OWASP ZAP is a very popular attack proxy typically used in Web Application penetration tests. Think “Open Source BurpSuite“, and that’s ZAP in a nutshell. It has become my go-to tool for penetration tests, and it definitely is a fantastic piece of software that ticks all my boxes – except one.
The problem : Note taking
ZAP helpfully allows you to add notes to each request made through the proxy. This is easily done through the “History” pane by right-clicking on a request, and clicking on “Note…”
This allows you to annotate specific requests where you’ve found something interesting or need to remember for your pentest report, etc. The problem is that ZAP currently doesn’t offer a way of seeing all the notes you’ve taken at once. All it does is show “note icons” in the History pane, indicating a note is present for that particular request:
It would be useful to be able to see a summary or overview of all these notes – especially when you’re firing up ZAP first thing in the morning and need to remember what you were up to the day (or worse… the month) before during pen-testing.
One solution: a basic “All In One Notes” extension
ZAP is written in Java, with a GUI based on Java Swing. My objective is to extend this GUI and include an “All In One Notes” pane that shows a tabular summary of all notes present in the session. Later revisions of this extension should be a lot more interactive, allowing for navigating to the corresponding request and so on, but for now a simple text pane would suffice. This is the result:
Much easier to see what’s going on with all your notes!
Developing the extension
– Clone the “alpha” branch of the “zap-extensions” github repository
We need some scaffolding to get us started with the extension, so go ahead and download the alpha branch of the zap-extensions github repository here:
https://github.com/zaproxy/zap-extensions/tree/alpha
Once you’ve downloaded and extracted the repository in some directory, navigate to the directory and the following subpath:
zap-extensions-alpha > src > org > zaproxy > zap > extension
There you should see a folder called “simpleexample“. Copy that folder and give it an appropriate name that reflects your new extension. In this example we created a new folder called “AllInOneNotes“.
– Import the code into your favorite IDE
In my case, the IDE of choice is IntelliJ. So fire up IntelliJ and select:
File > New Project > Project From Existing Sources
Step through the import wizard, in my case everything was left as per defaults.
– Import the ANT build.xml file
Unfortunately the ZAP team chose to go with ANT rather than maven, but no big deal. In IntelliJ, on the right hand side, click on “Ant Build” and click on the “+” sign to add a valid XML. The build.xml file should be under:
zap-extensions-alpha > build > build.xml
Once you import the XML, IntelliJ should display all the ANT build targets:
In order to get a deploy target for your custom extension, you need to add a deploy target, so open the build.xml file and search for
deploy-simpleexample
This is the target entry for the “simpleexample” extension. We need a similar target so copy/paste a new entry right underneath that should look like so:
<target name="deploy-simpleexample" description="deploy the simple example add-on">
<build-deploy-addon name="simpleexample" />
</target>
<!-- New Entry for custom extension -->
<target name="deploy-allinonenotes" description="deploy the all in one notes add-on">
<build-deploy-addon name="AllInOneNotes" />
</target>
You should now see a new deploy target in the IntelliJ ANT build as per the above screenshot.
Code the extension appropriately
The main file you’d need to edit is under “src>org>zaproxy>zap>extension”, find your custom extension directory. A full code listing can be found at the end of this article.
A few notes and tips:
- Make sure to edit “src > org > zaproxy > zap > extension > ExtensionName > resources > Messages.properties“.
- Also ensure you edit the “ZapAddOn.xml” file appropriately
- At the moment the extension does not reload notes automatically when they are changed / added / deleted. You need to do this manually within ZAP via the Tools Menu > All In One Notes: Reload
Build and use the extension
This stage is straightforward. Click on the deploy target for the ANT build. In my case it’s deploy-allinonenotes as discussed above. This will create a new file under the directory
zap-extensions-alpha > build > zap-exts
If all goes well you should see a new .ZAP file here. In ZAP, you can now load this new extension via “File > Load Add-On File”
That’s it! You can find a copy of the ZAP file for this extension here
