-
-
Notifications
You must be signed in to change notification settings - Fork 155
Unorganized Notes
The HUD is a new way of using ZAP that runs as javascript injected into web pages being proxied by ZAP. The injected javascript builds a client side interface that overlays on top of the proxied web page, which we call the HUD. The HUD is built from iframes, web workers, service workers, postMessages, and ZAP API calls.
The HUD displays various buttons that correspond to different features of ZAP - like adding a page to the scope, spidering, active scan, etc... The HUD sends API requests from the browser to ZAP to interact with these features.
One of the buttons on the HUD uses the break feature of ZAP. This is how (I think) it works:
- The user presses the break button.
- An iframe (the display frame) expands to fill the screen and show a dialog message that asks if you'd like to start breaking
- Selecting yes will send an API request to ZAP to turn on break and shrinking the display frame. The user loads a new page, perhaps by clicking a link.
- ZAP intercepts this request. A web worker (already running) has been polling the ZAP API, and receives a response indicating break has intercepted an http message.
- The web worker passes the contents of the http message to a service worker via postMessage.
- The service worker (hosting all of the scripts that define the different feature interactions) receives the message and passes it to the display frame.
- The display frame shows the message asking if the user would like to step or continue.
- Selecting step will send an API request to ZAP to step (sending the intercepted request) and close the display frame.
- ZAP will then release the intercepted request.
- Eventually ZAP will receive the server's response and intercept it.
- The web worker (still alive and polling) will receive a response indicating break has intercepted an http message.
- The web worker passes the contents of the http message to a service worker via postMessage.
- The service worker (hosting all of the scripts that define the different feature interactions) receives the message and passes it to the display frame.
- The display frame shows the message asking if the user would like to step or continue.
- Selecting step will send an API request to ZAP to step (sending the intercepted response) and close the display frame.
- At this point the browser will receive the respone and begin to tear down the old page.
- This will kill the web worker. Polling (and our only communication with) ZAP will stop.
- As the new web page is parsed, the browser will find external resources that need to be loaded: images, scripts, iframe html, stylesheets, etc...
- The browser asynchonously requests these resources, with NO GUARANTEE on order of requests (though resources earlier in the document tend to get requested earlier)
If the HUD is not cached:
- The first resource on the target page that is requested will be intercepted by ZAP, and thus halting any of the following requests queued up in ZAP to be processed, including the HUD.
- Which means there is no HUD UI to interact with to release the intercepted message
- The HUD will not be displayed until the continue button on the Desktop ZAP is bressed.
OR
- The browser can also only request a limited number of resources at the same time, which means if it is attempting to load 12 other resources before trying to load the HUD, and all of those resources are caught at ZAP, then the HUD won't even be requested by the browser.
If the HUD is cached: It loads completely fine regardless of any other resources being loaded by the web page.
I've done a lot of brainstorming around trying to force the browser to load the HUD resources before the other resources are requested, but its really hard to try to trick the browser into GUARANTEEING anything from a naturally asynchronous process
The best solution in my mind is to have ZAP identify when a response is going to be sent while breaking, and then force a browser pre-cache of the HUD, which will fix the problem.