Add script to allow force user agent

adevinta · Feb 7, 2025 · f73a5c1 · f73a5c1
1 parent e914f6f
commit f73a5c1
Show file tree

Hide file tree

Showing 2 changed files with 30 additions and 18 deletions.
diff --git a/cmd/vulcan-zap/Dockerfile b/cmd/vulcan-zap/Dockerfile
@@ -3,8 +3,7 @@
 FROM zaproxy/zap-bare:2.16.0
 USER root
 
-RUN apk --no-cache add chromium \
-    && chown -R zap /zap/
+RUN chown -R zap /zap/
 
 USER zap
 

diff --git a/cmd/vulcan-zap/main.go b/cmd/vulcan-zap/main.go
@@ -15,7 +15,6 @@ import (
 	"strings"
 	"sync"
 	"text/template"
-	"time"
 
 	check "github.com/adevinta/vulcan-check-sdk"
 	"github.com/adevinta/vulcan-check-sdk/helpers"
@@ -28,6 +27,7 @@ import (
 const (
 	checkName   = "vulcan-zap"
 	contextName = "target"
+	userAgent   = "Vulcan - Security Scanner - [email protected]"
 )
 
 type options struct {
@@ -48,10 +48,12 @@ type options struct {
 }
 
 type tmplOptions struct {
-	Opts        options
-	URL         string
-	IncludePath string
-	Dir         string
+	Opts           options
+	URL            string
+	IncludePath    string
+	Dir            string
+	UserAgent      string
+	ForceUserAgent bool // DOUBT: This is the only way to ensure all the requests have the same User-Agent. Do we want to force it?
 }
 
 const configTemplate = `
@@ -61,6 +63,19 @@ env:
     urls: [ "{{ .URL }}" ]
     includePaths: [ "{{ .IncludePath }}" ]
 jobs:
+{{ if .ForceUserAgent }}
+- type: script
+  parameters:
+    name: set-user-agent
+    type: httpsender
+    action: add
+    engine: "ECMAScript : Graal.js"
+    inline: |-
+      function sendingRequest(msg, initiator, helper) {
+        msg.getRequestHeader().setHeader("User-Agent", "{{ .UserAgent }}");
+      }
+      function responseReceived(msg, initiator, helper) {}
+{{ end }}
 {{ if .Opts.OpenapiUrl }}
 - type: openapi
   parameters:
@@ -81,12 +96,12 @@ jobs:
   parameters:
     maxDuration: {{ .Opts.MaxSpiderDuration }}
     maxDepth: {{ .Opts.Depth }}
-    userAgent: "SHIT spider"
+    userAgent: "{{ .UserAgent }}"
 - type: spiderAjax
   parameters:
     maxDuration: {{ .Opts.MaxSpiderDuration }}
     maxCrawlDepth: {{ .Opts.Depth }}
-    browserId: chrome-headless
+    browserId: htmlunit
 - type: passiveScan-wait
   parameters: {}
 {{ if .Opts.Active }}
@@ -214,10 +229,12 @@ func main() {
 		}
 		sb := new(strings.Builder)
 		err = tmpl.Execute(sb, tmplOptions{
-			Opts:        opt,
-			URL:         targetURL.String(),
-			Dir:         tempDir,
-			IncludePath: includePathRegex,
+			Opts:           opt,
+			URL:            targetURL.String(),
+			Dir:            tempDir,
+			IncludePath:    includePathRegex,
+			UserAgent:      userAgent,
+			ForceUserAgent: false,
 		})
 		if err != nil {
 			return fmt.Errorf("unable to execute template: %w", err)
@@ -243,9 +260,7 @@ func main() {
 			"-dir", tempDir,
 			"-cmd", "-autorun", file,
 			"-config", "database.recoverylog=false", // Reduce disk usage
-			"-config", "network.connection.defaultUserAgent=SHIT",
-			"-config", "method.connect.default.user.agent=FUCK",
-			"-config", "rules.domxss.browserid=chrome-headless",
+			"-config", fmt.Sprintf("connection.defaultUserAgent='%s'", userAgent),
 			"-port", strconv.Itoa(zapPort),
 			"-notel",  // Disables telemetry
 			"-silent", // Prevents from checking for addon updates
@@ -262,8 +277,6 @@ func main() {
 		default:
 		}
 
-		time.Sleep(10000 * 1e9)
-
 		// Exit codes:
 		// 0: Success
 		// 1: At least 1 FAIL