OWASP ZAP Heads Up Display
The HUD is a new interface that provides the functionality of ZAP directly in the browser.
How does it work?
A summary of the main components and how they are initialized.
Work in progress – please update to add/remove/correct anything!
- injectionHtml.html
  - Injected into every HTML page by the HUD when the HUD is switched on
  - Only runs on the top frame
  - Loads inject.js
  - Creates the management iframe
- inject.js
  - Runs on the target domain
  - Keeps running in the page
  - Receives events from the ZAP domain:
    - showPanel
    - showTimeline
    - hideTimeline
    - showMainDisplay
    - hideMainDisplay
    - expandPanel
    - …
  - Creates main-display
  - Will hold any functions that need to run in the target domain
    - i.e. analyzing the target page, adding images, markup, etc.
- management.js
  - Initializes serviceworker.js – this only happens once, ever, unless there is new HUD code, which then causes the service worker to update
  - Starts pollWorker.js
  - Passes messages from the service worker to the pollWorker to do actions such as:
    - refreshTarget
    - increaseDataPollRate
    - decreaseDataPollRate
    - showTimeline
    - hideTimeline
- serviceworker.js
  - A ServiceWorker
  - Loads all of the tools (currently hardcoded)
  - Only way to interact with tools?
  - The tools are organized in different files, but all are imported into the service worker, and so run as the service worker. Any frame can send/receive postMessages to/from the service worker (and so to/from all of the tools).
- pollWorker.js
  - A WebWorker
  - Polls the HUD for updates
  - Posts the messages to management.js, which posts them to the service worker
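As an added illustration of the message flow summarized above (example code, not code from the ZAP HUD project), the script below models how a script running in the target page, in the role of inject.js, could accept only the event names listed above, and only when they arrive from the ZAP origin. The `ZAP_ORIGIN` value, the `createInjectHandler` function and the `{ action: ... }` message shape are assumptions made for this example; the HUD's real inject.js may be structured differently. It runs under Node with constructed MessageEvent-like objects, so no browser is needed.

```javascript
// Added example (not ZAP HUD code): a dispatcher in the role of inject.js that
// accepts postMessage events from the ZAP domain, and only event names it knows.
// Assumed: the ZAP side sends { action: "<eventName>", ...payload } and the
// HUD origin is a single known URL (a constructed placeholder here).

const ZAP_ORIGIN = "https://zap.example"; // assumed placeholder for the ZAP/HUD origin

// Event names the HUD sends to the target page, taken from the list above.
const KNOWN_EVENTS = new Set([
  "showPanel", "showTimeline", "hideTimeline",
  "showMainDisplay", "hideMainDisplay", "expandPanel",
]);

// Build a handler suitable for window.addEventListener("message", handler).
// `handlers` maps event name -> function(payload); `log` receives audit lines.
// Returns true when a message was dispatched, false when it was dropped.
function createInjectHandler(handlers, log = () => {}, zapOrigin = ZAP_ORIGIN) {
  return function onMessage(event) {
    // Messages from any origin other than the ZAP domain are dropped: the
    // target page itself, or a frame inside it, must not be able to drive the HUD UI.
    if (event.origin !== zapOrigin) {
      log(`dropped: unexpected origin ${event.origin}`);
      return false;
    }
    const data = event.data;
    if (!data || typeof data.action !== "string") {
      log("dropped: malformed message");
      return false;
    }
    // Only an allow-listed action reaches a handler; the action string is never
    // used for a dynamic property lookup (so "constructor" etc. are rejected).
    if (!KNOWN_EVENTS.has(data.action) || typeof handlers[data.action] !== "function") {
      log(`dropped: unknown action ${data.action}`);
      return false;
    }
    handlers[data.action](data);
    log(`handled: ${data.action}`);
    return true;
  };
}

// Self-check using constructed MessageEvent-like objects; returns the audit trail.
function demo() {
  const seen = [];
  const handler = createInjectHandler(
    {
      showPanel: (d) => seen.push(`showPanel:${d.panel}`),
      hideTimeline: () => seen.push("hideTimeline"),
    },
    (line) => seen.push(line),
  );
  handler({ origin: ZAP_ORIGIN, data: { action: "showPanel", panel: "left" } });
  handler({ origin: "https://target.example", data: { action: "showPanel", panel: "left" } });
  handler({ origin: ZAP_ORIGIN, data: { action: "constructor" } });
  handler({ origin: ZAP_ORIGIN, data: { action: "hideTimeline" } });
  return seen;
}

console.log(demo());
```

The two checks that matter are the origin comparison and the fixed allow-list: because the HUD injects this script into every page on the target domain, any script on that page can call `postMessage` against the same window, and a listener that dispatched on `event.data.action` alone would let the page operate the HUD.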
Changelog v0.19
- Update minimum ZAP version to 2.15.0.
- Disable the HUD by default – it still works but it's flaky, and currently not a focus for us.