ZAP-HUD: OWASP ZAP Heads Up Display
The HUD is a new interface that provides the functionality of ZAP directly in the browser.
How does it work?
A summary of the main components and how they are initialized.
Work in progress – please update to add/remove/correct anything!
Injected script
- Injected into every HTML page by the HUD when the HUD is switched on
- Only runs on the top frame
- Loads inject.js

inject.js
- Creates the management iframe
- Runs on the target domain
- Keeps running in the page
- Receives events from the ZAP domain:
- Creates main-display
- Holds any functions that need to run in the target domain
  - e.g. analyzing the target page, adding images, markup, etc.

Management iframe (management.js)
- Initializes serviceworker.js – this only happens once, ever, unless there is new HUD code, which then causes the service worker to update
- Starts pollWorker.js
- Passes messages from the service worker to the pollWorker to do actions such as:

serviceworker.js
- A ServiceWorker
- Loads all of the tools (currently hardcoded)
- Only way to interact with tools?
- The tools are organized in different files, but all are imported into the service worker, and so run as the service worker. Any frame can send/receive postMessages to/from the service worker (and so to/from all of the tools)

pollWorker.js
- A WebWorker
- Polls the HUD for updates
- Posts the messages to management.js, which posts them to the service worker
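The summary above rests on postMessage hops between the target domain (inject.js) and the ZAP domain (the management iframe). The following is an added example, not code from the zap-hud project, showing the checks a script on the target domain should apply to messages arriving from the ZAP domain, and how to address replies to that origin only. The origin value, the `{action, payload}` message shape and the names `makeZapEventHandler`, `sendToManagement` and `demo` are assumptions for illustration.

```javascript
// Added example, not zap-hud code. Models the two postMessage hops the
// summary describes: the ZAP-domain management iframe sending events into
// the target-domain script, and that script sending messages back.
// The origin, message shape and function names below are assumptions.

// Handler the target-domain script would register with
// window.addEventListener('message', handler). Each check returns a reason
// so the decision is observable in tests and logs.
function makeZapEventHandler(zapOrigin, allowedActions, forward) {
  return function onMessage(event) {
    // Only the ZAP domain may drive the target page; frames from the target
    // site itself, or from any other site, are ignored.
    if (event.origin !== zapOrigin) return { accepted: false, reason: 'origin' };
    const data = event.data;
    // Require a structured message with a string action; never accept a
    // bare string that could be treated as code.
    if (!data || typeof data !== 'object' || typeof data.action !== 'string') {
      return { accepted: false, reason: 'shape' };
    }
    // Dispatch only on an allow-list of actions, not on arbitrary names.
    if (!allowedActions.has(data.action)) return { accepted: false, reason: 'action' };
    forward({ action: data.action, payload: data.payload });
    return { accepted: true, reason: null };
  };
}

// Reply direction: always name the target origin, so the message is not
// delivered if the iframe has navigated somewhere else.
function sendToManagement(iframeWindow, zapOrigin, message) {
  iframeWindow.postMessage(message, zapOrigin);
}

// Constructed walkthrough with fake MessageEvent-like objects (no browser).
function demo() {
  const zapOrigin = 'https://zap.example'; // constructed ZAP-domain origin
  const forwarded = [];
  const handler = makeZapEventHandler(zapOrigin, new Set(['showAlert', 'highlight']),
                                      (m) => forwarded.push(m));
  const results = [
    handler({ origin: zapOrigin, data: { action: 'showAlert', payload: { id: 1 } } }),
    handler({ origin: 'https://target.example', data: { action: 'showAlert' } }), // wrong origin
    handler({ origin: zapOrigin, data: 'alert(1)' }),                             // not structured
    handler({ origin: zapOrigin, data: { action: 'runScript' } }),                // not allow-listed
  ];
  const sent = [];
  sendToManagement({ postMessage: (m, o) => sent.push([m, o]) }, zapOrigin, { action: 'pageLoaded' });
  return { results, forwarded, sent };
}
```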