From b6ffeb4acf57af67fcc20ed4968ada5b56f24af2 Mon Sep 17 00:00:00 2001
From: kingthorin
Date: Wed, 16 Oct 2024 07:49:30 -0400
Subject: [PATCH] replacer tip: Add x-bug-bounty header
Signed-off-by: kingthorin
---
 .../tips/replacer/match-and-replace/README.md | 29 +++++++++++++++++-
 .../match-and-replace/images/xbb-header.png | Bin 0 -> 6744 bytes
 2 files changed, 28 insertions(+), 1 deletion(-)
 create mode 100644 other/tips/replacer/match-and-replace/images/xbb-header.png
diff --git a/other/tips/replacer/match-and-replace/README.md b/other/tips/replacer/match-and-replace/README.md
index 4cb3807f..bdd00e37 100644
--- a/other/tips/replacer/match-and-replace/README.md
+++ b/other/tips/replacer/match-and-replace/README.md
@@ -260,7 +260,34 @@ extReplacer.getParams().addRule(newRule);
 ## Misc
-- Help companies to identify your traffic and separate it from malicious traffic by adding a custom header
+- Help companies to identify your traffic and separate it from malicious traffic by adding a custom header (ex: `X-Bug-Bounty`, or `X-Header-Hackerone`).
+
+![](images/xbb-header.png)
+
+For example a header that:
+- includes your username: `X-Bug-Bounty: YourBBUsername` or email: `X-Bug-Bounty: user@domain.com`
+- includes a unique or identifiable flag: `X-Bug-Bounty: ID-`
+
+Source:
+
+
+Add X-Bug-Bounty header
+
+```js
+// This script adds a Replacer rule
+var extReplacer = control.getExtensionLoader().getExtension("ExtensionReplacer");
+
+var replacerRule = Java.type("org.zaproxy.zap.extension.replacer.ReplacerParamRule");
+// Match types: REQ_HEADER, REQ_HEADER_STR, REQ_BODY_STR, RESP_HEADER, RESP_HEADER_STR, RESP_BODY_STR
+var matchType = Java.type("org.zaproxy.zap.extension.replacer.ReplacerParamRule.MatchType");
+
+// https://github.com/zaproxy/zap-extensions/blob/e072df8ca4f7aff54d6e2dda98cfd8503810fa2c/addOns/replacer/src/main/java/org/zaproxy/zap/extension/replacer/ReplacerParamRule.java#L93-L107
+var newRule = new replacerRule("Add XBB header", "", matchType.REQ_HEADER, "X-Bug-Bounty", false, "YourBBUsername", null, false, false);
+extReplacer.getParams().addRule(newRule);
+```
+
+
+
 ![](images/hackerone-header.png)
diff --git a/other/tips/replacer/match-and-replace/images/xbb-header.png b/other/tips/replacer/match-and-replace/images/xbb-header.png new file mode 100644 index 0000000000000000000000000000000000000000..5cb3fac75cf8ba426040ac568a43a17f781258ee GIT binary patch literal 6744 zcmZ{J1yozhw>Q1CP}~Z|a|;a=DH7aDky4<@#T|+SC@#gVhFc*7DOR93!J$Bq(n8YU z6bVu+5G=S8>_PAUTi<(ctv73(b7s%%*|TT%-e-O@6aA0Ya|%*sQUU@33N=+_T>^r? zY_Ib+cZsgwtYo9R*PmP7y3Z8}DhF8Cu8G?Y3YrQ81T~3d=hkOo#^yHk){-DobNTGBw&x?PX*u^<*-Hw$BWc_H_1hSeGa5 z-P>*nAL`rIhP75A_N2Yh&M&s7&ffo(=j}ZLlJFDNJXv%z{p*3C2%3R(sh^~utX}Pl zvCzW_%5k%5I_}qwuLtYk$%cHdfRnXAsky;8#8ikO+<8-b@G{3C7s{`sq$EsDLqnsZ zX1qMt^ajOvlaDqYzuF|?vQ@rLK$~XUHLnr7iqaaLAeEbv?o=a?Z%gs>Opfc6Z&UW` zlJ=$%NnDddMJR%Nlj)kGi61RVu95EuGyj(>iO~mSU*+xS9d(^b{$Ullk)*Gvfw-a7 zqyFudBtEcj;y{Y6Dd-ia(_;qM?WpdEp)mX-%F~E?sc`r&55Dmk!^C#^t**TGrIzUH zmR!mChjA46xlU*I4PEx_Y&w+b$m4VevHtxVxs`zs`~Kzyrp*8qA72@cq$qKy9Srtt zXGD7!yCx#+m%tX4)%kp(;}JMFk8+=7eJ8CN(5A#-UK2PpH5?O8Cc7hUtV6%0v?^#5 z`UBSFHwkkrX~0C7xhuq?-xKvpf#rmq<(8wtk@zv6(LncZjIR$iHO%NNMm)eLmxkpqk7ZDF19ga zY}@l~Wa!Si1M$8nU{HUB*!`VZ7Wht4*xiO4pz-L(sRAyvXOQ0YuoI43$3C~0s+mM; zludQvae}PfnKHf@80Y<=&oIthS0$He?(tLn0H^w|=hyQsniG>6hkCf4Ggh90+~nxo z1xUp}IGQsAXhrx0K6kiN8>BwS+LR%VEo8?F?f}-ek)ONY?dQAv^H5!E+!Us4Ahv|u zo|TO0BobtJZ1yhv5cH}{0cP%^BFEh2e0GLU@gYBA)1eiY8sN`$T{M>u^jVy_u>(R+ z2N~DavUnG7R|Qc;5Csu8&_><m~^7 z-tmjYXm03ph0;+zY<0bhv`VbXmG0WGP~BmOu#`A%FmzJJJ{&pyIpJ8^i_)=0uUWsT zm1I?ZuMw2P@3yK)@hQz2Ts&4|AGo5;W%V?r}( zuRZ`2A_)a{&5uGu&Vr7u-=?NB6(3f1wZ9|oI8HoSkiVh}{kY zo@iK!EdoCm$QGoO)8#K1%&e%4{!tjmt(RL=QhUzCea`;7#@u43C;oVWIFTRAmT?on z3-n@4<+bGVe$&UCt0wQ=1-*IH#sNnUJWoB@&Uaq*GP7OHu|@G;%7B|4#;54gWCA3B z*Y?%4lj~Uj$Mi!{f_j$nK?z4U4iN=9ou8nYaPieQAt>$*e>FB% zQl`F1#$o{Cl6ZRKU~3G&gPl2;;9FD9!r-1Xk6p|&^XBAFf$`EznZk>Kt^;F*?RmE@ zLPDnQ4R?KOD)Q=T`r^fD3u2~p)?5AyK$K$VvPI!7Bq{ljwuaACjTZSwnRwxVS0FtO zuK(vt|57E74Vr*Nfh>hqPnr zx|*Lte*AW*Um>Y62FaJ#O?Ss~PU-7z9;`7+q7$d4OkK6?g&m07cYjI;Hx#hNPEXS& zCNy$skg_5(tYaJP7M5WF_x$Gn)(Y1{=egD0$p!2@utSAi)T9%>5D%gIYN=&aoHXXt 
z9iI2V)d};@9QcPWfvA&t^gtkEGtX4(&?(@S{81jcOB*3Q#pk2nq1JayL2 z1a0?ASyfCcjfZgJ^xXdZApAaE z;)=L?H@ve)hQKItbn$RwAO3b=8^i8y%DtXmefxM3+b`o;`-W;&)l!5O!mT}?qXUlm zo18eylu(aLd3Mcf_C%Mi2KsHwj;#s%k)mAuvDSu}_#*wZsNt`{uv7LR-mt5kYZEf(O z&TRz%Z8LtG&v(2{4fCDD>5@i#j4xoBPzF6}%bH-BEQsmuJf0qfHovzIFp0@Xl@@I% zZbxjSBfYvZGa~RfkHJp@x8Ey}TQq&{&o<`LH|MKyp@ID((uj3x+Yu04mU^7d`(!y9 z|3Hb&8}Q)rQ19tB2Fon^HQL)b!8=7-zU@*k zp?Fu;!K<=Qf4j%WZmzOb{WZWI-A6lZfb()Uph_^TQXSp&!cR;tkmCj|=IrsoC@h~^ z_)#48pRd&M3q~mnKkDFtLlb3RBAU^bMcJWxl1(_i+=2kD^?*OTGG}lN?EkQc+Y*m3}Y% z?!oxFYf?Lgf#dORleR5%+}NtpB9DSGwto`p_C8UR3j?0G%=t3r8B_VT?WjyS>n7mb zzBDSqy(n}s)68Bh1X+k?!Vq;Va@xQS(oEtC11?t9x5hv2O9F8XFcVG3= zYZHbZe3;?!bgVhqomz%Xusq3T@3qe*hMb6vJH-3+xbTVyB(nG{+*O>apOoU&yKs;l z%*f`e8;9rj1;c&o$4}{SKk_4YQjFwhQYWZJ4(+0h(rPX%tCd~&&v;Q<1>?~y%3V=Q6QF=Y&xfZWsY4@eR0^JdgN-gb->}Tu!=7@! zAH^knMpjjZy>yod{LTJY6`bKVT}+92`AF<1j~46w&8dXRpt9P|JfLf5h}rIM$`0v; zy(owhLA&1im+r50gBMQn?|M*NQu2@!&s1cIOqO{V*Ba6w>#k3{1$h?85B?Z>IsGtUB=xaVb}IZyzr|Gs!ZUS(?TrM|mvi;Wyk0JE zJjq49c}EMN`M9GR-DP-U%nZFFMkq5S zUIrlYVKWtivtmq=D}{B@?^!t(PEm60jWVc0<=V<0Wt3Anbr0PcO z_()RHLKANlU_nhSH|p>(S8o~Bq4AS9N;WBKeGX`Q(hA_NpA4MDF=o?ryYU8aXpFw^ zSy{4%e5iN|+KR1C)OSJc=WZ~?bbnu+EdUykm<;H|oZ~twJhQ|E`WnrmY+%J+YseTT z!0990HWP&DST0eHv`QP+YKL}Qml9)2sU5?mS3c2B`$W#=#x7L8 z)vsN9`)5kY%M8;Z9Ia7Yt-%-e0#-GD)9nc1q`tu=6r?72EjdM*Um)ir%Bz_bTK8F! 
zrg=Cx^0}Jfffrg>x**CzDq#;L#_p}q)Q+VFnLG7a=B|Uw zue=bR<4r%^;m!2Ua!@`qLF4u|TX1$w5J~zO9lU4-e>RViEDJZ*)eQ zuof87(4oEvS>QdzxROs#F|mR>@*SaKk7;5d``~8tgq~@VT*rI-wLpQwhf6xhM=Gpv z=77@QZ6IvI(g~JrB;wgE(3k^^Rm9Mj=x9sfE314-d^xCG+aO>x%-%B#=!(zzj=uP zJy>a19*Zt+%dltq$)+ZJ9-nLxA4V5}@NDe-AUYUzEIu8?YZeM05Y&i^4Nz}=ohB}> z=v&iK2Tt4*V^TLcPiG>2R2&_(`1?~M%pX{{?m65ensra_Sg@HYya(ziOjAznRY976 zmr2W}$R|#qeVJ48`-B0CZv5!}>nbC5*j@KC==h6Vxm2(Ak|Gphl))d>Ogi`UVrrgQLHPl)L_ennaRwgfret zSqNy9r;?aBSuqCv*(@W{H%^lm<7`|1Ab!!y4RM*G;8&yrp}%5tzD4p-{fnJ!H7;|o zPlcicUn_ND{zZE6H7E!-_(J-N4%K`|$O4BeJdJ0j%W`wJY&I^JC!1?|LBkSz$E6V0qy zWI}zqQUK%wmX*Zc%;9s~ zshq!Cq*Z1)0?YelfF<7CGu0{}u+J`28yZP?(rZ#jd{=pRm1hh5YrY*e;S>6RL85$Q zk8no(LdbWEqD+MP+rWy%VzFRriEPeH;N8Z7NY7%C9Oo5YZuK;otvCeV0OOz$Uo7y0 z-w~_I#LOqjS#|Rml^>Ppke=7O)s}_3!mo}fymNMw_{PiqWP#p^5ogFJSp@ zY~=OmRSO(){Pm?)ulj44N0Cb`LVLVPq=!Cogdz6Cv2z8#Se`qMRDcjxrW#6~k?-3F%`9h2ZK(*&$Y!NfM1?d1&4BV>^M{AdGM7`%kEGMZy$LG-1r)1b?ldVxykh*k^# zK)qsG_g6knIX<>auh|T%a-j_HXuQ#>{0PpzA#L|bUu8x(F}nP09=6^&yiOk-l01SO zpe)CsYUPc}HRitLq6!zRHL|7Yec=>I`~f6Eh!_-Bp}>(Rn|Y_R7^nGhxypiMI?rg7 zL0@8MNtLMDBqImd1dt(gDw%K{tvHqDDkdAF%faS#dzvms z*gkhp_38sz?3ngfa0PPYC{iUHWlYm7i}{gf(8nEoOEeG?9fM~3*69!ST>qOgVsu`d zuh;Hr&fVW`%1Ve{Ww+OIyNo%3=kT7zwfNYNfdah-mBrJ!s<#)UWmqw#EmbrJCu6m5 z+h+1X2af>yvE7Miad*v}5@N-um8<5ft3I6moq3r;xx!==yPryUmx*o>KE%9k4{ns9VdJTB2) zVN_SsnYWqA%0La+H}s!Lm-6jjw>P*wLtNhrC&aXo;)=1g>zCMB05b)b?K2K|Q05HB ziJ3$RpvNE{<6U;AtoOlpDYb-vyV+>2z8>-v0W35>yzWfMrDc{EYQ6D&e|m@_WZS%Q zFL-jeQ3n>B6PmAA{}+Tl`XTW!SFfnl)$@HH-B;jP_(@G_A~)JUC4e(QgozXL@MGYM zH)Zpij2O)vm%a0`WZCG$XoyE$FWL6Nd5}WMi5;iHk#W&O;4`^PTeGSj= zyN_*IC>Hx;j3n$UGRY7vffYhbd<=y_c%jhJvzJ?>O$$(fy3z~foZqY?4J37-f@Sgg zoNWZW{X)_|^g+wk&rrx46J2gB@1Q`#UVxUfC(3Z-U%*tJ(#THB&96CdCA=?Ps$mxm zhscDc%G#T3z3i14u#2->52q!aO?WW7MDnF_XDg;+sZs0Bn-*UxmsVwyP{hv3ef=ul zvm~I&u$b(U(3>;~XW@34m~kjR;%F78GSbrgvZ5SG3aQ~pN_%u@fz>_NEp)j!QMMUp z(9Y>X!8BP!z=lQK^8a|bD4e_H(GgP?oA*k@`0>OJ2CFpphzM_$v-;zgey}-p=hdsk z&n!DV)BkyuTdT#}thhMv2sl8_&3&2?oy#fGt?GP>`=1NnUuYn+x;2cr*A76MXW57a 
z_IQb=B0D|?8q841m`+0$%SJ7i!#Rp|ApUjuN=KgpwHfoM{7ovbzObKOj(l#IM8dP% z&91E5MJa&l=~NkyqvHs;z4FM)lmX0xC}FXU^OkX%{0HJ~r{|G!?{cioFmB&JJK8(& zK~ku8ihR;{i>-?8Y66CSl097prhl!m*^^SGJ8l_N~qd2+e^e zky(Xw&H?^Zq3;mWp|MiL&%?Gb#ksiByACn1GWOTVjWxeB^?)vKCyi&-xcePHkTxv# zXVh8tO=p_-!#ZQrtPlCS_u!-Oz_C}vif2rjKxkpYquE`F=sH=9&=O8%6n@JJz2#y4 z+mo*STwzZJ&u=ZCf4z-=E6`xxQKdWUQ!sh3!##;x9unKytJ^Yac-%lnVdIjCLH=A6l0&O5sqi47Ub`f4_NhUcJ58x8Q) zl#+k5s+EwsGPHO|FeF@p5koHO1<^2cU>hWMr6p zL<5y?xWARxg~b{3$GJhQY90ZxMkEY*F2{*ci065z^wwXJ;GTQrw0*^}oYC5y-Y*=1h%8EOB4T2ilU2^!PtJ$VAEYMr_MmUBRiF~{SGRa}X)V~e TPN3JfK?G{gw3I6qU%vY