Configuring custom headers for OWASP ZAP

I've been trying some bug bounty programs recently. I often alternate between using Burp Suite and ZAP. Many programs want you to add a custom header to your requests so the traffic can be identified and, in some cases, so it can bypass some roadblocks. In this post, I'll show how to configure ZAP to add the custom header.


At first, I was pretty confused about how to do this. Through some googling and some GitHub issue searching, I found the answer.

Step 1: Open the Scripts pane. It may not be visible, so click the + icon next to Sites.

/images/zap-header/scripts_pane_hidden.png

Step 2: Right-click on "HTTP Sender" and create a new script. Choose AddZapHeader.js as the template, check the Enable box, and optionally add a description.

/images/zap-header/script_new.png

Step 3: Edit the script to add the header(s) desired.

/images/zap-header/script_modify.png

Step 4: In the Scripts pane, right-click the script you created and click "Save".

Step 5: Test it

/images/zap-header/script_test.png
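
As an added example (not the script from the original screenshots), here is what the edited HTTP Sender script from Step 3 can look like. The header name and value and the host list are constructed placeholders, and the host filter goes beyond the steps above: it keeps the identifying header from being sent to hosts outside the program.

```javascript
// ZAP HTTP Sender script, following the two-function shape of the
// AddZapHeader.js template. All names and values below are placeholders.
var CUSTOM_HEADERS = {
    "X-Bug-Bounty": "researcher-handle-placeholder"
};

// Hosts the program covers (assumption: replace with the program's scope).
var PROGRAM_HOSTS = ["example.com"];

// True for an exact match or a real subdomain of a listed host.
// The leading dot keeps "notexample.com" from matching "example.com".
function hostInProgram(host) {
    host = String(host).toLowerCase();
    for (var i = 0; i < PROGRAM_HOSTS.length; i++) {
        var base = PROGRAM_HOSTS[i];
        if (host === base || host.slice(-(base.length + 1)) === "." + base) {
            return true;
        }
    }
    return false;
}

// Called by ZAP before each request is sent.
function sendingRequest(msg, initiator, helper) {
    var header = msg.getRequestHeader();
    if (!hostInProgram(header.getHostName())) {
        return; // third-party host: leave the request untouched
    }
    for (var name in CUSTOM_HEADERS) {
        header.setHeader(name, CUSTOM_HEADERS[name]);
    }
}

// Called by ZAP after each response is received.
function responseReceived(msg, initiator, helper) {
    // Nothing to do on responses.
}
```

For Step 5, open any request to a program host in the History tab and confirm the header is present in the request as sent.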