How to Debug a zap-extension?

We already know how to debug a standalone application using an IDE like IntelliJ IDEA. While debugging, a developer can see how the application's execution flows. But in an application like ZAP, an extension cannot be debugged directly: the extension is developed separately, and to test it we have to install it inside ZAP. So how can a fault be traced down if something goes wrong during extension development?

This tutorial shows how to debug a zap-extension using the remote debugging feature of the Java Virtual Machine.

1. Open the zaproxy[1] project in IntelliJ, go to Edit Configurations, and open Run/Debug Configurations.

2. In Run/Debug Configurations, under Add New Configuration, choose Application.

3. Provide a Name for the Application, set the Main class to ZAP.java[2], and set the VM options to the arguments below:

-agentlib:jdwp=transport=dt_socket,server=y,suspend=y,address=localhost:5005

Specify the JRE and press Apply.

4. Now open the zap-extension[3] project in another window, go to Edit Configurations and open Run/Debug Configurations as shown in 2, and select Remote.

5. Add the Host and Port in the configuration. Since ZAP is configured with localhost:5005, we have to configure the zap-extension with the same values. Then click Apply.

6. Now build the add-on in the zap-extension project (the generated add-on will be available under the zap-extensions/build/zap-exts folder), then copy the add-on to the /home/<NAME>/.ZAP_D/plugin folder. Alternatively, you can load the add-on into ZAP later from the ZAP UI, using Load Add-on File under the File option.

7. Now go to zaproxy and Run (not Debug) the ZAP (ZAP.java) configuration you created. When ZAP starts in debugging mode successfully, a message should appear in the IDEA run window indicating that it is listening for a transport connection.

8. Now start zap-extensions in debug mode. ZAP, which was waiting for a connection on the port you specified, will start executing.

Now the zap-extension is ready to be debugged. Put breakpoints inside the zap-extensions code in the usual way and invoke the operations in ZAP that the extension has to perform. As soon as execution hits a line with a breakpoint, the debugger becomes active.
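
JDWP has no authentication, so the address= value in the VM options from step 3 decides who can attach to the ZAP JVM. The following is an added example, not part of the original tutorial or the ZAP project (the function names and all sample strings except the tutorial's own option are assumptions made for illustration); it parses a JDWP agent option and reports whether the debug listener stays on loopback.

```python
import ipaddress

# The VM option from step 3 of this tutorial.
TUTORIAL_OPTION = ("-agentlib:jdwp=transport=dt_socket,server=y,"
                   "suspend=y,address=localhost:5005")


def parse_jdwp_option(option):
    """Split -agentlib:jdwp=... (or legacy -Xrunjdwp:...) into a dict."""
    for prefix in ("-agentlib:jdwp=", "-Xrunjdwp:"):
        if option.startswith(prefix):
            body = option[len(prefix):]
            break
    else:
        raise ValueError("not a JDWP agent option")
    opts = {}
    for pair in body.split(","):
        key, sep, value = pair.partition("=")
        if not sep or not key:
            raise ValueError(f"malformed sub-option: {pair!r}")
        opts[key.strip()] = value.strip()
    return opts


def classify_binding(option):
    """Return 'loopback', 'exposed', 'version-dependent' or 'not-listening'."""
    opts = parse_jdwp_option(option)
    if opts.get("server", "n") != "y":
        # server=n: the JVM connects out to a debugger instead of listening.
        return "not-listening"
    host, sep, _port = opts.get("address", "").rpartition(":")
    if not sep:
        # Port only (or no address): JDK 9+ binds loopback only, while
        # JDK 8 and earlier listen on all interfaces.
        return "version-dependent"
    host = host.strip("[]")
    if host == "localhost":
        return "loopback"
    if host == "*":
        return "exposed"
    try:
        return "loopback" if ipaddress.ip_address(host).is_loopback else "exposed"
    except ValueError:
        # Any other hostname is treated as reachable from the network.
        return "exposed"


if __name__ == "__main__":
    print(classify_binding(TUTORIAL_OPTION))
```

Anything other than "loopback" means the host in address= should be set explicitly, as the tutorial's option does, before ZAP is started.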

References

[1] https://github.com/zaproxy
[2] https://github.com/zaproxy/zaproxy/blob/develop/src/org/zaproxy/zap/ZAP.java
[3] https://github.com/zaproxy/zap-extensions