Merge pull request #6253 from thc202/authhelper/diags-storage

authhelper: record/report local/session storage

Author: kingthorin

addOns/authhelper/src/main/java/org/zaproxy/addon/authhelper/AuthenticationDiagnostics.java

@@ -21,6 +21,7 @@
 
 import java.time.Instant;
 import java.util.List;
+import java.util.Map;
 import javax.jdo.PersistenceManager;
 import javax.jdo.Transaction;
 import org.apache.logging.log4j.LogManager;
@@ -39,6 +40,7 @@
 import org.parosproxy.paros.network.HttpMessage;
 import org.parosproxy.paros.network.HttpSender;
 import org.zaproxy.addon.authhelper.internal.db.Diagnostic;
+import org.zaproxy.addon.authhelper.internal.db.DiagnosticBrowserStorageItem;
 import org.zaproxy.addon.authhelper.internal.db.DiagnosticMessage;
 import org.zaproxy.addon.authhelper.internal.db.DiagnosticScreenshot;
 import org.zaproxy.addon.authhelper.internal.db.DiagnosticStep;
@@ -199,9 +201,37 @@ public void recordStep(WebDriver wd, String description, WebElement element) {
             }
         }
 
+        if (wd instanceof JavascriptExecutor je) {
+            for (var type : DiagnosticBrowserStorageItem.Type.values()) {
+                processStorage(je, type);
+            }
+        }
+
         createStep();
     }
 
+    private <T> void processStorage(JavascriptExecutor je, DiagnosticBrowserStorageItem.Type type) {
+        @SuppressWarnings("unchecked")
+        List<Map<String, String>> storage =
+                (List<Map<String, String>>) je.executeScript(type.getScript());
+        if (storage == null || storage.isEmpty()) {
+            return;
+        }
+
+        storage.stream()
+                .map(
+                        e -> {
+                            DiagnosticBrowserStorageItem item = new DiagnosticBrowserStorageItem();
+                            item.setCreateTimestamp(Instant.now());
+                            item.setStep(currentStep);
+                            item.setType(type);
+                            item.setKey(e.get("key"));
+                            item.setValue(e.get("value"));
+                            return item;
+                        })
+                .forEach(currentStep.getBrowserStorageItems()::add);
+    }
+
     private DiagnosticWebElement createDiagnosticWebElement(
             WebDriver wd, List<WebElement> forms, WebElement element) {
         if (element == null) {

addOns/authhelper/src/main/java/org/zaproxy/addon/authhelper/internal/db/DiagnosticBrowserStorageItem.java

@@ -0,0 +1,79 @@
+/*
+ * Zed Attack Proxy (ZAP) and its related class files.
+ *
+ * ZAP is an HTTP/HTTPS proxy for assessing web application security.
+ *
+ * Copyright 2025 The ZAP Development Team
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.zaproxy.addon.authhelper.internal.db;
+
+import java.time.Instant;
+import javax.jdo.annotations.Cacheable;
+import javax.jdo.annotations.Column;
+import javax.jdo.annotations.IdGeneratorStrategy;
+import javax.jdo.annotations.PersistenceCapable;
+import javax.jdo.annotations.Persistent;
+import javax.jdo.annotations.PrimaryKey;
+import lombok.Data;
+import lombok.NoArgsConstructor;
+
+@Data
+@NoArgsConstructor
+@Cacheable("false")
+@PersistenceCapable(table = "AUTHHELPER_DIAGNOSTIC_BROWSER_STORAGE_ITEM", detachable = "true")
+public class DiagnosticBrowserStorageItem {
+
+    private static final String STORAGE_SCRIPT =
+            """
+            const data = [];
+            for (let i = 0; i < STORAGE.length; i++) {
+                data.push({"key": STORAGE.key(i), "value": STORAGE.getItem(STORAGE.key(i))});
+            }
+            return data;
+            """;
+
+    public enum Type {
+        LOCAL(STORAGE_SCRIPT.replace("STORAGE", "window.localStorage")),
+        SESSION(STORAGE_SCRIPT.replace("STORAGE", "sessionStorage"));
+
+        private String script;
+
+        Type(String script) {
+            this.script = script;
+        }
+
+        public String getScript() {
+            return script;
+        }
+    }
+
+    private Instant createTimestamp;
+
+    @PrimaryKey
+    @Persistent(valueStrategy = IdGeneratorStrategy.IDENTITY)
+    private int id;
+
+    @Column(name = "STEPID")
+    private DiagnosticStep step;
+
+    @Column(jdbcType = "INTEGER")
+    private Type type;
+
+    @Column(length = 4096)
+    private String key;
+
+    @Column(length = 65536)
+    private String value;
+}

addOns/authhelper/src/main/java/org/zaproxy/addon/authhelper/internal/db/DiagnosticStep.java

@@ -22,6 +22,7 @@
 import java.time.Instant;
 import java.util.ArrayList;
 import java.util.List;
+import java.util.stream.Stream;
 import javax.jdo.annotations.Cacheable;
 import javax.jdo.annotations.Column;
 import javax.jdo.annotations.Element;
@@ -71,7 +72,24 @@ public class DiagnosticStep {
     @Order(column = "NUMBER")
     private List<DiagnosticWebElement> webElements = new ArrayList<>();
 
+    @Order(column = "NUMBER")
+    @Persistent(mappedBy = "step")
+    private List<DiagnosticBrowserStorageItem> browserStorageItems = new ArrayList<>();
+
     public DiagnosticStep(String description) {
         this.description = description;
     }
+
+    public Stream<DiagnosticBrowserStorageItem> getBrowserLocalStorage() {
+        return getBrowerStorage(DiagnosticBrowserStorageItem.Type.LOCAL);
+    }
+
+    public Stream<DiagnosticBrowserStorageItem> getBrowserSessionStorage() {
+        return getBrowerStorage(DiagnosticBrowserStorageItem.Type.SESSION);
+    }
+
+    private Stream<DiagnosticBrowserStorageItem> getBrowerStorage(
+            DiagnosticBrowserStorageItem.Type type) {
+        return browserStorageItems.stream().filter(e -> e.getType() == type);
+    }
 }

addOns/authhelper/src/main/resources/META-INF/persistence.xml

@@ -6,6 +6,7 @@
 
     <persistence-unit name="authhelper">
         <class>org.zaproxy.addon.authhelper.internal.db.Diagnostic</class>
+        <class>org.zaproxy.addon.authhelper.internal.db.DiagnosticBrowserStorageItem</class>
         <class>org.zaproxy.addon.authhelper.internal.db.DiagnosticMessage</class>
         <class>org.zaproxy.addon.authhelper.internal.db.DiagnosticScreenshot</class>
         <class>org.zaproxy.addon.authhelper.internal.db.DiagnosticStep</class>

addOns/authhelper/src/main/resources/db/migration/V2__Create_storage_tables.sql

@@ -0,0 +1,13 @@
+
+CREATE CACHED TABLE IF NOT EXISTS "AUTHHELPER_DIAGNOSTIC_BROWSER_STORAGE_ITEM" (
+    "CREATETIMESTAMP" TIMESTAMP NULL,
+    "ID" BIGINT GENERATED BY DEFAULT AS IDENTITY PRIMARY KEY,
+    "STEPID" BIGINT NOT NULL,
+    "TYPE" INTEGER NOT NULL,
+    "NUMBER" BIGINT NOT NULL,
+    "KEY" VARCHAR(4096) NOT NULL,
+    "VALUE" VARCHAR(65536) NULL,
+);
+
+CREATE INDEX "AUTHHELPER_DIAGNOSTIC_BROWSER_STORAGE_ITEM_STEPID_IDX" ON "AUTHHELPER_DIAGNOSTIC_BROWSER_STORAGE_ITEM" ("STEPID");
+

addOns/authhelper/src/main/zapHomeFiles/reports/auth-report-json/Messages.properties

@@ -1,8 +1,10 @@
 report.template.invalid = There were no contexts or sites identified with relevant authentication data configured.
 report.template.section.afenv = Automation Framework Environment
 report.template.section.diagnostics = Diagnostics
+report.template.section.diagnosticslocalstorage = Local Storage for Diagnostics
 report.template.section.diagnosticsmessages = HTTP Messages for Diagnostics
 report.template.section.diagnosticsscreenshots = Screenshots for Diagnostics
+report.template.section.diagnosticssessionstorage = Session Storage for Diagnostics
 report.template.section.diagnosticswebelements = Web Elements for Diagnostics
 report.template.section.statistics = Statistics
 report.template.section.summary = Summary

addOns/authhelper/src/main/zapHomeFiles/reports/auth-report-json/report.json

@@ -63,7 +63,21 @@
 						}[/th:block]
 					][/th:block][#th:block th:if="${reportData.isIncludeSection('diagnosticsscreenshots') && step.screenshot}" th:with="screenshot=${step.screenshot}"]
 					,"screenshot": [[${screenshot.data}]]
-					[/th:block][#th:block th:if="${reportData.isIncludeSection('diagnosticsmessages')}" th:with="messages=${step.messages}"]
+					[/th:block][#th:block th:if="${reportData.isIncludeSection('diagnosticslocalstorage')}" th:with="storage=${step.getBrowserLocalStorage()}"]
+					,"localStorage": [[#th:block th:each="entry, state: ${storage}"][#th:block th:if="${! state.first}"],[/th:block]
+						{
+							"created": [[${entry.createTimestamp}]],
+							"key": [[${entry.key}]],
+							"value": [[${entry.value}]]
+						}[/th:block]
+					][/th:block][#th:block th:if="${reportData.isIncludeSection('diagnosticssessionstorage')}" th:with="storage=${step.getBrowserSessionStorage()}"]
+					,"sessionStorage": [[#th:block th:each="entry, state: ${storage}"][#th:block th:if="${! state.first}"],[/th:block]
+						{
+							"created": [[${entry.createTimestamp}]],
+							"key": [[${entry.key}]],
+							"value": [[${entry.value}]]
+						}[/th:block]
+					][/th:block][#th:block th:if="${reportData.isIncludeSection('diagnosticsmessages')}" th:with="messages=${step.messages}"]
 					,"messages": [[#th:block th:each="entry, state: ${messages}" th:with="message=${helper.getHttpMessage(entry.messageId)}"][#th:block th:if="${! state.first}"],[/th:block]
 						{[#th:block th:if="${message}"]
 							"created": [[${entry.createTimestamp}]],

addOns/authhelper/src/main/zapHomeFiles/reports/auth-report-json/template.yaml

@@ -10,3 +10,5 @@ sections:
  - diagnosticsmessages
  - diagnosticsscreenshots
  - diagnosticswebelements
+ - diagnosticslocalstorage
+ - diagnosticssessionstorage