Sending Auth token via replacer


Venkata Subrahmanyam

Feb 2, 2021, 07:10:31
To: zaproxy...@googlegroups.com
Hello, 

I have created separate authentication scripts in Python and am extracting the token using Python POST requests. I am passing it for authentication using the zap.replacer function.

My question is - would this be an effective way of performing an authenticated spider and active scans since I am not using ZAP core modules but rather setting the token separately before initiating Spider and Active scan?

Thank you, 
Venkat


psiinon

Feb 2, 2021, 08:47:51
To: OWASP ZAP Developer Group
Yes, that should be fine.
If you have access to the token before starting ZAP then you can get ZAP to use it via one or more environmental variables as per https://www.zaproxy.org/docs/desktop/start/features/authentication/#envvars

Cheers,

Simon

Venkata Subrahmanyam

Feb 2, 2021, 16:57:00
To: zaproxy...@googlegroups.com
Perfect. One follow-up question: what does the 'id' parameter in the setAttackStrength API refer to? I could not find the corresponding documentation on the website. I do not remember setting that parameter from the GUI, though.

https://github.com/zaproxy/zaproxy/issues/1386 does not explain either. 

Thank you, 
Venkat


psiinon

Feb 3, 2021, 07:43:47
To: OWASP ZAP Developer Group
That is the identifier for the scan rule, as per https://www.zaproxy.org/docs/alerts/

Cheers,

Simon
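The approach agreed above (set the token via a Replacer rule, then spider and active scan) and the scan-rule `id` used by setScannerAttackStrength, as one added example that is not code from the original posts nor from the ZAP project. It drives ZAP's JSON REST API directly with urllib, so no client library is needed; the ZAP endpoints (replacer/action/addRule, ascan/action/setScannerAttackStrength, spider/action/scan, ascan/action/scan, core/view/alertsSummary and the two status views) are real, while the ZAP address, API key, target URL, login endpoint and the shape of the login response are placeholders. 40018 is the id of the SQL Injection scan rule as listed at https://www.zaproxy.org/docs/alerts/.

```python
"""Authenticated ZAP spider + active scan using a Replacer rule for the token.

Added example: obtain a bearer token from the app's own login endpoint, install
a Replacer rule so ZAP overwrites the Authorization header on every request it
sends, tune one scan rule by id, then spider, active scan and read the summary.
"""
import json
import time
import urllib.parse
import urllib.request

ZAP = "http://127.0.0.1:8080"          # placeholder: ZAP API address
API_KEY = "changeme"                   # placeholder: ZAP API key
TARGET = "https://app.example.test"    # placeholder: application under test
LOGIN = TARGET + "/api/login"          # placeholder: login endpoint returning JSON


def api_url(component, kind, name, params=None, base=ZAP, api_key=API_KEY):
    """Build a ZAP JSON API URL: <base>/JSON/<component>/<view|action>/<name>/?..."""
    query = {"apikey": api_key}
    query.update(params or {})
    return f"{base}/JSON/{component}/{kind}/{name}/?" + urllib.parse.urlencode(query)


def bearer_rule(token, description="auth-token"):
    """Parameters for replacer/action/addRule that replace the Authorization header.

    REQ_HEADER matches a request header by name (matchString), so matchRegex is
    false. No initiators are given, so the rule applies to spider, active scan
    and proxied traffic alike.
    """
    return {
        "description": description,
        "enabled": "true",
        "matchType": "REQ_HEADER",
        "matchRegex": "false",
        "matchString": "Authorization",
        "replacement": f"Bearer {token}",
    }


def attack_strength(rule_id, strength, policy=None):
    """Parameters for ascan/action/setScannerAttackStrength.

    `id` is the scan rule id from https://www.zaproxy.org/docs/alerts/ (for
    example 40018 = SQL Injection); strength is LOW, MEDIUM, HIGH or INSANE.
    """
    params = {"id": str(rule_id), "attackStrength": strength}
    if policy:
        params["scanPolicyName"] = policy
    return params


def call(url, data=None):
    """GET (or POST when data is given) a URL and decode the JSON reply."""
    req = urllib.request.Request(url, data=data, headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def fetch_token(username, password):
    """Log in with a JSON POST; assumes the reply carries an `access_token` field."""
    body = json.dumps({"username": username, "password": password}).encode()
    return call(LOGIN, data=body)["access_token"]


def wait_for(component, scan_id):
    """Poll spider/view/status or ascan/view/status until the scan reports 100."""
    while int(call(api_url(component, "view", "status", {"scanId": scan_id}))["status"]) < 100:
        time.sleep(2)


def authenticated_scan(token):
    """Install the token rule, tune SQLi strength, spider, active scan, summarise."""
    call(api_url("replacer", "action", "addRule", bearer_rule(token)))
    call(api_url("ascan", "action", "setScannerAttackStrength", attack_strength(40018, "HIGH")))
    spider_id = call(api_url("spider", "action", "scan", {"url": TARGET}))["scan"]
    wait_for("spider", spider_id)
    ascan_id = call(api_url("ascan", "action", "scan", {"url": TARGET, "recurse": "true"}))["scan"]
    wait_for("ascan", ascan_id)
    return call(api_url("core", "view", "alertsSummary", {"baseurl": TARGET}))["alertsSummary"]


if __name__ == "__main__":
    # Credentials are placeholders; the token never needs to be known before ZAP
    # starts, which is the point of doing it through the Replacer API.
    print(authenticated_scan(fetch_token("scanner", "secret")))
```

Because the rule has no `initiators` restriction it also rewrites traffic you proxy manually through ZAP, which is usually what you want for a one-off authenticated scan; pass the initiator ids to `addRule` if the token should only be injected for the spider and active scanner.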

Venkata Subrahmanyam

Feb 4, 2021, 00:30:40
To: zaproxy...@googlegroups.com
Thank you. Is there an 'id' to set for all scan rules by default?

psiinon

Feb 4, 2021, 04:36:29
To: OWASP ZAP Developer Group

Venkata Subrahmanyam

Feb 10, 2021, 16:03:15
To: zaproxy...@googlegroups.com
Hello, 

Just an observation I have had: sometimes the GUI reports differently than when running from API calls, and the report numbers differ from what is reported in the API call (alertsSummary). This happens when we aren't changing any configuration settings. Is there something I am missing here?


psiinon

Feb 11, 2021, 04:28:29
To: OWASP ZAP Developer Group
ZAP scans are not deterministic, I'm afraid; these differences can happen if you just use the desktop or just use the API as well.
There are too many subtle differences that can happen when scanning a real application.
However, the results should stay mostly consistent.

Cheers,

Simon