Authentication Header via ENV Vars


Gaurav Das

May 21, 2021, 3:19:31 AM
to OWASP ZAP User Group
Hi,
I am using the ZAP_AUTH_HEADER_VALUE and ZAP_AUTH_HEADER env variables to set my authentication and running ZAP in command line mode (java -jar ZAP.jar -quickurl $url).
But it's not working. Could you please help me regarding that?



Thanks

Simon Bennetts

May 21, 2021, 4:25:12 AM
to OWASP ZAP User Group
Hiya,

First of all - that's not a supported way of running ZAP - you should use either zap.sh or zap.bat as per https://www.zaproxy.org/faq/how-can-you-start-zap/

Secondly - whats not working?
ZAP? The headers?
Try again using one of the scripts and then give us much more details :)

Cheers,

Simon

Gaurav Das

May 24, 2021, 2:28:44 AM
to OWASP ZAP User Group
Hi Simon,
Actually, I want to run a ZAP test on an API URL. That API URL needs to be authenticated first using an authentication bearer token and a few other user-defined headers in order to run ZAP.
I am looking for a possible way to achieve this via ZAP.
Could you please suggest the best possible way in this scenario?


Thanks and Regards,
Gaurav

Simon Bennetts

May 24, 2021, 7:15:01 AM
to OWASP ZAP User Group
Hi Gaurav,

If we were talking about just one header then the env vars would be ideal, but they only handle one header.
Your best option is to write an HttpSender script which adds all of the headers you need.
Have a look at these examples - the Python one does what you want, but Python support is not included by default, so rewriting it in JavaScript might be better:
Test your script in the ZAP Desktop first. Then you can add it to ZAP as per https://www.zaproxy.org/faq/how-do-you-add-a-script-to-zap-from-the-command-line/ for automation.

Cheers,

Simon
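
As an added example of the HttpSender approach Simon describes (this is not code from the thread, from the linked examples or from ZAP itself): a JavaScript script of type HTTP Sender that adds several headers, read from environment variables, to every request ZAP sends to one host. The environment variable names (API_BEARER_TOKEN, API_KEY, API_TENANT_ID), the host api.example.com and the helper functions getenv and headersToAdd are assumptions for illustration; ZAP's own single-header variables are the ZAP_AUTH_HEADER_VALUE / ZAP_AUTH_HEADER ones discussed above. msg.getRequestHeader().setHeader() and getHostName() are ZAP's HttpRequestHeader methods; the getenv wrapper uses java.lang.System.getenv under ZAP's scripting engine and falls back to process.env so the same file can be exercised outside ZAP.

```javascript
// Added example: ZAP "HTTP Sender" script that injects several headers into
// requests for one target host. Not part of the original thread or of ZAP.
// Assumed environment variable names and target host (change to suit).

// Header name -> environment variable that holds its value (hypothetical names).
var HEADERS_FROM_ENV = {
  "Authorization": "API_BEARER_TOKEN",  // raw token; "Bearer " is prefixed below
  "X-Api-Key":     "API_KEY",
  "X-Tenant-Id":   "API_TENANT_ID"
};

// Only inject into requests for this host (assumed). Requests to any other host,
// e.g. third-party sites the target links or redirects to, are left untouched so
// the token is not leaked there.
var TARGET_HOST = "api.example.com";

// Read an environment variable: java.lang.System under ZAP's JS engine,
// process.env when the file is run under Node for a quick check.
function getenv(name) {
  if (typeof java !== "undefined") {
    var v = java.lang.System.getenv(name);
    return v === null ? undefined : String(v);
  }
  return process.env[name];
}

// Build the list of {name, value} headers to add. A variable that is unset or
// empty is skipped rather than sent as an empty header value.
function headersToAdd(env) {
  var out = [];
  for (var header in HEADERS_FROM_ENV) {
    var value = env(HEADERS_FROM_ENV[header]);
    if (value === undefined || value === "") {
      continue;
    }
    if (header === "Authorization") {
      value = "Bearer " + value;
    }
    out.push({ name: header, value: value });
  }
  return out;
}

// ZAP calls this for every request before it is sent (spider, scanner, proxy).
// Returns the number of headers set; ZAP ignores the return value.
function sendingRequest(msg, initiator, helper) {
  var reqHeader = msg.getRequestHeader();
  if (String(reqHeader.getHostName()) !== TARGET_HOST) {
    return 0;
  }
  var added = headersToAdd(getenv);
  for (var i = 0; i < added.length; i++) {
    // setHeader replaces any existing header of the same name.
    reqHeader.setHeader(added[i].name, added[i].value);
  }
  return added.length;
}

// ZAP calls this for every response; nothing to do here.
function responseReceived(msg, initiator, helper) {
}
```

Load it in the ZAP Desktop under Scripts as an HTTP Sender script, enable it, and confirm in the History tab that only requests to the target host carry the extra headers before adding it from the command line as per the FAQ above. The host check is the part worth keeping even if everything else is changed: an HTTP Sender script runs for every request ZAP makes, and an unconditional Authorization header would hand the bearer token to any other host the scan touches.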

Gaurav Das

May 31, 2021, 4:48:12 AM
to OWASP ZAP User Group
Hi Simon,

Thanks for your help. The above suggestions did work well for our automation.
Currently, we want to run ZAP for more than one REST API. We are following MVC architecture to build our REST API.
The REST APIs are configured under a controller class where views are being used for logical to physical URL mapping.
So the Traditional Spider is not fetching all the REST API URLs.

Is there any workaround or a better way, like scripting, you can suggest? It would be very helpful.
Again, Thanks for your help.


Regards,
Gaurav 

Simon Bennetts

Jun 1, 2021, 4:43:55 AM
to OWASP ZAP User Group
Hi Gaurav,

The Traditional Spider follows links. If your app does not provide those links then that spider will not work very well.
However, we know nothing about your app, so over to you - what does your app provide which will let a tool like ZAP find all of the API endpoints?
Does it provide an API definition eg in OpenAPI / Swagger, SOAP, GraphQL?

Have a look at the "Exploring Applications : Other Ways" video on https://www.zaproxy.org/zap-deep-dive/

Cheers,

Simon

Gaurav Das

Mar 1, 2022, 10:21:56 PM
to zaprox...@googlegroups.com, notifyanu...@gmail.com
Hi Simon,

Thanks for all your help. 
We have added openapi addon in our ZAP application.
We want to hit all the URLs from the OpenAPI definition file using the ZAP command line option. We have already referred to the below document

But we are not able to see any progress after running the command. We aren't even sure if the command is working at all. Also, if possible, could you please share any sample repo or command to show how this can be achieved.


Thanks and Regards,
Gaurav


Richard DAmelio

Mar 2, 2022, 5:58:55 PM
to OWASP ZAP User Group
Hi,
I need to get a token from one site and use that token in another site, and the token needs to be added to all the headers.
I've seen you use scripts to do something similar, but it was only on one site and not 2 sites.
Is this supported, and if so, what is the best way to implement this?
Also, the token expires within 30 minutes, so I'll need to re-get the token since my scan will take longer than 30 minutes.

Simon Bennetts

Mar 3, 2022, 4:39:24 AM
to OWASP ZAP User Group
ZAP scripts are really powerful and so should be able to handle any situation like this.
However, this thread was explicitly about authentication headers using env vars - you won't be able to use them in this more complicated scenario.
Start a new conversation in this group and try to explain exactly what requests need to be made and what you need to do with them, eg
  1. Make request to https://www.example1.com passing in a set of credentials
  2. Extract a token from the JSON response
  3. Make request to https://www.example2.com passing in the above token
  4. ...
Cheers,

Simon

Simon Bennetts

Mar 3, 2022, 12:07:07 PM
to OWASP ZAP User Group
Hi Gaurav,

Are you trying to automate ZAP scanning of your openapi definition?
If so then I'd recommend you look at the Automation Framework (AF): https://www.zaproxy.org/docs/automate/automation-framework/

The ZAP command line is very limited - the AF is much more flexible and powerful.

Cheers,

Simon