Sending Auth token via replacer


Venkata Subrahmanyam

Feb 2, 2021, 7:10:31 AM
to zaproxy...@googlegroups.com
Hello, 

I have created separate Authentication scripts in Python and am extracting token using Python POST requests. I am passing these for authentication using zap.replacer function.

My question is - would this be an effective way of performing an authenticated spider and active scans since I am not using ZAP core modules but rather setting the token separately before initiating Spider and Active scan?

Thank you, 
Venkat


psiinon

Feb 2, 2021, 8:47:51 AM
to OWASP ZAP Developer Group
Yes, that should be fine.
If you have access to the token before starting ZAP then you can get ZAP to use it via one or more environmental variables as per https://www.zaproxy.org/docs/desktop/start/features/authentication/#envvars

Cheers,

Simon

Venkata Subrahmanyam

Feb 2, 2021, 4:57:00 PM
to zaproxy...@googlegroups.com
Perfect. One follow-up question: what does the 'id' parameter in the setAttackStrength API refer to? I could not find the corresponding documentation on the website. I do not remember setting that parameter from the GUI, though.

https://github.com/zaproxy/zaproxy/issues/1386 does not explain either. 

Thank you, 
Venkat


psiinon

Feb 3, 2021, 7:43:47 AM
to OWASP ZAP Developer Group
That is the identifier for the scan rule, as per https://www.zaproxy.org/docs/alerts/

Cheers,

Simon
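The workflow discussed in this thread (an externally obtained token injected through the Replacer add-on, the per-rule 'id' used by setScannerAttackStrength, then an authenticated spider and active scan read back through alertsSummary) as an added example. This is not code from the thread or from the ZAP project; it drives ZAP's JSON API with the standard library only, so it does not need the zapv2 client package. Endpoint and parameter names (`replacer/action/addRule`, `ascan/view/scanners`, `ascan/action/setScannerAttackStrength`, `alert/view/alertsSummary`, the `X-ZAP-API-Key` header) follow ZAP's API documentation; the host, API key, token and target URL are placeholders, and the `fetch` callable is an injection point so the workflow can be exercised without a running ZAP. The `url` regex on the replacer rule is the practitioner caveat worth noting: without it the token is attached to every request ZAP proxies, including any off-target hosts the spider wanders to.

```python
"""Added example: ZAP JSON API workflow for token-via-replacer authenticated scans.

Assumptions (placeholders, not values from the thread): ZAP listening on
127.0.0.1:8080, API key "changeme", target https://app.example.test/.
"""
import json
import time
import urllib.parse
import urllib.request


def urllib_fetch(url, api_key):
    """Default transport: GET the API URL with the key sent as X-ZAP-API-Key."""
    req = urllib.request.Request(url, headers={"X-ZAP-API-Key": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


class ZapClient:
    def __init__(self, base_url="http://127.0.0.1:8080", api_key="", fetch=urllib_fetch):
        self.base_url = base_url.rstrip("/")
        self.api_key = api_key
        self.fetch = fetch  # injectable transport (a fake is used in offline tests)

    def call(self, component, kind, name, **params):
        """Build /JSON/<component>/<action|view>/<name>/?... and return the parsed JSON."""
        query = urllib.parse.urlencode({k: v for k, v in params.items() if v is not None})
        url = f"{self.base_url}/JSON/{component}/{kind}/{name}/?{query}"
        return self.fetch(url, self.api_key)

    def add_bearer_token_rule(self, token, target_regex):
        """Replacer rule: set the Authorization request header on target requests only.

        matchType=REQ_HEADER with matchRegex=false means "replace this header's value".
        The url regex scopes the rule so the token is not replayed to other hosts.
        """
        return self.call("replacer", "action", "addRule",
                         description="auth-token", enabled="true",
                         matchType="REQ_HEADER", matchRegex="false",
                         matchString="Authorization", replacement=f"Bearer {token}",
                         url=target_regex)

    def set_all_rule_strengths(self, strength, policy=None):
        """The 'id' of setScannerAttackStrength is the scan rule id, as listed by
        ascan/view/scanners (the same ids as on https://www.zaproxy.org/docs/alerts/).
        Iterating over that list applies one strength to every rule."""
        rules = self.call("ascan", "view", "scanners", scanPolicyName=policy)["scanners"]
        rule_ids = [rule["id"] for rule in rules]
        for rule_id in rule_ids:
            self.call("ascan", "action", "setScannerAttackStrength",
                      id=rule_id, attackStrength=strength, scanPolicyName=policy)
        return rule_ids

    def _wait(self, component, scan_id, poll_seconds=2.0):
        """Poll <component>/view/status until the scan reports 100 percent."""
        while int(self.call(component, "view", "status", scanId=scan_id)["status"]) < 100:
            time.sleep(poll_seconds)

    def authenticated_scan(self, target):
        """Spider, then active scan, then return the alertsSummary dict for the target."""
        spider_id = self.call("spider", "action", "scan", url=target)["scan"]
        self._wait("spider", spider_id)
        ascan_id = self.call("ascan", "action", "scan", url=target)["scan"]
        self._wait("ascan", ascan_id)
        return self.call("alert", "view", "alertsSummary", baseurl=target)["alertsSummary"]


if __name__ == "__main__":
    # Against a real ZAP instance; the token would come from your own login script.
    zap = ZapClient("http://127.0.0.1:8080", api_key="changeme")
    zap.add_bearer_token_rule("<token-from-login-script>", r"^https://app\.example\.test/.*")
    zap.set_all_rule_strengths("MEDIUM")
    print(zap.authenticated_scan("https://app.example.test/"))
```

Because the replacer rule is applied at the proxy layer, the spider and active scanner never need to know how the token was obtained; the trade-off is that ZAP cannot detect the token expiring, so a long active scan should re-check the rule (or re-run the login script and replace the rule) rather than assume the session is still valid. The alertsSummary counts are the same numbers the GUI shows, but as later in this thread, two runs against a live application will not necessarily match exactly.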

Venkata Subrahmanyam

Feb 4, 2021, 12:30:40 AM
to zaproxy...@googlegroups.com
Thank you. Is there an 'id' to set for all scan rules by default?

psiinon

Feb 4, 2021, 4:36:29 AM
to OWASP ZAP Developer Group

Venkata Subrahmanyam

Feb 10, 2021, 4:03:15 PM
to zaproxy...@googlegroups.com
Hello, 

Just an observation I have had: sometimes the GUI gives reports differently than when running from API calls, and the report numbers differ from what is reported in the API call (alertsSummary). This happens when we aren't changing any configuration settings. Is there something I am missing here?


psiinon

Feb 11, 2021, 4:28:29 AM
to OWASP ZAP Developer Group
ZAP scans are not deterministic, I'm afraid; these differences can happen if you just use the desktop or just use the API as well.
There are too many subtle differences that can happen when scanning a real application.
However, the results should stay mostly consistent.

Cheers,

Simon