I am trying to automate the docker implementation of ZAP proxy to target some of my token based web applications, which use Amazon Cognito for authentication and authorization.
Since the target app needs the token as an Authorization header, on the ZAP Desktop application this can be done through "Authentication" and "HttpSender" scripts, for fetching the token from Cognito and placing it in each HTTP request of the URLs being scanned, respectively.
However, for ZAP Docker, I can send a context file to it using the "-n" flag; the file will also contain a reference to the "Authentication" script that I would create to fetch the token from Cognito. But I do not find a way to bind an "HttpSender" script with the context file, or any flag that takes this file, in the provided list of options given in the link above.
So, the questions are:
- Can I use additional libraries such as the AWS SDK to refer to within the Authentication script? How can I pass them to the ZAP Docker container so that the script can reference them at runtime?
- Is there a way to send an HttpSender script, or any other way, to put the token in each scan request?
Thanks!
Hello, anyone there to give me some directions on the above?

On Thursday, 24 June, 2021 at 3:50:18 pm UTC+5:30 Bhoj Raj Joshi wrote:
> I am trying to automate the docker implementation of ZAP proxy to target some of my token based web applications, which use Amazon Cognito for authentication and authorization.
> Since the target app needs the token as an Authorization header, on the ZAP Desktop application this can be done through "Authentication" and "HttpSender" scripts, for fetching the token from Cognito and placing it in each HTTP request of the URLs being scanned, respectively.
> However, for ZAP Docker, I can send a context file to it using the "-n" flag; the file will also contain a reference to the "Authentication" script that I would create to fetch the token from Cognito. But I do not find a way to bind an "HttpSender" script with the context file, or any flag that takes this file, in the provided list of options given in the link above.
> So, the questions are:
> - Can I use additional libraries such as the AWS SDK to refer to within the Authentication script? How can I pass them to the ZAP Docker container so that the script can reference them at runtime?
> - Is there a way to send an HttpSender script, or any other way, to put the token in each scan request?
> Thanks!
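As an added illustration of the HttpSender mechanism the post describes (this is example code, not from the original thread or the ZAP project), the script below shows the two entry points a ZAP HttpSender script exposes, `sendingRequest` and `responseReceived`, injecting a bearer token read from a global variable into every outgoing request and clearing it when the target answers 401. In ZAP, `msg` is an `HttpMessage` and the token would come from `ScriptVars.getGlobalVar`; here a small in-memory store and a stand-in `makeMessage` are assumed so the logic can be exercised outside ZAP. The host allow-list, the variable name `cognitoIdToken` and the hostnames are constructed values; the allow-list matters because an HttpSender script runs for every request ZAP makes, and a bearer token must not be sent to hosts outside the scan scope.

```javascript
// Added example of a ZAP-style HttpSender script (not from the original post).
// In ZAP: msg is org.parosproxy.paros.network.HttpMessage, and the token store
// would be org.zaproxy.zap.extension.script.ScriptVars. Both are replaced by
// small stand-ins here so the logic runs under plain Node.

const TOKEN_VAR_NAME = "cognitoIdToken"; // assumed global variable name

// Stand-in for ScriptVars.getGlobalVar / setGlobalVar (hypothetical helper).
const globalVars = new Map();
function setGlobalVar(name, value) { globalVars.set(name, value); }
function getGlobalVar(name) { return globalVars.get(name); }

// Hosts that are in scope for the scan (constructed values). The token is
// only ever attached to requests for these hosts.
const ALLOWED_HOSTS = ["app.example.com", "api.example.com"];
function isAllowedHost(host) { return ALLOWED_HOSTS.includes(host); }

// HttpSender entry point: runs before each request leaves ZAP.
// Returns true when a header was added (ZAP ignores the return value;
// it is here so the behaviour can be checked).
function sendingRequest(msg, initiator, helper) {
  const token = getGlobalVar(TOKEN_VAR_NAME);
  if (!token) return false;                       // nothing to inject yet
  const reqHeader = msg.getRequestHeader();
  if (!isAllowedHost(reqHeader.getHostName())) return false; // out of scope
  reqHeader.setHeader("Authorization", "Bearer " + token);
  return true;
}

// HttpSender entry point: runs after each response. A 401 means the token
// was rejected (expired or invalid); clear it so later requests do not keep
// replaying a dead token, and so the authentication script can refresh it.
function responseReceived(msg, initiator, helper) {
  if (msg.getResponseHeader().getStatusCode() === 401) {
    setGlobalVar(TOKEN_VAR_NAME, "");
    return true;
  }
  return false;
}

// Minimal stand-in for HttpMessage so the script can be exercised outside ZAP
// (hypothetical helper; constructed for this example).
function makeMessage(host, statusCode) {
  const headers = {};
  return {
    getRequestHeader: () => ({
      getHostName: () => host,
      setHeader: (name, value) => { headers[name] = value; },
      getHeader: (name) => (name in headers ? headers[name] : null),
    }),
    getResponseHeader: () => ({ getStatusCode: () => statusCode }),
  };
}
```

When loaded into ZAP, only `sendingRequest` and `responseReceived` are relevant; the stand-ins exist so the header logic can be tested locally before the script is dropped into a scan.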