Automation Framework - How to Pass Header value to the API


Hardik Shah

Feb 18, 2022, 5:28:49 AM
to OWASP ZAP Developer Group
Dear Team,

We are right now trying to evaluate the ZAP Tool. Till now it is looking very handy.
Great to have this tool.

Current Version of ZAP: 2.11.1

I am trying to use the new Automation Framework for deployment. Below is the scenario:
1. I have an API: https://xxx.com/external/test/demo/1
2. This needs a header to be passed, a combination of key and value.
3. This was possible with the Replacer in the options of the GUI tool, but could you help me with how I pass this in the YML file? The YML file is as below:

---
env:
  contexts:
  - name: "Default Context"
    urls:
    - "https://xxx.com/external/test/demo/1"
    includePaths:
    - "https://xxx.com/external/test/demo/1.*"
    excludePaths: []
    authentication:
      parameters: {}
      verification:
        method: "response"
        pollFrequency: 60
        pollUnits: "requests"
    sessionManagement:
      method: "cookie"
      parameters: {}
  parameters:
    failOnError: true
    failOnWarning: false
    progressToStdout: true
  vars:
    Header-Key: "Header-Value"
jobs:
- parameters:
    scanOnlyInScope: true
    enableTags: false
  rules: []
  name: "passiveScan-config"
  type: "passiveScan-config"
- parameters:
    context: "Default Context"
    user: ""
    url: "https://xxx.com/external/test/demo/1"
    maxDuration: 0
    maxDepth: 0
    maxChildren: 0
  name: "spider"
  type: "spider"
  tests:
  - onFail: "INFO"
    statistic: "automation.spider.urls.added"
    site: ""
    operator: ">="
    value: 100
    name: "At least 100 URLs found"
    type: "stats"
- parameters:
    context: "Default Context"
    user: ""
    url: "https://xxx.com/external/test/demo/1"
    maxDuration: 0
    maxCrawlDepth: 0
    numberOfBrowsers: 0
  name: "spiderAjax"
  type: "spiderAjax"
  tests:
  - onFail: "INFO"
    statistic: "spiderAjax.urls.added"
    site: ""
    operator: ">="
    value: 100
    name: "At least 100 URLs found"
    type: "stats"
- parameters: {}
  name: "passiveScan-wait"
  type: "passiveScan-wait"
- parameters:
    context: "Default Context"
    user: ""
    policy: ""
    maxRuleDurationInMins: 0
    maxScanDurationInMins: 0
  policyDefinition:
    defaultStrength: "medium"
    defaultThreshold: "medium"
    rules: []
  name: "activeScan"
  type: "activeScan"
- parameters:
    template: "risk-confidence-html"
    theme: "original"
    reportDir: "C:\\ZAPReports"
    reportFile: "ZAP-Report-api.test"
    reportTitle: "ZAP Scanning Report"
    reportDescription: ""
    displayReport: false
  risks:
  - "info"
  - "low"
  - "medium"
  - "high"
  confidences:
  - "falsepositive"
  - "low"
  - "medium"
  - "high"
  - "confirmed"
  sections:
  - "siteRiskCounts"
  - "responseBody"
  - "appendix"
  - "alertTypes"
  - "responseHeader"
  - "alertTypeCounts"
  - "riskConfidenceCounts"
  - "alerts"
  - "aboutThisReport"
  - "contents"
  - "requestBody"
  - "reportDescription"
  - "reportParameters"
  - "requestHeader"
  - "summaries"
  name: "ZAP-Report-api.test"
  type: "report"



Hardik Shah

Feb 24, 2022, 6:03:14 AM
to OWASP ZAP Developer Group
Dear Team,
Appreciate your help. Please suggest.

psiinon

Feb 24, 2022, 6:10:52 AM
to OWASP ZAP Developer Group
Sorry, was on my list to answer :/

The Automation Framework (AF) does not currently support the Replacer, but we do have a workaround.
You can use the standard ZAP authentication environmental variables: https://www.zaproxy.org/docs/authentication/handling-auth-yourself/
Note that these should _not_ be defined in the AF yaml file as per https://www.zaproxy.org/docs/desktop/addons/automation-framework/authentication/ or they will just be ignored.

Cheers,

Simon
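
The workaround Simon describes, as an added example that is not part of this thread and not code from the ZAP project: a wrapper script that hands the header to ZAP through the environment variables documented on the linked page (ZAP_AUTH_HEADER, ZAP_AUTH_HEADER_VALUE, ZAP_AUTH_HEADER_SITE) and then runs the AF plan headless with ZAP's `-cmd -autorun` options. It also refuses to start when the plan file defines those variable names itself, since the AF ignores them there. ZAP_CMD, the plan path, the header name and value, and the site are assumed sample values, not anything from the thread.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread or from the ZAP project.
# Runs an Automation Framework plan while ZAP injects a custom request header via
# its authentication environment variables, since the AF has no Replacer job.
# Assumptions: ZAP_CMD (default: zap.sh on PATH), the plan path and the header
# name/value/site are constructed sample values.
set -eu

ZAP_CMD=${ZAP_CMD:-zap.sh}

# Accept only plain header names (letters, digits, '-' and '_'); a stray space or
# colon would make ZAP send a header the target never looks at.
zap_valid_header_name() {
  case "$1" in
    ''|*[!A-Za-z0-9_-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# True (exit 0) when the plan defines the ZAP_AUTH_HEADER* names itself, e.g. under
# env/vars. The AF ignores them there; they must reach ZAP as process environment.
zap_plan_misuses_auth_vars() {
  grep -Eq '^[[:space:]]*"?ZAP_AUTH_HEADER(_VALUE|_SITE)?"?[[:space:]]*:' "$1"
}

# Pre-flight checks: header name, non-empty value, readable plan, and no auth
# variables inside the plan. Returns non-zero with a message on the first failure.
zap_preflight() {
  name=$1 value=$2 plan=$3
  zap_valid_header_name "$name" || { echo "invalid header name: '$name'" >&2; return 1; }
  [ -n "$value" ] || { echo "empty header value" >&2; return 1; }
  [ -r "$plan" ] || { echo "plan not readable: $plan" >&2; return 1; }
  if zap_plan_misuses_auth_vars "$plan"; then
    echo "remove ZAP_AUTH_HEADER* from $plan; set them in the environment instead" >&2
    return 1
  fi
}

# Launch ZAP headless with the plan. ZAP_AUTH_HEADER_SITE limits the header to one
# host, so the secret is not replayed to every site the spiders discover.
# Prefix assignments keep the value out of argv (and therefore out of `ps` output).
run_zap_plan() {
  name=$1 value=$2 site=$3 plan=$4
  zap_preflight "$name" "$value" "$plan" || return 1
  ZAP_AUTH_HEADER="$name" \
  ZAP_AUTH_HEADER_VALUE="$value" \
  ZAP_AUTH_HEADER_SITE="$site" \
    "$ZAP_CMD" -cmd -autorun "$plan"
}

# Usage (constructed values): ./run-af.sh X-Api-Key "$API_KEY" xxx.com plan.yaml
if [ $# -ge 4 ]; then
  run_zap_plan "$1" "$2" "$3" "$4"
fi
```

Keep the `vars:` entry for the header out of the plan altogether; with this approach the plan only describes the scan, and the secret lives in the environment of the process that launches ZAP (a CI secret store or a local shell variable), which is also why the value is passed as a prefix assignment rather than on the command line.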

Hardik Shah

Feb 27, 2022, 10:59:22 PM
to OWASP ZAP Developer Group
Thank You
I will try and definitely let you know.
