Unable to Authenticate using options.prop

18 views
Skip to first unread message

Vanya Kashyap

unread,
Jun 30, 2022, 4:44:49 AMJun 30
to OWASP ZAP User Group
I am using the below command to test a authenticated endpoint. I am running Zap inside a podman container:

podman run -v /dest/folder/zap:/zap/wrk/:rw  owasp/zap2docker-stable zap-baseline.py -d -t https://securedhost.com/api/path/v1/ -z "-configfile /zap/wrk/options.prop" -r test-report.html

The options.prop looks like below and is located at  "/dest/folder/zap" and also at" /" and "/root" directory as the documentation was not clear :

-config replacer.full_list\\(0\\).description="Auth Header" -config replacer.full_list\\(0\\).enabled=true -config replacer.full_list\\(0\\).matchtype=REQ_HEADER -config replacer.full_list\\(0\\).matchstr=Authorization  -config replacer.full_list\\(0\\).regex=false -config replacer.full_list\\(0\\).replacement="Bearer accessTokenHere" -config replacer.full_list\\(1\\).description="Auth Header" -config replacer.full_list\\(1\\).enabled=true -config replacer.full_list\\(1\\).matchtype=REQ_HEADER -config replacer.full_list\\(1\\).matchstr=Accept -config replacer.full_list\\(1\\).regex=false -config replacer.full_list\\(1\\).replacement=application/json


The test passes with zero warnings.

FAIL-NEW: 0     FAIL-INPROG: 0  WARN-NEW: 0     WARN-INPROG: 0  INFO: 0 IGNORE: 0       PASS: 33

I am not able to see any other logs except for the ones in console and the application logs show 401 Unauthorized.

 I think the options .prop is not getting picked up. I have tried passing the -z options as below:

-z "-configfile /zap/wrk/options.prop"  
-z options.prop
-z /zap/wrk/options.prop
-z /dest/folder/zap/options.prop
and also as all content from the prop file to -z like this: 
-z "-config aaa=bbb -config ccc=ddd"

Nothing is working as the Bearer token is still not getting picked up.

Any pointers here please.


thc...@gmail.com

unread,
Jun 30, 2022, 4:49:26 AMJun 30
to zaprox...@googlegroups.com
Hi.

The entries in the file are not correct, it should not use -config and
has unnecessary escapes.

There's an example of what it should look like in:
https://www.zaproxy.org/faq/how-do-you-find-out-what-key-to-use-to-set-a-config-value-on-the-command-line/

Best regards.

Vanya Kashyap

unread,
Jun 30, 2022, 5:36:43 AMJun 30
to OWASP ZAP User Group
Thank you for the prompt response.

I tried after removing the escapes and now the request is timing out with error in the attached file. 
Tried by putting the config inline and within a file named conf. The argument in bold as suggested by the documentation throws this error:

podman run -v /dest/folder/zap:/zap/wrk/:rw  owasp/zap2docker-stable zap-baseline.py -d -t https://securedhost.com/api/path/v1/ -configfile conf -r test-report.html

So I use the above command instead and now the request simply times out:

2022-06-30 11:12:53,782 Using port: 55614
Traceback (most recent call last):
  File "/zap/zap-baseline.py", line 655, in <module>
    main(sys.argv[1:])
  File "/zap/zap-baseline.py", line 310, in main
    with open(base_dir + config_file) as f:
FileNotFoundError: [Errno 2] No such file or directory: '/zap/wrk/onfigfile'


And I use this command instead:

podman run -v /dest/folder/zap:/zap/wrk/:rw  owasp/zap2docker-stable zap-baseline.py -d -t https://securedhost.com/api/path/v1/ -z -configfile conf -r test-report.html

Thank you!!
Capture.PNG

thc...@gmail.com

unread,
Jun 30, 2022, 5:45:12 AMJun 30
to zaprox...@googlegroups.com
That documentation is if you are calling ZAP directly, with packaged
scans you need to use the -z.

You still need to pass the args with the quotes:
-z "-configfile conf"


Best regards.

On 30/06/2022 10:36, Vanya Kashyap wrote:
> Thank you for the prompt response.
>
> I tried after removing the escapes and now the request is timing out with
> error in the attached file.
> Tried by putting the config inline and within a file named conf. The
> argument in bold as suggested by the documentation throws this error:
>
> podman run -v /dest/folder/zap:/zap/wrk/:rw owasp/zap2docker-stable
> zap-baseline.py -d -t https://securedhost.com/api/path/v1/ *-configfile
> conf* -r test-report.html
>
> So I use the above command instead and now the request simply times out:
>
>
>
>
>
>
>
> *2022-06-30 11:12:53,782 Using port: 55614Traceback (most recent call
> last): File "/zap/zap-baseline.py", line 655, in <module>
> main(sys.argv[1:]) File "/zap/zap-baseline.py", line 310, in main with
> open(base_dir + config_file) as f:FileNotFoundError: [Errno 2] No such file
> or directory: '/zap/wrk/onfigfile'*
>
> And I use this command instead:
>
> podman run -v /dest/folder/zap:/zap/wrk/:rw owasp/zap2docker-stable
> zap-baseline.py -d -t https://securedhost.com/api/path/v1/ *-z* *-configfile
> conf* -r test-report.html
Reply all
Reply to author
Forward
0 new messages