Unable to Authenticate using options.prop


Vanya Kashyap

Jun 30, 2022, 4:44:49 AM
to OWASP ZAP User Group
I am using the below command to test an authenticated endpoint. I am running ZAP inside a podman container:

podman run -v /dest/folder/zap:/zap/wrk/:rw  owasp/zap2docker-stable zap-baseline.py -d -t https://securedhost.com/api/path/v1/ -z "-configfile /zap/wrk/options.prop" -r test-report.html

The options.prop looks like below and is located at "/dest/folder/zap" and also in the "/" and "/root" directories, as the documentation was not clear:

-config replacer.full_list\\(0\\).description="Auth Header" -config replacer.full_list\\(0\\).enabled=true -config replacer.full_list\\(0\\).matchtype=REQ_HEADER -config replacer.full_list\\(0\\).matchstr=Authorization  -config replacer.full_list\\(0\\).regex=false -config replacer.full_list\\(0\\).replacement="Bearer accessTokenHere" -config replacer.full_list\\(1\\).description="Auth Header" -config replacer.full_list\\(1\\).enabled=true -config replacer.full_list\\(1\\).matchtype=REQ_HEADER -config replacer.full_list\\(1\\).matchstr=Accept -config replacer.full_list\\(1\\).regex=false -config replacer.full_list\\(1\\).replacement=application/json


The test passes with zero warnings.

FAIL-NEW: 0     FAIL-INPROG: 0  WARN-NEW: 0     WARN-INPROG: 0  INFO: 0 IGNORE: 0       PASS: 33

I am not able to see any other logs except for the ones in console and the application logs show 401 Unauthorized.

I think the options.prop is not getting picked up. I have tried passing the -z options as below:

-z "-configfile /zap/wrk/options.prop"  
-z options.prop
-z /zap/wrk/options.prop
-z /dest/folder/zap/options.prop
and also by passing all the content of the prop file to -z like this:
-z "-config aaa=bbb -config ccc=ddd"

Nothing is working as the Bearer token is still not getting picked up.

Any pointers here please.


thc...@gmail.com

Jun 30, 2022, 4:49:26 AM
to zaprox...@googlegroups.com
Hi.

The entries in the file are not correct, it should not use -config and
has unnecessary escapes.

There's an example of what it should look like in:
https://www.zaproxy.org/faq/how-do-you-find-out-what-key-to-use-to-set-a-config-value-on-the-command-line/

Best regards.

Vanya Kashyap

Jun 30, 2022, 5:36:43 AM
to OWASP ZAP User Group
Thank you for the prompt response.

I tried after removing the escapes and now the request is timing out, with the error in the attached file.
I tried putting the config inline and within a file named conf. The argument as suggested by the documentation (-configfile conf) throws this error:

podman run -v /dest/folder/zap:/zap/wrk/:rw  owasp/zap2docker-stable zap-baseline.py -d -t https://securedhost.com/api/path/v1/ -configfile conf -r test-report.html

So I use the above command instead and now the request simply times out:

2022-06-30 11:12:53,782 Using port: 55614
Traceback (most recent call last):
  File "/zap/zap-baseline.py", line 655, in <module>
    main(sys.argv[1:])
  File "/zap/zap-baseline.py", line 310, in main
    with open(base_dir + config_file) as f:
FileNotFoundError: [Errno 2] No such file or directory: '/zap/wrk/onfigfile'


And I use this command instead:

podman run -v /dest/folder/zap:/zap/wrk/:rw  owasp/zap2docker-stable zap-baseline.py -d -t https://securedhost.com/api/path/v1/ -z -configfile conf -r test-report.html

Thank you!!
Capture.PNG

thc...@gmail.com

Jun 30, 2022, 5:45:12 AM
to zaprox...@googlegroups.com
That documentation is for calling ZAP directly; with the packaged scans you need to use -z.

You still need to pass the args with the quotes:
-z "-configfile conf"


Best regards.

On 30/06/2022 10:36, Vanya Kashyap wrote:
> Thank you for the prompt response.
>
> I tried after removing the escapes and now the request is timing out with
> error in the attached file.
> Tried by putting the config inline and within a file named conf. The
> argument in bold as suggested by the documentation throws this error:
>
> podman run -v /dest/folder/zap:/zap/wrk/:rw owasp/zap2docker-stable
> zap-baseline.py -d -t https://securedhost.com/api/path/v1/ *-configfile
> conf* -r test-report.html
>
> So I use the above command instead and now the request simply times out:
>
> 2022-06-30 11:12:53,782 Using port: 55614
> Traceback (most recent call last):
>   File "/zap/zap-baseline.py", line 655, in <module>
>     main(sys.argv[1:])
>   File "/zap/zap-baseline.py", line 310, in main
>     with open(base_dir + config_file) as f:
> FileNotFoundError: [Errno 2] No such file or directory: '/zap/wrk/onfigfile'
>
> And I use this command instead:
>
> podman run -v /dest/folder/zap:/zap/wrk/:rw owasp/zap2docker-stable
> zap-baseline.py -d -t https://securedhost.com/api/path/v1/ *-z* *-configfile
> conf* -r test-report.html
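
As an added example that is not code from this thread or from the ZAP project, the script below puts the two replies together: it rewrites a "-config key=value -config ..." string (the form the original options.prop used) into the plain key=value lines a properties file needs, writes the two replacer rules for the Authorization and Accept headers in that form, checks the result for the two mistakes named in the first reply (a -config prefix and backslash escapes), and prints the podman command with the -z value quoted, since the traceback above shows what happens when it is not: zap-baseline.py reads the unquoted "-configfile conf" as its own "-c" option with the value "onfigfile". Assumptions: the file given to -configfile holds one key=value pair per line using the same keys -config takes, with values unquoted; the file lives in the host directory mounted at /zap/wrk and is referenced by its absolute path inside the container; ZAP_BEARER_TOKEN, accessTokenHere and the /dest/folder/zap default are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread or the ZAP project). Assumes a ZAP
# -configfile properties file is one key=value pair per line, using the same
# keys as the -config command-line option, with no "-config" prefix, no
# backslash escapes and no quoting of values.

# Convert a "-config key=value -config key=value ..." string into properties
# lines: drop the -config words, the backslash escapes in front of ( and ),
# and the shell-style double quotes around values.
config_args_to_properties() {
    printf '%s\n' "$1" | awk '
      {
        sub(/^[[:space:]]*-config[[:space:]]+/, "")
        n = split($0, parts, /[[:space:]]+-config[[:space:]]+/)
        for (i = 1; i <= n; i++) {
          line = parts[i]
          gsub(/\\/, "", line)             # remove backslash escapes
          gsub(/"/, "", line)              # remove double quotes
          sub(/[[:space:]]+$/, "", line)   # trim trailing whitespace
          if (line != "") print line
        }
      }'
}

# Write the two replacer rules from the question as a properties file.
# $1 = output path, $2 = token value placed after "Bearer ".
write_replacer_properties() {
    cat > "$1" <<EOF
replacer.full_list(0).description=Auth Header
replacer.full_list(0).enabled=true
replacer.full_list(0).matchtype=REQ_HEADER
replacer.full_list(0).matchstr=Authorization
replacer.full_list(0).regex=false
replacer.full_list(0).replacement=Bearer $2
replacer.full_list(1).description=Accept Header
replacer.full_list(1).enabled=true
replacer.full_list(1).matchtype=REQ_HEADER
replacer.full_list(1).matchstr=Accept
replacer.full_list(1).regex=false
replacer.full_list(1).replacement=application/json
EOF
}

# Check a properties file before mounting it into the container: every
# non-empty, non-comment line must be key=value, with no -config prefix and
# no backslashes. Returns 0 when the file is clean, 1 otherwise.
check_properties_file() {
    awk '
      /^[[:space:]]*(#|$)/ { next }
      /^[[:space:]]*-config/ { print "bad line (has -config): " $0; bad = 1; next }
      /\\/ { print "bad line (has backslash escape): " $0; bad = 1; next }
      $0 !~ /^[^=[:space:]]+=/ { print "bad line (not key=value): " $0; bad = 1 }
      END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Build the file in the host directory that is mounted at /zap/wrk and print
# the scan command. The quotes around the -z value are required so that
# zap-baseline.py hands "-configfile ..." on to ZAP instead of parsing it
# itself; the path is the absolute path inside the container.
demo() {
    work_dir="${1:-/dest/folder/zap}"                # placeholder host directory
    token="${ZAP_BEARER_TOKEN:-accessTokenHere}"     # placeholder token
    write_replacer_properties "$work_dir/options.prop" "$token"
    check_properties_file "$work_dir/options.prop" || return 1
    printf '%s\n' "podman run -v $work_dir:/zap/wrk/:rw owasp/zap2docker-stable zap-baseline.py -d -t https://securedhost.com/api/path/v1/ -z \"-configfile /zap/wrk/options.prop\" -r test-report.html"
}

# Usage: sh zap_replacer_config.sh demo /path/to/host/dir
if [ "${1:-}" = "demo" ]; then
    demo "${2:-}"
fi
```

The token is read from the environment rather than written into the script, and it ends up in options.prop inside the same mounted directory as the report, so that directory holds a live credential for as long as the file exists.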