Automation: Authenticated API scanning with Bearer token


j2 c

Jul 10, 2023, 3:22:59 PM
to OWASP ZAP User Group
Hello

I do apologize if this is a redundant question.  I want to automate authenticated API scanning with headless ZAP.

There is a login API where I get the OAuth2 Authorization token.  I need to put that value in the Authorization header of the API request for headless ZAP for authenticated scanning.  How can I do that?

[Attachment: Screenshot 2023-07-10 at 3.20.08 PM.png]

psiinon

Jul 11, 2023, 3:39:14 AM
to zaprox...@googlegroups.com
We have various options - see https://www.zaproxy.org/docs/authentication/

If you have a login page then we have another option, but I'm guessing that as this is an API you might not have one?

Cheers,

Simon

To view this discussion on the web visit https://groups.google.com/d/msgid/zaproxy-users/85feeb24-5a23-4bd1-98a8-1f18e8f9ea69n%40googlegroups.com.


--
OWASP ZAP Project leader
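One of the options on the linked docs page is to have ZAP's Replacer add-on overwrite the Authorization header on every request it sends. The script below, added here as an example (it is not code from the thread, from Simon, or from the ZAP project), fetches the token from the login API, then either registers a Replacer rule through the ZAP API on a running daemon or builds the equivalent `-config` overrides for starting `zap.sh` with the rule preloaded. The login URL, the `access_token` field name, the ZAP address and the API key are assumptions; change them to match your environment.

```python
"""Inject a Bearer token into every ZAP request via the Replacer add-on.

Added example, not from the original thread or the ZAP project.
Assumed (hypothetical) values, override via environment variables:
  LOGIN_URL    login API returning the OAuth2 token as JSON
  TOKEN_FIELD  JSON field holding the token ("access_token" assumed)
  ZAP_BASE     ZAP daemon API endpoint, default http://localhost:8080
  ZAP_API_KEY  the daemon's API key (-config api.key=... when started)
"""
import json
import os
import urllib.parse
import urllib.request
from typing import Optional

LOGIN_URL = os.environ.get("LOGIN_URL", "https://api.example.test/login")  # assumed
TOKEN_FIELD = os.environ.get("TOKEN_FIELD", "access_token")               # assumed
ZAP_BASE = os.environ.get("ZAP_BASE", "http://localhost:8080")            # assumed
ZAP_API_KEY = os.environ.get("ZAP_API_KEY", "")


def extract_bearer_token(body: bytes, field: str = TOKEN_FIELD) -> str:
    """Pull the token out of the login API's JSON body.

    Raises instead of returning "" so a pipeline never continues with an
    empty header and silently runs an unauthenticated scan.
    """
    data = json.loads(body)
    token = data.get(field)
    if not isinstance(token, str) or not token.strip():
        raise ValueError(f"login response has no usable {field!r} field")
    return token.strip()


def replacer_rule_params(token: str, api_key: str, description: str = "bearer-auth",
                         site: Optional[str] = None) -> dict:
    """Query parameters for ZAP's replacer/action/addRule API call.

    matchType REQ_HEADER sets (adding if absent) the named request header on
    every request ZAP proxies or generates, spider and active scan included.
    """
    params = {
        "apikey": api_key,
        "description": description,
        "enabled": "true",
        "matchType": "REQ_HEADER",
        "matchRegex": "false",
        "matchString": "Authorization",
        "replacement": f"Bearer {token}",
        "initiators": "",  # empty = apply to all initiators
    }
    if site:
        # Limit the rule to the target (regex); keeps the token from being
        # sent to third-party hosts the scan may reach. Needs a Replacer
        # version that supports the url parameter.
        params["url"] = site
    return params


def add_replacer_rule(zap_base: str, params: dict) -> dict:
    """Register the rule on a running ZAP daemon; returns the JSON reply."""
    url = f"{zap_base}/JSON/replacer/action/addRule/?" + urllib.parse.urlencode(params)
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)


def zap_daemon_config_args(token: str, index: int = 0) -> list:
    """The same rule as -config overrides for zap.sh/zap.bat -daemon, for
    pipelines that prefer to preload the rule instead of calling the API."""
    prefix = f"replacer.full_list({index})"
    return [
        "-config", f"{prefix}.description=bearer-auth",
        "-config", f"{prefix}.enabled=true",
        "-config", f"{prefix}.matchtype=REQ_HEADER",
        "-config", f"{prefix}.matchstr=Authorization",
        "-config", f"{prefix}.regex=false",
        "-config", f"{prefix}.replacement=Bearer {token}",
    ]


def main() -> None:
    # Assumed login request shape: JSON body with username/password.
    creds = json.dumps({"username": os.environ.get("SCAN_USER", "scanner"),
                        "password": os.environ.get("SCAN_PASS", "")}).encode()
    req = urllib.request.Request(LOGIN_URL, data=creds,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        token = extract_bearer_token(resp.read())
    reply = add_replacer_rule(ZAP_BASE, replacer_rule_params(token, ZAP_API_KEY))
    print("replacer rule added:", reply)
    print("or start the daemon with:", " ".join(zap_daemon_config_args(token)))


if __name__ == "__main__":
    main()
```

Two things to check in practice: the token's lifetime, since a long active scan can outlive it and the remaining requests then run unauthenticated (watch for a sudden run of 401s in the ZAP history), and the scope of the rule, because an unrestricted header replacement sends the token to every host ZAP contacts. The docs page Simon links also describes setting the header through the `ZAP_AUTH_HEADER_VALUE` environment variable, which is the quickest route for the packaged Docker scans.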

j2 c

Jul 11, 2023, 11:41:19 AM
to OWASP ZAP User Group
I found this thread to be very helpful. @Simon, thank you for responding.