OWASP ZAP 2.12.0 - ZAP_AUTH_HEADER_VALUE not being used


Porter Loring

Nov 29, 2022, 10:34:03 AM11/29/22
to OWASP ZAP User Group
Was just trying out the latest release 2.12.0 and noticed none of my authenticated scans using the automation framework (not using the docker image) are putting the environment variable value ZAP_AUTH_HEADER_VALUE into the Authorization header.
envvariable.png

After importing an OpenAPI definition and starting an active scan every request no longer has the Authorization Header:
request.png

Am I missing something with this release?

Alen Huskic

Feb 2, 2023, 8:59:23 AM2/2/23
to OWASP ZAP User Group
I am having the same issue. Any way to resolve it?

Simon Bennetts

Feb 2, 2023, 9:13:59 AM2/2/23
to OWASP ZAP User Group
Oops, looks like this one dropped through the net :(

I'm not aware of any issues.

What OS and version are you using?
Have you updated all of the ZAP add-ons?
Can you share the relevant fragments of the AF plan?
Was this working on 2.11?

Cheers,

Simon

Alen Huskic

Feb 2, 2023, 9:56:17 AM2/2/23
to OWASP ZAP User Group
Windows server 2016 (do not ask why :))
Yes, everything is updated.
Just a simple OpenAPI Automation scenario.

I just checked version 2.11 and on that version, the Authorization header is included. So yes, 2.11 is working. 2.12 not.
I also tried running ZAP as administrator and normal user and the behaviour is the same (2.11 working, 2.12 not working)

Br,
Alen

Simon Bennetts

Feb 2, 2023, 11:06:45 AM2/2/23
to OWASP ZAP User Group
Can you share the relevant fragments of the AF plan?

I'll look at this, but not sure when.
If I use a different config from you and it works then you'll still need to tell me what your configs are and I'll need to find another slot in order to try that out.
If I can try it with your config then we can shortcut that possibility :)

Cheers,

Simon

Alen Huskic

Feb 3, 2023, 2:12:20 AM2/3/23
to OWASP ZAP User Group
Here you go
I tried it with different settings and URLs. Always the same behaviour.

windows-test.yml

Alen Huskic

Feb 3, 2023, 2:34:12 AM2/3/23
to OWASP ZAP User Group
Just to inform you, I tried it now on weekly build 2023-01-31 and ZAP_AUTH_HEADER_VALUE is NOT located in HTTP requests.

Simon Bennetts

Feb 3, 2023, 5:21:48 AM2/3/23
to OWASP ZAP User Group
I'll look into this ASAP.

Cheers,

Simon

Simon Bennetts

Feb 3, 2023, 7:55:57 AM2/3/23
to OWASP ZAP User Group
I've just tried a simple test on Linux and it worked for me :/

Can you try running the following attached AF plan, which uses the attached script, in the same environment you are having the problem in?
You will need to update the plan to refer to the script's absolute path (PR #4379 will fix that ;)

Ugh, I've had to rename the JS file as Groups wouldn't let me add it :/

As you'll see the plan just makes a single request to www.example.com
The script then prints out the headers for all of the requests and then the ZAP_AUTH_HEADER_VALUE env var.

In my case it output:

Got History record id 2 URL=https://www.example.com
GET https://www.example.com HTTP/1.1
authorization: This is a test
Host: www.example.com


env var This is a test
Job script finished
Automation plan succeeded!


Cheers,

Simon


test.yaml
HeaderCheck.txt
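The check above reads the headers back out of ZAP's own history. An independent way to confirm whether the injected header actually leaves the process is to point the scan at a throwaway local target that records every request header it receives. The following is an added example, not code from the thread or from the ZAP project: a capture server on an ephemeral localhost port, a `verify_injection` helper that drives one client request at it and reports whether the expected header arrived, and a plain urllib client standing in for ZAP. Function names, the constructed default value "This is a test" and the `/probe` path are assumptions for illustration; in practice you would point a ZAP requestor job at the printed base URL while ZAP runs with ZAP_AUTH_HEADER_VALUE set, and compare what the target saw.

```python
"""Local header-capture target for checking that an auth header is injected.

Added example (hypothetical helper, not ZAP code). Starts a throwaway HTTP
server on 127.0.0.1, drives one request at it, and reports exactly which
headers arrived, so the check does not depend on the scanner's own history.
"""
import os
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.request import ProxyHandler, Request, build_opener


class CaptureHandler(BaseHTTPRequestHandler):
    """Records the headers of every GET request and answers 200 OK."""

    def do_GET(self):
        # Header names are case-insensitive, so normalise them to lower case.
        self.server.captured.append(
            {"path": self.path,
             "headers": {k.lower(): v for k, v in self.headers.items()}}
        )
        body = b"ok"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *_args):
        pass  # keep the default per-request stderr logging quiet


class CaptureServer(HTTPServer):
    """Throwaway server on an ephemeral localhost port with a shared request log."""

    def __init__(self):
        super().__init__(("127.0.0.1", 0), CaptureHandler)
        self.captured = []

    @property
    def base_url(self):
        return f"http://127.0.0.1:{self.server_port}"


def verify_injection(send_request, expected_value, header_name="Authorization"):
    """Run the capture target, drive one client request at it, and report.

    send_request(url) is whatever issues the request. Here a plain urllib call
    stands in for ZAP; in practice it would be a ZAP job pointed at url while
    ZAP runs with ZAP_AUTH_HEADER_VALUE set. The returned dict says how many
    requests arrived, whether header_name was present on any of them, and
    whether every request carried exactly expected_value.
    """
    server = CaptureServer()
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    try:
        send_request(server.base_url + "/probe")  # hypothetical probe path
    finally:
        server.shutdown()
        server.server_close()
        thread.join(timeout=5)
    name = header_name.lower()
    values = [req["headers"].get(name) for req in server.captured]
    return {
        "requests": len(server.captured),
        "header_present": any(v is not None for v in values),
        "header_matches": bool(values) and all(v == expected_value for v in values),
        "values": values,
    }


def plain_client(url, auth_value=None, header_name="Authorization"):
    """Stand-in client: a single GET, optionally carrying the auth header.

    Proxy environment variables are bypassed so the probe goes straight to
    the local target instead of through an intercepting proxy.
    """
    headers = {header_name: auth_value} if auth_value is not None else {}
    opener = build_opener(ProxyHandler({}))
    with opener.open(Request(url, headers=headers), timeout=5) as resp:
        return resp.read()


if __name__ == "__main__":
    # Constructed default; ZAP_AUTH_HEADER_VALUE is honoured if it is set.
    expected = os.environ.get("ZAP_AUTH_HEADER_VALUE", "This is a test")
    print("with header:   ", verify_injection(lambda u: plain_client(u, expected), expected))
    print("without header:", verify_injection(lambda u: plain_client(u), expected))
```

Running it with the header set reports `header_present` and `header_matches` as true; the second call shows what the "missing Authorization header" symptom from this thread looks like from the target's side. Pass a different `header_name` if the header being injected is not `Authorization`.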

Alen Huskic

Feb 3, 2023, 8:14:14 AM2/3/23
to OWASP ZAP User Group
Here are the results.
In the header there is no authorization, but the env var has been read by the script. (I obfuscated the token.)
test-results.png

Simon Bennetts

Feb 3, 2023, 12:47:58 PM2/3/23
to OWASP ZAP User Group
Was that when running in the Desktop GUI?
I was testing on the command line where it works fine.
However it appears that there is a bug when the plan is run from the ZAP Desktop.
We'll look at that asap.
Can you confirm if it works when running the same plan from the command line?
You can do that using the ZAP command line options "-cmd -autorun test.yaml"
You may need to specify the full plan path on the command line.

Many thanks,

Simon

Alen Huskic

Feb 6, 2023, 2:30:56 AM2/6/23
to OWASP ZAP User Group
Yes, all my testing was done on Desktop GUI.
From CLI it works, so there is some bug in ZAP Desktop.

Br,
Alen

Simon Bennetts

Feb 6, 2023, 4:02:14 AM2/6/23
to OWASP ZAP User Group
Yep, we're looking at fixing this asap!

Cheers,

Simon

Simon Bennetts

Feb 7, 2023, 4:05:10 AM2/7/23
to OWASP ZAP User Group
This issue has been fixed in the latest version of the Automation Framework add-on: https://www.zaproxy.org/docs/desktop/addons/automation-framework/
Update that and it should now work correctly.

Cheers,

Simon

Alen Huskic

Feb 7, 2023, 5:50:37 AM2/7/23
to OWASP ZAP User Group
Nice :)
Thanks for resolving the issue so fast.
