zap-api-scan.py with custom request headers not working


Abhijith Ganekal

Jan 11, 2023, 8:16:52 AM
to OWASP ZAP User Group
Hi,

I am trying to run zap-api-scan.py and I need to add a couple of request headers to all requests.

Command:
docker run -v $(pwd):/zap/wrk/:rw -t owasp/zap2docker-weekly zap-api-scan.py -t <API URL> -f openapi -z "-configfile /zap/wrk/options.prop"  -r api-active-scan-report.html

where the prop file has
  -config replacer.full_list\\(0\\).description=auth1 \  
  -config replacer.full_list\\(0\\).enabled=true \  
  -config replacer.full_list\\(0\\).matchtype=REQ_HEADER \  
  -config replacer.full_list\\(0\\).matchstr=Authorization \  
  -config replacer.full_list\\(0\\).regex=false \  
  -config replacer.full_list\\(0\\).replacement=<token> \  
  -config replacer.full_list\\(1\\).description=auth2 \  
  -config replacer.full_list\\(1\\).enabled=true \  
  -config replacer.full_list\\(1\\).matchtype=REQ_HEADER \  
  -config replacer.full_list\\(1\\).matchstr=x-api-key \  
  -config replacer.full_list\\(1\\).regex=false \  
  -config replacer.full_list\\(1\\).replacement=<value> 

Thanks in advance,
Abhijith

Simon Bennetts

Jan 11, 2023, 8:53:34 AM
to OWASP ZAP User Group
Hi Abhijith,

Your config file should not contain the "-config " parts or the backslashes.
I'd recommend testing your config file using the ZAP desktop first before trying it out in a packaged scan.

Cheers,

Simon

Abhijith Ganekal

Jan 11, 2023, 3:24:06 PM
to OWASP ZAP User Group

Thank you for the quick answer.

I still face the same issue even after removing the config and slash.

replacer.full_list(0).description=Authorization
replacer.full_list(0).enabled=true
replacer.full_list(0).matchtype=REQ_HEADER
replacer.full_list(0).matchstr=Authorization
replacer.full_list(0).regex=false
replacer.full_list(0).replacement=<Token>
replacer.full_list(1).description=x-api-key
replacer.full_list(1).enabled=true
replacer.full_list(1).matchtype=REQ_HEADER
replacer.full_list(1).matchstr=x-api-key
replacer.full_list(1).regex=false
replacer.full_list(1).replacement=<Value>
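The mistakes discussed in this thread (shell "-config" prefixes and continuation backslashes copied into the config file, escaped parentheses, two keys run together on one line, and placeholder values never filled in) are all things a quick lint of the options file would catch before a packaged scan is launched. The following checker is an added example for this thread; it is not part of zap-api-scan.py or of ZAP. It assumes the six replacer.full_list(N).* fields shown above are the set every rule needs, and it treats an angle-bracketed value such as <token> as an unfilled placeholder, which is a convention of this example rather than a ZAP rule.

```python
"""Lint a ZAP -configfile properties file before handing it to zap-api-scan.py.

Added example for the thread above; not part of ZAP or zap-api-scan.py.
Assumptions: the six replacer.full_list(N).* fields seen in the thread are the
required set for a rule, and a value like <token> is an unfilled placeholder.
"""
import re
from collections import defaultdict

# Fields every replacer rule in the thread carries (assumed required here).
REQUIRED_KEYS = {"description", "enabled", "matchtype", "matchstr", "regex", "replacement"}

RULE_KEY = re.compile(r"^replacer\.full_list\((\d+)\)\.(\w+)$")
PLACEHOLDER = re.compile(r"<[^>]*>")


def lint_configfile(text):
    """Return a list of (line_no, message) problems; an empty list means the file looks usable."""
    problems = []
    rules = defaultdict(dict)
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#!":
            continue  # blank or comment line
        if line.startswith("-config"):
            problems.append((n, "line starts with '-config': the config file takes bare key=value lines"))
            line = line[len("-config"):].strip()
        if line.endswith("\\"):
            problems.append((n, "trailing backslash: shell continuation does not belong in the config file"))
            line = line[:-1].rstrip()
        if "\\(" in line or "\\)" in line:
            problems.append((n, "escaped parentheses: write full_list(0), not full_list\\(0\\)"))
            line = re.sub(r"\\+\(", "(", line)
            line = re.sub(r"\\+\)", ")", line)
        if line.count("replacer.full_list(") > 1:
            problems.append((n, "two keys on one line: split them onto separate lines"))
            continue
        if "=" not in line:
            problems.append((n, "not a key=value line"))
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        m = RULE_KEY.match(key)
        if not m:
            continue  # some other ZAP option; not checked by this example
        idx, field = int(m.group(1)), m.group(2)
        if PLACEHOLDER.fullmatch(value):
            problems.append((n, f"'{field}' still holds the placeholder {value}"))
        rules[idx][field] = value
    for idx in sorted(rules):
        missing = REQUIRED_KEYS - set(rules[idx])
        if missing:
            problems.append((0, f"rule {idx} is missing: {', '.join(sorted(missing))}"))
    return problems


# Constructed sample: the first version from the thread, with shell syntax left in.
SAMPLE_WRONG = r"""-config replacer.full_list\\(0\\).description=auth1 \
-config replacer.full_list\\(0\\).enabled=true \
-config replacer.full_list\\(0\\).matchtype=REQ_HEADER \
-config replacer.full_list\\(0\\).matchstr=Authorization \
-config replacer.full_list\\(0\\).regex=false \
-config replacer.full_list\\(0\\).replacement=<token>
"""

# Constructed sample: matchstr and regex run together on one line.
SAMPLE_FUSED = """\
replacer.full_list(0).description=Authorization
replacer.full_list(0).enabled=true
replacer.full_list(0).matchtype=REQ_HEADER
replacer.full_list(0).matchstr=Authorization replacer.full_list(0).regex=false
replacer.full_list(0).replacement=example-token-value
"""

# Constructed sample: one complete, cleanly written rule.
SAMPLE_OK = """\
replacer.full_list(0).description=auth1
replacer.full_list(0).enabled=true
replacer.full_list(0).matchtype=REQ_HEADER
replacer.full_list(0).matchstr=Authorization
replacer.full_list(0).regex=false
replacer.full_list(0).replacement=Bearer example-token-value
"""

if __name__ == "__main__":
    for name, sample in (("wrong", SAMPLE_WRONG), ("fused", SAMPLE_FUSED), ("ok", SAMPLE_OK)):
        print(name)
        for line_no, msg in lint_configfile(sample) or [(0, "no problems found")]:
            print(f"  line {line_no}: {msg}")
```

Run it against /zap/wrk/options.prop before starting the container; a clean result does not prove the headers reach the target, which is what the ZAP desktop test suggested in this thread confirms, but it rules out the copy-and-paste mistakes that produce a silently ignored config file.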

Simon Bennetts

Jan 12, 2023, 5:21:30 AM
to OWASP ZAP User Group
Can you try this out in the ZAP desktop, to see if the config file is having the right effect?