API testing using Postman collection and bearer token


Juan Alarcon Muñoz

May 22, 2025, 5:54:11 AM
to ZAP User Group
Hello everyone, I'm trying to test an OpenAPI REST API from a bank app using OWASP ZAP. My goal is to mix manual testing and an automated framework if possible.
I have 2 ways to export the API definition, using the openapi.yaml with Swagger or using a Postman collection directly. The problem comes with setting up the environment/context to be able to connect to the API, because I have to include the Authentication bearer token.
I tried several ways and always get 400 as I can't or don't have permission.

I tried using Replacer to add the header (following these steps):
  1. Go to Tools > Options > Replacer.

  2. Click Add to create a new replacement rule.

  3. Configure the rule as follows:

    • Description: Inject Bearer Token
    • Enabled: ✅
    • Match Type: Request Header
    • Match String: Authorization
    • Replacement String: Bearer YOUR_ACTUAL_TOKEN_HERE
    • Match Regex: ❌ (unchecked)
    • Initiators: Leave as default or select specific ones if needed.

Another way I tested is creating an HTTP Sender Script in ZAP to inject the Authorization header dynamically and enabling it, forcing a newly created user. This is the script:
// Replace with your actual token
var token = "Bearer YOUR_ACTUAL_TOKEN_HERE";

function sendingRequest(msg, initiator, helper) {
    msg.getRequestHeader().setHeader("Authorization", token);
}

function responseReceived(msg, initiator, helper) {
    // No changes needed here
}

I have read in some posts to use the env variables ZAP_AUTH_HEADER and ZAP_AUTH_HEADER_VALUE, but the problem is the token expires in 10 minutes and I have to refresh it manually every run.

Any tips, suggestions? I'm stuck here. I was able to test other API collections without the bearer token but not this one :(
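One way to handle the 10-minute expiry described above, as an added example that is not part of the original post or of ZAP itself: a small token provider that caches the bearer value and calls a caller-supplied refresh callback shortly before expiry, so an HTTP Sender script never injects a stale token. The `fetchFreshToken` callback, the 600-second lifetime and the 30-second margin are assumptions; the callback would wrap whatever the bank's token endpoint requires.

```javascript
// Added example: token provider for a ZAP HTTP Sender script.
// Caches a bearer token and refreshes it through a caller-supplied callback
// before it expires, instead of relying on a manually pasted value.

// refresh():     returns a fresh raw token string (assumed to call the
//                bank's token endpoint; supplied by the user, not shown here).
// ttlSeconds:    lifetime granted by the issuer (600 for the 10-minute token).
// marginSeconds: refresh this long before expiry so in-flight requests
//                are not rejected with a just-expired token.
// now():         clock in milliseconds, injectable for testing.
function makeTokenProvider(refresh, ttlSeconds, marginSeconds, now) {
  var clock = now || function () { return Date.now(); };
  var token = null;
  var expiresAt = 0;      // ms timestamp after which the token is treated as stale
  var refreshCount = 0;

  function isFresh() {
    return token !== null && clock() < expiresAt - marginSeconds * 1000;
  }

  return {
    // Returns "Bearer <token>", refreshing first if the cached value is stale.
    authorizationHeader: function () {
      if (!isFresh()) {
        token = refresh();
        expiresAt = clock() + ttlSeconds * 1000;
        refreshCount += 1;
      }
      return "Bearer " + token;
    },
    // Drop the cached token, e.g. after the API rejects it.
    invalidate: function () { token = null; expiresAt = 0; },
    refreshCount: function () { return refreshCount; }
  };
}

// Wiring into the HTTP Sender script from the post (fetchFreshToken is assumed):
// var provider = makeTokenProvider(fetchFreshToken, 600, 30);
// function sendingRequest(msg, initiator, helper) {
//   msg.getRequestHeader().setHeader("Authorization", provider.authorizationHeader());
// }
// function responseReceived(msg, initiator, helper) {
//   if (msg.getResponseHeader().getStatusCode() === 401) provider.invalidate();
// }
```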

Juan Alarcon Muñoz

May 22, 2025, 6:40:21 AM
to ZAP User Group
Just a few details more. The API needs to be run using a concrete proxy server (it is connecting to the bank, and in Postman, to be able to use it, I had to configure a custom proxy with authentication pointing there). Example: 'proxynexecution.XXXXX.es:8080'. So I have to use the same proxy in ZAP, right? Options > Network > HTTP Proxy

And I also have to be connected to the VPN to be able to connect using the proxy.

Could this be a problem with ZAP?

kingthorin+zap

May 22, 2025, 7:59:44 AM
to ZAP User Group
0) ZAP left OWASP almost two years ago 🙂
1) Are you able to access the target from a browser while proxying through ZAP? (If not then auth for the API is not your first problem 😉) [Yes, "Options > Network > HTTP Proxy" is the correct spot to set an outbound proxy.]
2) For all things authentication related I'd suggest starting here: https://www.zaproxy.org/docs/authentication/