ZAP API authenticated baseline scan - bearer token ignored


Volodymyr Molodets

Oct 26, 2023, 3:19:11 PM
to ZAP User Group
Hello,

I am trying to run a ZAP API passive scan using the latest docker image softwaresecurityproject/zap-stable:latest and passing an environment variable ZAP_AUTH_HEADER_VALUE with a bearer token, but it looks like it is simply ignored.

The full command executed on Windows 10 is below:

docker run -e ZAP_AUTH_HEADER_VALUE="Bearer $(token)" -v C:\Users\user1\Desktop\zap:/zap/wrk/:rw -it softwaresecurityproject/zap-stable:latest zap-api-scan.py -t https://api.dev.example.com/swagger/v1/swagger.json -f openapi -S -d

It does run, but if I check Application Insights in Azure - I see no authenticated requests with request response code 200.

If I run the same command omitting the parameter 'S', it runs significantly longer and I see lots of 200 entries in Application Insights.

Does it mean that the safe (baseline) scan does not account for the bearer token and simply runs a non-authenticated scan?

I've tried to find that in documentation, but had no luck.

Thank you.

Simon Bennetts

Oct 27, 2023, 4:53:29 AM
to ZAP User Group
ZAP always does what you tell it to, you just have to tell it in the right way :)

The baseline scan will use the ZAP_AUTH_HEADER_VALUE env var.

The very first thing I'd do is to make sure that your token is getting through to the command line.
Create an env var (e.g. called 'envtest') in the same way that you've created the 'token' above.
Then run like:

docker run -e ZAP_ENV_TEST="Test $(envtest)" -it softwaresecurityproject/zap-stable:latest env

Do you see the right value in ZAP_ENV_TEST?
If not then the problem is with the way you have set up your token.

If it looks ok then it's something else.
Note that authentication is hard :/
We have quite a bit of documentation on https://www.zaproxy.org/docs/authentication/

You have chosen to handle authentication yourself, so you have to get it exactly right.

Cheers,

Simon
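A pre-flight wrapper for the scan discussed above, added here as an example and not code from the thread or from the ZAP project: it refuses to start when ZAP_AUTH_HEADER_VALUE is empty, still holds an unexpanded placeholder such as $(...), or lacks the "Bearer " prefix, then runs the env check Simon describes before launching the scan. The image name, script name and flags are the ones used in the thread; the bind mount of the current directory and the --rm flag are assumptions.

```shell
# Added example (not from the thread or the ZAP project). An empty or
# unexpanded ZAP_AUTH_HEADER_VALUE makes the scan silently run unauthenticated,
# so validate it before starting a scan.
IMAGE="softwaresecurityproject/zap-stable:latest"   # image used in the thread

# check_auth_header VALUE -> returns 0 if usable, 1 with a reason on stderr
check_auth_header() {
    value="$1"
    case "$value" in
        "")
            echo "ZAP_AUTH_HEADER_VALUE is empty" >&2; return 1 ;;
        *'$('*|*'${'*)
            # e.g. a literal '$(token)' that the calling shell never expanded
            echo "ZAP_AUTH_HEADER_VALUE holds an unexpanded placeholder: $value" >&2; return 1 ;;
        "Bearer "?*)
            return 0 ;;
        *)
            echo "ZAP_AUTH_HEADER_VALUE does not look like 'Bearer <token>'" >&2; return 1 ;;
    esac
}

# run_api_scan TARGET_URL -> confirms the header reaches the container, then scans
run_api_scan() {
    target="$1"   # e.g. https://api.dev.example.com/swagger/v1/swagger.json
    check_auth_header "$ZAP_AUTH_HEADER_VALUE" || return 1
    # Same idea as the ZAP_ENV_TEST check: print the container's environment.
    docker run --rm -e ZAP_AUTH_HEADER_VALUE="$ZAP_AUTH_HEADER_VALUE" "$IMAGE" env \
        | grep -q '^ZAP_AUTH_HEADER_VALUE=Bearer ' \
        || { echo "header did not reach the container" >&2; return 1; }
    # Bind mount of the current directory is an assumption; adjust as needed.
    docker run --rm -e ZAP_AUTH_HEADER_VALUE="$ZAP_AUTH_HEADER_VALUE" \
        -v "$PWD:/zap/wrk/:rw" "$IMAGE" \
        zap-api-scan.py -t "$target" -f openapi -S -d
}
```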

Volodymyr Molodets

Oct 27, 2023, 8:25:56 AM
to ZAP User Group
I've just tried one more time to regenerate the bearer token and run the API baseline and active scans - and they were successful.

Not quite sure why it failed on previous attempts.

Thank you.