API Scanning support through OpenAPI


Rakshith Jr

Feb 11, 2023, 4:57:18 AM
to OWASP ZAP User Group
Hello All,
While importing an OpenAPI definition file, ZAP handles it through the form handler, which caused some issues for me, like the Authorization header taking "John Doe" even though it receives the authorization token from the login endpoint.

I am testing the "https://demo.testfire.net/swagger/properties.json" API, hence getting the responses below:

[attached screenshots: response.png, request.png]

Kindly help me with this.

Thanks and Regards,
Rakshith JR

ricekot

Feb 12, 2023, 2:05:35 AM
to OWASP ZAP User Group
Hello,

You must configure JSON-based authentication and enable forced-user mode for ZAP to be able to make authenticated requests.
Alternatively, you could also use a Replacer rule or an HttpSender script to inject an Authorization header into the requests made by ZAP.


Best regards,
Akshath
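The HttpSender route mentioned above, as an added example that is not code from this thread or from the ZAP project: a ZAP HttpSender script (JavaScript) that watches for the login response, remembers the token it returns, and sets the Authorization header on every later request ZAP sends to the target, replacing whatever placeholder the OpenAPI import put there. The target host comes from the thread; the login path, the JSON field that carries the token and the "Bearer" scheme are assumptions to adjust for your API. The `fakeMessage` stand-in at the bottom is constructed only so the script can be exercised outside ZAP; it is not part of what you load into ZAP.

```javascript
// ZAP HttpSender script (JavaScript). Added example for this thread, not code from
// the original posts or from the ZAP project. Assumptions: the target is
// demo.testfire.net (named in the thread); the login endpoint path, the JSON field
// holding the token and the "Bearer" scheme are assumed; adjust them to your API.
var TARGET_HOST = "demo.testfire.net";   // only touch requests to the app under test
var LOGIN_PATH = "/api/login";           // assumed login endpoint
var TOKEN_FIELD = "Authorization";       // assumed JSON field in the login response

// Script-level state: the last token seen. It lives as long as the script stays
// loaded; use ZAP's ScriptVars instead if it must survive reloads or be shared.
var token = null;

function getToken() { return token; }
function resetToken() { token = null; }

function isInScope(msg) {
  return String(msg.getRequestHeader().getHostName()) === TARGET_HOST;
}

function isLoginRequest(msg) {
  return String(msg.getRequestHeader().getURI().toString()).indexOf(LOGIN_PATH) !== -1;
}

// Called by ZAP before every request it sends (spider, scanner, manual, auth ...).
function sendingRequest(msg, initiator, helper) {
  if (!isInScope(msg) || isLoginRequest(msg) || token === null) {
    return; // out of scope, the login itself, or nothing captured yet
  }
  var value = token.indexOf("Bearer ") === 0 ? token : "Bearer " + token;
  // Overwrites whatever the OpenAPI import put there (e.g. the "John Doe" placeholder)
  msg.getRequestHeader().setHeader("Authorization", value);
}

// Called by ZAP after every response; capture the token from a successful login.
function responseReceived(msg, initiator, helper) {
  if (!isInScope(msg) || !isLoginRequest(msg)) return;
  if (msg.getResponseHeader().getStatusCode() !== 200) return; // failed login: keep old token
  var body;
  try {
    body = JSON.parse(String(msg.getResponseBody().toString()));
  } catch (e) {
    return; // not JSON, leave the old token in place
  }
  var value = body[TOKEN_FIELD];
  if (typeof value === "string" && value.length > 0) {
    token = value;
  }
}

// ---- Constructed stand-in for ZAP's HttpMessage, only for running this outside ZAP ----
function fakeMessage(host, path, status, body) {
  var headers = {};
  return {
    getRequestHeader: function () {
      return {
        getHostName: function () { return host; },
        getURI: function () { return { toString: function () { return "https://" + host + path; } }; },
        setHeader: function (name, value) { headers[name] = value; },
        getHeader: function (name) { return headers[name] || null; }
      };
    },
    getResponseHeader: function () { return { getStatusCode: function () { return status; } }; },
    getResponseBody: function () { return { toString: function () { return body; } }; }
  };
}

// Walk through a constructed login followed by an API call and return the header set.
function demo() {
  resetToken();
  var login = fakeMessage(TARGET_HOST, LOGIN_PATH, 200, JSON.stringify({ Authorization: "Bearer abc123" }));
  responseReceived(login, 0, null);
  var api = fakeMessage(TARGET_HOST, "/api/account/1", 0, "");
  sendingRequest(api, 0, null);
  return api.getRequestHeader().getHeader("Authorization");
}
```

Load it in the Scripts tab as an HTTP Sender script and enable it; the login request itself must then be sent once (by ZAP's authentication, or by hand) before the scanner runs, because the header is only set after a 200 from the login endpoint. This is a workaround, not session handling: it does not detect an expired token or log in again, which is what the JSON-based authentication plus forced-user mode setup gives you.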

Rakshith Jr

Feb 12, 2023, 5:02:24 AM
to OWASP ZAP User Group
Hello Akshath,
I tried using JSON-based authentication, but it didn't work. Can you connect with me, as this is kind of urgent for my work? You can mail me at "raksh...@gmail.com".

Thank you,
Rakshith J R

ricekot

Feb 12, 2023, 12:04:56 PM
to OWASP ZAP User Group
I would prefer keeping the discussion restricted to the user group since other people who run into similar issues may find the discussion helpful or chip in with their solutions.

Simon Bennetts

Feb 13, 2023, 5:20:48 AM
to OWASP ZAP User Group
Let us know the details of the problems you are having and we'll do our best to help.
FYI, there is work ongoing aimed at making ZAP authentication handling much easier to configure: https://www.zaproxy.org/blog/2023-01-19-authentication-help/

Cheers,

Simon