API Scanning using ZAP Automation Framework


Anubhav Sharma

Jul 19, 2022, 5:19:43 AM7/19/22
to zaprox...@googlegroups.com
Hi All,

I am currently working on enabling API security scanning using the ZAP Automation Framework.

I am trying to find solutions to the problems below:

1) How to run a full API scan where the API has a custom authorisation token in the headers?

2) If I want to add extra test cases for my API, then where should I mention those test cases in my plan file?

3) In the case of authorisation, how can I tell the ZAP Automation Framework for which API to add the auth header and for which API not to add the header in the request?

Kindly provide suggestions, as I have been struggling for a long time because of these blockers.

Regards,

Anubhav Sharma

janik D

Jul 19, 2022, 8:18:13 AM7/19/22
to OWASP ZAP User Group
Hey Anubhav Sharma,

For question 1, the API has good documentation on authentication, and you can create a script to add custom Authorisation headers: https://www.zaproxy.org/docs/api/#getting-authenticated
The easiest way, I would say, is to create a Zest script in the ZAP GUI and then use this script in the API scan.
The other parts I don't know enough about to answer.
Regards,
Janik

thc...@gmail.com

Jul 19, 2022, 8:44:57 AM7/19/22
to zaprox...@googlegroups.com
See also:
https://www.zaproxy.org/docs/authentication/

which might be as simple as passing env vars, if you already have the
authorisation token.

2) Define test cases, do you mean other endpoints? You can use more jobs
to request/import those endpoints.

3) Custom context(s) which include/exclude some URLs:
https://www.zaproxy.org/docs/desktop/addons/automation-framework/environment/

Best regards.

sonawan...@gmail.com

Jul 20, 2022, 3:22:10 AM7/20/22
to OWASP ZAP User Group
Hello

I am also having the same query and somehow I am not able to understand its resolution via the documentation :( (my bad)

I will try to explain my query, which is the same as Anubhav Sharma's:

1) I have one API -- https://xyz.com/abcd_expectations/ -- and it expects MyapiKey = 1234567890 as API Key authentication (in the Postman software I am setting this as API Key Authentication and it works)

2) so I tried to use the setAuthenticationMethod API and supplied arguments like below
  • contextId=1&authMethodName=manualAuthentication&authMethodConfigParams=loginUrl%3Dhttps%3A%2F%2Fxyz.com%2Fabcd_expectations%2F%26loginRequestData%3DMyapiKey%3D%7B%251234567890%25%7D
3) but when I tried to cross-check the above using 

I am getting a blank response - {"methodConfigParams":[]}

4) also these settings are not working further on, and when I tried to attack, the tool says: Failed to attack url : received 401 response code

So can you please help me understand where I went wrong

sonawan...@gmail.com

Jul 20, 2022, 10:20:03 AM7/20/22
to OWASP ZAP User Group
Hello

I guess I was trying in the wrong direction.

I found the solution (posting just in case someone needs it).

Instead of any other method, simply try the community HTTP Sender script add-extra-headers.js

or, in my case, I used a customized version of it as per my requirement:
  1. set the API key as a global variable using setGlobalVar
  2. then, in the HTTP Sender script, read it back using getGlobalVar
  3. add this value to the header using msg.getRequestHeader().setHeader('apikey', apikey);
This worked for me :)
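The script described in the post above, written out as an added example (this is not the community add-extra-headers.js and not ZAP project code). It also answers question 3 from the opening post, which endpoints get the header and which do not, by only touching requests whose URL matches an explicit allow-list, and it falls back to an environment variable as thc suggested. The header name 'apikey', the global-variable name 'apikey', the env var MY_API_KEY and the 'public/' sub-path are placeholders chosen for this example, not values from ZAP or from the thread. In ZAP, save it as an HTTP Sender script in the Scripts tree and enable it; the same file runs under Node (the fake message builder at the bottom exists only for that) so the matching logic can be checked before a scan.

```javascript
// Added example (not the community add-extra-headers.js and not ZAP project code):
// a ZAP HTTP Sender script that adds an API-key header only to requests whose
// URL is in an explicit allow-list, reading the key from a ZAP global variable
// (as in the post above) with an environment-variable fallback.
//
// Labelled assumptions: the header name 'apikey', the global-variable name
// 'apikey', the env var name 'MY_API_KEY' and the 'public/' sub-path are
// placeholders chosen for this example, not values from ZAP or the thread.

// Inside ZAP the script engine exposes Java.type(); outside ZAP (e.g. running
// this file under Node to check the matching logic) fall back to a plain map.
var ScriptVars = (typeof Java !== 'undefined')
  ? Java.type('org.zaproxy.zap.extension.script.ScriptVars')
  : (function () {
      var store = {};
      return {
        setGlobalVar: function (k, v) { store[k] = v; },
        getGlobalVar: function (k) { return Object.prototype.hasOwnProperty.call(store, k) ? store[k] : null; }
      };
    })();

var log = (typeof print === 'function') ? print : console.log;

var HEADER_NAME = 'apikey';      // assumption: header the target API expects
var GLOBAL_VAR  = 'apikey';      // assumption: ZAP global var holding the key
var ENV_VAR     = 'MY_API_KEY';  // assumption: env var fallback (ZAP inherits the shell env)

// Question 3 in the thread: which requests get the header and which do not.
// Only URLs matching AUTH_REQUIRED and not matching AUTH_EXEMPT are touched,
// so the key is never sent to third-party hosts the scanner may follow.
var AUTH_REQUIRED = [
  /^https:\/\/xyz\.com\/abcd_expectations\//              // the API from the thread
];
var AUTH_EXEMPT = [
  /^https:\/\/xyz\.com\/abcd_expectations\/public\//      // assumption: an unauthenticated sub-path
];

function needsAuth(url) {
  for (var i = 0; i < AUTH_EXEMPT.length; i++) {
    if (AUTH_EXEMPT[i].test(url)) { return false; }
  }
  for (var j = 0; j < AUTH_REQUIRED.length; j++) {
    if (AUTH_REQUIRED[j].test(url)) { return true; }
  }
  return false;
}

function lookupKey() {
  var key = ScriptVars.getGlobalVar(GLOBAL_VAR);
  if (key) { return String(key); }
  if (typeof Java !== 'undefined') {
    return Java.type('java.lang.System').getenv(ENV_VAR);   // null if unset
  }
  if (typeof process !== 'undefined' && process.env) {
    return process.env[ENV_VAR] || null;
  }
  return null;
}

// ZAP calls this for every outgoing request (proxy, spider, active scan, ...).
function sendingRequest(msg, initiator, helper) {
  var url = msg.getRequestHeader().getURI().toString();
  if (!needsAuth(url)) { return; }
  var key = lookupKey();
  if (!key) {
    // Say so explicitly: the 401s in the thread came from exactly this situation.
    log('No API key available (' + GLOBAL_VAR + ' / ' + ENV_VAR + '); sending ' + url + ' unauthenticated');
    return;
  }
  msg.getRequestHeader().setHeader(HEADER_NAME, key);
}

function responseReceived(msg, initiator, helper) {
  // A 401 on an in-scope URL means the key was rejected, not that it was missing.
  var url = msg.getRequestHeader().getURI().toString();
  if (needsAuth(url) && msg.getResponseHeader().getStatusCode() === 401) {
    log('401 from ' + url + ' although ' + HEADER_NAME + ' was set; check the key value');
  }
}

// Minimal stand-in for org.parosproxy.paros.network.HttpMessage, used only
// when exercising the script outside ZAP.
function makeFakeMessage(url, status) {
  var headers = {};
  var req = {
    getURI: function () { return { toString: function () { return url; } }; },
    setHeader: function (name, value) { headers[name] = value; },
    getHeader: function (name) { return Object.prototype.hasOwnProperty.call(headers, name) ? headers[name] : null; }
  };
  var res = { getStatusCode: function () { return status || 200; } };
  return { getRequestHeader: function () { return req; }, getResponseHeader: function () { return res; } };
}
```

The allow-list is the part worth keeping even if the rest is replaced: a blanket "add header to everything" script will send the key to every host the spider or scanner reaches, including third-party ones linked from the API's responses. The global variable can be set from a separate stand-alone script with ScriptVars.setGlobalVar, exactly as the post describes, so the key never has to be written into the sender script itself.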

Simon Bennetts

Jul 20, 2022, 10:21:26 AM7/20/22
to OWASP ZAP User Group
Thanks for letting us know!