Using OAuth2.0 with zap-api-scan.py


David Rosales

Oct 19, 2020, 2:22:39 PM
to OWASP ZAP User Group
Hi, I am trying to scan endpoints with zap-api-scan.py. I'm able to scan endpoints not requiring authentication fine but I'm having trouble with authenticating. How do I go about authentication with bearer tokens with this script?

Simon Bennetts

Oct 20, 2020, 4:19:10 AM
to OWASP ZAP User Group
What do you need to do with the tokens?
Send them as headers with each request or ??

David Rosales

Oct 20, 2020, 8:50:52 AM
to OWASP ZAP User Group
Yes, I'm needing to send them as request headers. The header would be Authorization: Bearer <token>.

Eric W

Oct 20, 2020, 10:58:02 AM
to OWASP ZAP User Group

David Rosales

Oct 20, 2020, 12:01:43 PM
to OWASP ZAP User Group
Thanks Eric,

I was able to authenticate using

zap-api-scan.py -t yaml -f openapi -z "-config replacer.full_list\\(0\\).description=auth2 \ -config replacer.full_list\\(0\\).enabled=true \ -config replacer.full_list\\(0\\).matchtype=REQ_HEADER \ -config replacer.full_list\\(0\\).matchstr=Authorization \ -config replacer.full_list\\(0\\).regex=false \ -config replacer.full_list\\(0\\).replacement='Bearer token'"

I was able to add this to a config file and run using the -configfile option as well. However, I get an inconsistent error sometimes

[Fatal Error] config.xml:1:1: Premature end of file.
[Fatal Error] config.xml:1:1: Premature end of file.
Failed to load/upgrade config file:
org.apache.commons.configuration.ConfigurationException: Error parsing file:/home/zap/.ZAP/config.xml
at org.apache.commons.configuration.XMLConfiguration.load(XMLConfiguration.java:1014)
at org.apache.commons.configuration.XMLConfiguration.load(XMLConfiguration.java:972)
at org.zaproxy.zap.utils.ZapXmlConfiguration.load(ZapXmlConfiguration.java:181)
at org.apache.commons.configuration.XMLConfiguration$XMLFileConfigurationDelegate.load(XMLConfiguration.java:1647)
at org.apache.commons.configuration.AbstractFileConfiguration.load(AbstractFileConfiguration.java:324)
at org.apache.commons.configuration.AbstractFileConfiguration.load(AbstractFileConfiguration.java:261)
at org.apache.commons.configuration.AbstractFileConfiguration.load(AbstractFileConfiguration.java:238)
at org.apache.commons.configuration.AbstractHierarchicalFileConfiguration.load(AbstractHierarchicalFileConfiguration.java:184)
at org.zaproxy.zap.utils.ZapXmlConfiguration.<init>(ZapXmlConfiguration.java:83)
at org.parosproxy.paros.Constant.initializeFilesAndDirectories(Constant.java:602)
at org.parosproxy.paros.Constant.<init>(Constant.java:385)
at org.parosproxy.paros.Constant.createInstance(Constant.java:1189)
at org.parosproxy.paros.Constant.getInstance(Constant.java:1181)
at org.zaproxy.zap.ZapBootstrap.start(ZapBootstrap.java:76)
at org.zaproxy.zap.DaemonBootstrap.start(DaemonBootstrap.java:47)
at org.zaproxy.zap.ZAP.main(ZAP.java:123)
Caused by: org.xml.sax.SAXParseException; systemId: file:/home/zap/.ZAP/config.xml; lineNumber: 1; columnNumber: 1; Premature end of file.
at com.sun.org.apache.xerces.internal.parsers.DOMParser.parse(DOMParser.java:257)
at com.sun.org.apache.xerces.internal.jaxp.DocumentBuilderImpl.parse(DocumentBuilderImpl.java:339)
at org.apache.commons.configuration.XMLConfiguration.load(XMLConfiguration.java:1006)
... 15 more

Might there be an issue with how I'm passing my parameters? Thanks in advance.

Eric W

Oct 20, 2020, 12:32:30 PM
to OWASP ZAP User Group
Hi David,

From the stack trace, it would seem that the config file is somehow corrupted. Are you using Docker? Have you gotten this to work on the desktop?
Another comment is that I would go with the config file, as it's more readable, rather than having everything on the command line.

You might also want to check out this script that was written by another user using the same approach as you. It might give you some ideas too.

Best Regards,
Eric W.
https://augment1security.com
Twitter: @aug1sec


Simon Bennetts

Oct 20, 2020, 12:54:32 PM
to OWASP ZAP User Group
The replacer is the currently recommended way to go.
However, it can be a bit tricky to get the syntax right, so I'm wondering if we could provide a more user friendly solution.
My initial thought is an http_sender script which tries to read an environment variable (ZAP_AUTH_HEADER?) - if it's present then it would inject this as a header in all requests.
So all you would need to do is set the right env var and then it should 'just work'.
I'll have a play with that, but if anyone has any other ideas then please share them here :)

Cheers,

Simon
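The http_sender script Simon sketches, written out as an added example (not code from the thread or from the ZAP project): it reads ZAP_AUTH_HEADER and sets it as the Authorization value on every request ZAP sends. The optional ZAP_AUTH_HEADER_SITE variable, which limits injection to one host so the bearer token is not forwarded to third-party domains the target references, is my own addition and an assumption; applyAuthHeader takes a lookup function so the logic can be exercised outside ZAP.

```javascript
// ZAP http_sender script (added example, not ZAP's own code).
// Assumes ZAP_AUTH_HEADER holds the full header value, e.g. "Bearer <token>",
// and (optionally) ZAP_AUTH_HEADER_SITE holds the only host allowed to receive it.

// Read an environment variable under ZAP's script engine (Java interop) or,
// when run under Node for testing, from process.env.
function getEnv(name) {
  if (typeof Java !== 'undefined') {
    return Java.type('java.lang.System').getenv(name);
  }
  if (typeof process !== 'undefined' && process.env[name] !== undefined) {
    return process.env[name];
  }
  return null;
}

// Set the Authorization header on `msg` when the environment asks for it.
// `lookup` maps a variable name to its value (or null), so tests can pass a
// constructed environment. Returns true when a header was injected.
function applyAuthHeader(msg, lookup) {
  var value = lookup('ZAP_AUTH_HEADER');
  if (!value) {
    return false; // nothing configured: leave the request untouched
  }
  var site = lookup('ZAP_AUTH_HEADER_SITE');
  var host = msg.getRequestHeader().getHostName();
  // Only the host under test gets the credential; other hosts are skipped.
  if (site && host !== site) {
    return false;
  }
  msg.getRequestHeader().setHeader('Authorization', value);
  return true;
}

// Callbacks ZAP invokes for an http_sender script.
function sendingRequest(msg, initiator, helper) {
  applyAuthHeader(msg, getEnv);
}

function responseReceived(msg, initiator, helper) {
  // Nothing to do on the response side.
}
```

Under ZAP, save this as an http_sender script and enable it; with ZAP_AUTH_HEADER exported in the environment the scan runs in, no replacer syntax is needed.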