ZAP Docker scan with Authorization header


roman romanenco

Jun 16, 2022, 8:09:18 PM
to OWASP ZAP User Group
Hi, I am trying to scan + spider an application that takes an authorization header as the authentication mechanism for its API calls. How/where do I define a config file to put in the following data:

replacer.full_list(0).description=auth1
replacer.full_list(0).enabled=true
replacer.full_list(0).matchtype=REQ_HEADER
replacer.full_list(0).matchstr=Authorization
replacer.full_list(0).regex=false
replacer.full_list(0).replacement=Bearer xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Once I define a config file with the above data, I'd like to scan the URL using my docker image with syntax like so: docker run -t owasp/zap2docker-stable zap-full-scan.py + whatever options go afterwards.

Could you help me understand where I define that data in a config file and then how to build the syntax to include it and scan my target?

thc...@gmail.com

Jun 17, 2022, 3:22:08 AM
to zaprox...@googlegroups.com
Hi.

You would use -z to pass the -configfile arg.
https://www.zaproxy.org/docs/docker/full-scan/#usage
https://www.zaproxy.org/docs/desktop/cmdline/#options

(You also need to mount the directory that contains the config file.)

Might be easier/faster with env vars though:
https://www.zaproxy.org/docs/authentication/handling-auth-yourself/#authentication-env-vars

Best regards.
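The two approaches from the reply above, written out as an added example (not code from either poster or from the ZAP project): the replacer rules go into a file in a host directory that is mounted at /zap/wrk, and that file is handed to ZAP through -z "-configfile ..."; the alternative passes the header through the ZAP_AUTH_HEADER_VALUE / ZAP_AUTH_HEADER_SITE variables described in the linked docs. The token is read from the environment (ZAP_TOKEN is an assumed name) so it does not end up in shell history, and the docker commands are only printed, not executed.

```shell
#!/usr/bin/env sh
# Added example: build a ZAP Docker full scan that injects an Authorization header.
set -eu

# write_replacer_config DIR TOKEN -> writes DIR/replacer.conf, prints its path.
write_replacer_config() {
  dir="$1"; token="$2"
  mkdir -p "$dir"
  cat > "$dir/replacer.conf" <<EOF
replacer.full_list(0).description=auth1
replacer.full_list(0).enabled=true
replacer.full_list(0).matchtype=REQ_HEADER
replacer.full_list(0).matchstr=Authorization
replacer.full_list(0).regex=false
replacer.full_list(0).replacement=Bearer $token
EOF
  printf '%s\n' "$dir/replacer.conf"
}

# build_scan_command DIR TARGET -> prints the -configfile variant.
# DIR is mounted at /zap/wrk, the directory zap-full-scan.py reads files from,
# so the path given to -configfile is the path inside the container.
build_scan_command() {
  dir="$1"; target="$2"
  printf 'docker run --rm -v %s:/zap/wrk/:rw -t owasp/zap2docker-stable zap-full-scan.py -t %s -z "-configfile /zap/wrk/replacer.conf"\n' \
    "$dir" "$target"
}

# build_env_command TARGET -> prints the env-var variant. "-e NAME" without a
# value forwards the variable from the host environment without echoing it.
build_env_command() {
  target="$1"
  printf 'docker run --rm -e ZAP_AUTH_HEADER_VALUE -e ZAP_AUTH_HEADER_SITE -t owasp/zap2docker-stable zap-full-scan.py -t %s\n' \
    "$target"
}

# count_rules FILE -> number of replacer.full_list lines (sanity check).
count_rules() {
  grep -c '^replacer\.full_list' "$1"
}

# Demo with a constructed placeholder token in a temp dir; nothing is scanned.
WORK="$(mktemp -d)"
CONF="$(write_replacer_config "$WORK" "${ZAP_TOKEN:-placeholder-token}")"
echo "rules written to $CONF: $(count_rules "$CONF")"
build_scan_command "$WORK" "https://example.com"
export ZAP_AUTH_HEADER_VALUE="Bearer ${ZAP_TOKEN:-placeholder-token}" ZAP_AUTH_HEADER_SITE="example.com"
build_env_command "https://example.com"
```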