CORS Header for API


Yannik Inniger

Mar 22, 2018, 8:56:08 AM3/22/18
to OWASP ZAP User Group
Hi,

I'm trying to access ZAP with the API in a single page app. My problem is that the Access-Control-Allow-Origin header is missing in the responses.
I tried to add it by using the replacer but I couldn't make it work. Where can I set the header?

Simon Bennetts

Mar 22, 2018, 9:00:26 AM3/22/18
to OWASP ZAP User Group

Yannik Inniger

Mar 22, 2018, 9:20:36 AM3/22/18
to OWASP ZAP User Group
Thanks Simon for the quick response, but it's not exactly what I was looking for. I don't want to scan an API, I'm using the local ZAP API to trigger actions.
So I would need to add the Access-Control-Allow-Origin header to the responses from the ZAP client API.
e.g. I send a request to
http://localhost:8080/JSON/ascan/action/scan/...
And the response should include the mentioned header. I couldn't find this option in any of the settings.

Regards,
Yannik

Simon Bennetts

Mar 22, 2018, 9:31:56 AM3/22/18
to OWASP ZAP User Group
Ah, my bad.
In that case no, we don't currently support that, but I can see why it would be useful.
I've just raised an issue for this: https://github.com/zaproxy/zaproxy/issues/4529
Feel free to comment either here or on that issue.
Out of interest, can you share a bit more about what you're doing? It sounds very interesting :)

Cheers,

Simon

Yannik Inniger

Mar 22, 2018, 9:52:42 AM3/22/18
to OWASP ZAP User Group
Thanks, then I will set up my own proxy which adds the header.

Sure, I'm building something like a security self service for the developers in my company. The idea is that they can run quick scans on tools/services that they are developing, without setting up a Jenkins server or learning ZAP.
So it should be very easy for them to get a basic assessment of their application security.
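
Yannik's plan of a proxy in front of the ZAP API that adds the header, written out as an added example (not code from this thread or from the ZAP project). The ZAP address, the SPA origin and the proxy port are assumptions; the proxy only admits the one origin the SPA is served from, so other pages open in the same browser cannot drive the scanner.

```python
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

ZAP_API = "http://localhost:8080"            # ZAP's API address (assumed)
ALLOWED_ORIGINS = {"http://localhost:3000"}  # the SPA's origin (assumed)
HOP_BY_HOP = {"connection", "transfer-encoding", "content-length", "keep-alive"}


def cors_headers(origin, allowed=ALLOWED_ORIGINS):
    # Echo one trusted origin, never "*": otherwise any site the user visits
    # could drive the scanner through their browser. Untrusted origin -> {}.
    if origin not in allowed:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Vary": "Origin",
        "Access-Control-Allow-Methods": "GET, OPTIONS",
        "Access-Control-Allow-Headers": "Content-Type",
    }


class CorsProxy(BaseHTTPRequestHandler):
    def do_OPTIONS(self):  # preflight: answered here, never forwarded to ZAP
        hdrs = cors_headers(self.headers.get("Origin"))
        self.send_response(204 if hdrs else 403)
        for k, v in hdrs.items():
            self.send_header(k, v)
        self.end_headers()

    def do_GET(self):  # forward the API call, add CORS headers to ZAP's reply
        hdrs = cors_headers(self.headers.get("Origin"))
        if not hdrs:
            self.send_error(403, "origin not allowed")
            return
        try:
            with urllib.request.urlopen(ZAP_API + self.path, timeout=30) as r:
                status, upstream, body = r.status, r.headers, r.read()
        except urllib.error.HTTPError as e:  # pass ZAP's error replies through
            status, upstream, body = e.code, e.headers, e.read()
        self.send_response(status)
        for k, v in list(upstream.items()) + list(hdrs.items()):
            if k.lower() not in HOP_BY_HOP:
                self.send_header(k, v)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8090), CorsProxy).serve_forever()
```

The SPA then calls http://127.0.0.1:8090/JSON/ascan/action/scan/... instead of port 8080 and receives ZAP's JSON with the CORS headers attached.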

Simon Bennetts

Mar 22, 2018, 9:58:27 AM3/22/18
to OWASP ZAP User Group
That sounds good, and exactly the sort of use case we want to support :)
Let us know if you hit any other problems, and it would be good to hear how you get on in any case - I'm sure other ZAP users will be very interested in this as well.
It's worth noting that ZAP isn't really designed to be a long running service, so you should probably think about scheduled restarts, or launching new ZAP instances.
We have plans to fix that, but no ETA yet I'm afraid.

Cheers,

Simon

Yannik Inniger

Mar 22, 2018, 10:36:12 AM3/22/18
to OWASP ZAP User Group
Sure, I will keep you posted here on the progress.
Thank you for the hint, I will keep that in mind :)