Zap is not picking up my Authorization headers from options.prop file when running zap-baseline.py


Basanth ...

May 2, 2024, 3:09:25 AM
to ZAP User Group
I am trying to do a Baseline scan by passing the URL, and for authorization I am passing my headers and parameters in an options.prop file.

I am using this command to scan my APIs:

```
docker run -v $(pwd):/zap/wrk/:rw \
  -t softwaresecurityproject/zap-stable zap-baseline.py -t https://em-api.xxx.org/light -z "-configfile /zap/wrk/options.prop" -r api-passive-scan-report.html
```

This is the options.prop file I am using:
[image: Tem.JPG]

As output I am getting many 403 & 404 responses:

```
Using the Automation Framework
Total of 10 URLs
PASS: Vulnerable JS Library (Powered by Retire.js) [10003]
PASS: In Page Banner Information Leak [10009]
PASS: Cookie No HttpOnly Flag [10010]
PASS: Cookie Without Secure Flag [10011]
PASS: Re-examine Cache-control Directives [10015]
PASS: Cross-Domain JavaScript Source File Inclusion [10017]
PASS: Content-Type Header Missing [10019]
PASS: Anti-clickjacking Header [10020]
PASS: X-Content-Type-Options Header Missing [10021]
PASS: Information Disclosure - Debug Error Messages [10023]
PASS: Information Disclosure - Sensitive Information in URL [10024]
PASS: Information Disclosure - Sensitive Information in HTTP Referrer Header [10025]
PASS: HTTP Parameter Override [10026]
PASS: Information Disclosure - Suspicious Comments [10027]
PASS: Open Redirect [10028]
PASS: Cookie Poisoning [10029]
PASS: User Controllable Charset [10030]
PASS: User Controllable HTML Element Attribute (Potential XSS) [10031]
PASS: Viewstate [10032]
PASS: Directory Browsing [10033]
PASS: Heartbleed OpenSSL Vulnerability (Indicative) [10034]
PASS: Strict-Transport-Security Header [10035]
PASS: HTTP Server Response Header [10036]
PASS: Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) [10037]
PASS: X-Backend-Server Header Information Leak [10039]
PASS: Secure Pages Include Mixed Content [10040]
PASS: HTTP to HTTPS Insecure Transition in Form Post [10041]
PASS: HTTPS to HTTP Insecure Transition in Form Post [10042]
PASS: User Controllable JavaScript Event (XSS) [10043]
PASS: Big Redirect Detected (Potential Sensitive Information Leak) [10044]
PASS: Retrieved from Cache [10050]
PASS: X-ChromeLogger-Data (XCOLD) Header Information Leak [10052]
PASS: Cookie without SameSite Attribute [10054]
PASS: CSP [10055]
PASS: X-Debug-Token Information Leak [10056]
PASS: Username Hash Found [10057]
PASS: X-AspNet-Version Response Header [10061]
PASS: PII Disclosure [10062]
PASS: Timestamp Disclosure [10096]
PASS: Hash Disclosure [10097]
PASS: Cross-Domain Misconfiguration [10098]
PASS: Source Code Disclosure [10099]
PASS: Weak Authentication Method [10105]
PASS: Reverse Tabnabbing [10108]
PASS: Modern Web Application [10109]
PASS: Dangerous JS Functions [10110]
PASS: Authentication Request Identified [10111]
PASS: Session Management Response Identified [10112]
PASS: Verification Request Identified [10113]
PASS: Absence of Anti-CSRF Tokens [10202]
PASS: Private IP Disclosure [2]
PASS: Session ID in URL Rewrite [3]
PASS: Stats Passive Scan Rule [50003]
PASS: Insecure JSF ViewState [90001]
PASS: Java Serialization Object [90002]
PASS: Sub Resource Integrity Attribute Missing [90003]
PASS: Insufficient Site Isolation Against Spectre Vulnerability [90004]
PASS: Charset Mismatch [90011]
PASS: Application Error Disclosure [90022]
PASS: WSDL File Detection [90030]
PASS: Loosely Scoped Cookie [90033]
WARN-NEW: Content Security Policy (CSP) Header Not Set [10038] x 4
        https://em-api.xxx.org/em/api/v1 (403 Forbidden)
        https://em-api.xxx.org/em/api/v1/ui (403 Forbidden)
        https://em-api.xxx.org/em/api/v1/ui/rsgroups (403 Forbidden)
        https://em-api.xxx.org/em/api/v1//light (403 Forbidden)
WARN-NEW: Non-Storable Content [10049] x 9
        https://em-api.xxx.org/em/api/v1 (403 Forbidden)
        https://em-api.xxx.org/em/api/v1/ui (403 Forbidden)
        https://em-api.xxx.org/em/api/v1/ui/rsgroups (403 Forbidden)
        https://em-api.xxx.org/em/api/v1//light (403 Forbidden)
        https://em-api.xxx.org/ (404 Not Found)
WARN-NEW: Permissions Policy Header Not Set [10063] x 4
        https://em-api.xxx.org/em/api/v1 (403 Forbidden)
        https://em-api.xxx.org/em/api/v1/ui (403 Forbidden)
        https://em-api.xxx.org/em/api/v1/ui/rsgroups (403 Forbidden)
        https://em-api.xxx.org/em/api/v1//light (403 Forbidden)
FAIL-NEW: 0     FAIL-INPROG: 0  WARN-NEW: 3     WARN-INPROG: 0  INFO: 0 IGNORE: 0       PASS: 61
Automation plan warnings:
        Job spider error accessing URL https://em-api.xxx.org/em/api/v1//light status code returned : 403 expected 200        
        Job spider error accessing URL https://em-api.xxx.org/ status code returned : 404 expected 200
```
It looks like the options.prop file is not picked up, and there is no effect whether we pass a valid or an invalid token.

kingthorin+zap

May 2, 2024, 5:56:00 AM
to ZAP User Group
Why is half the rule index zero and half index one? I don't see how that would work properly....

Basanth ...

May 3, 2024, 8:15:14 AM
to ZAP User Group
Thanks for pointing to that. I corrected the same and tried again.

This is the config file I am using now, options.prop:
[image: 2.JPG]

I am still getting the same output, where the URL returned 403 as the response. Not sure what is wrong with the command I am using.

```
docker run -v $(pwd):/zap/wrk/:rw \
  -t softwaresecurityproject/zap-stable zap-baseline.py -t https://xxx.org/em/api/v1/ui/rsgroups/light -z "-configfile /zap/wrk/options.prop" -r api-passive-scan-report.html
```

Basanth ...

May 3, 2024, 12:16:53 PM
to ZAP User Group
It would be nice if we could verify the headers actually used by Zap while sending the request.

I can see LogMessages.js, but how can I enable it for the docker run so that I can see the requests and responses?

thc...@gmail.com

May 6, 2024, 2:36:42 AM
to zaprox...@googlegroups.com
I'd suggest using the Automation Framework; you can easily run the plans in the GUI and verify that everything is working (you can check the messages sent in the Request/Response tabs). It's possible to add Replacer rules through the plan:
https://www.zaproxy.org/docs/desktop/addons/replacer/automation/

You can also easily add scripts using the Script job:
https://www.zaproxy.org/docs/desktop/addons/script-console/automation/
(If you need to further check how it's running, e.g. in CI/CD.)


If you still want to use the baseline scan you'll have to use Scan Hooks to set up the script:
https://www.zaproxy.org/docs/docker/scan-hooks/

or set it through the command line:
https://www.zaproxy.org/faq/how-do-you-add-a-script-to-zap-from-the-command-line/


Best regards.


Basanth ...

May 6, 2024, 7:31:52 AM
to ZAP User Group
OK, I will look into the Automation Framework.

Meanwhile, using the options.prop file for secured APIs worked; this is the prop file content:

```
replacer.full_list(0).description=AuthHeader
replacer.full_list(0).enabled=true
replacer.full_list(0).matchtype=REQ_HEADER
replacer.full_list(0).matchstr=Authorization
replacer.full_list(0).regex=false
replacer.full_list(0).replacement=Bearer <TOKEN>
```


Thanks all for the support.
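As an added example (not from this thread and not ZAP's own code), a small pre-flight checker for the `replacer.full_list(N).key=value` entries in options.prop: it catches the mixed-index mistake raised earlier in the thread, where half of one rule's keys sit at index 0 and half at index 1, so ZAP sees two incomplete rules instead of one working one. The key names are the ones shown in the working config above; the sample input is constructed to reproduce the broken state.

```python
import re
from collections import defaultdict

# Keys a Replacer rule needs in options.prop (as in the working config above).
REQUIRED_KEYS = {"description", "enabled", "matchtype", "matchstr", "regex", "replacement"}
LINE_RE = re.compile(r"^replacer\.full_list\((\d+)\)\.(\w+)=(.*)$")

def parse_replacer_props(text):
    """Group replacer.full_list(N).key=value lines by rule index N."""
    rules = defaultdict(dict)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        m = LINE_RE.match(line)
        if m:
            idx, key, value = int(m.group(1)), m.group(2), m.group(3)
            rules[idx][key] = value
    return dict(rules)

def check_replacer_props(text):
    """Return a list of problems; an empty list means the rules look consistent."""
    rules = parse_replacer_props(text)
    if not rules:
        return ["no replacer.full_list entries found"]
    problems = []
    if set(rules) != set(range(len(rules))):
        problems.append(f"rule indices {sorted(rules)} are not contiguous from 0")
    for idx in sorted(rules):
        missing = REQUIRED_KEYS - set(rules[idx])
        if missing:
            problems.append(f"rule {idx} is missing keys: {sorted(missing)}")
        if rules[idx].get("enabled", "").lower() != "true":
            problems.append(f"rule {idx} is not enabled")
    return problems

# Constructed sample reproducing the split-index mistake from the thread.
BROKEN = """
replacer.full_list(0).description=AuthHeader
replacer.full_list(0).enabled=true
replacer.full_list(0).matchtype=REQ_HEADER
replacer.full_list(1).matchstr=Authorization
replacer.full_list(1).regex=false
replacer.full_list(1).replacement=Bearer <TOKEN>
"""
FIXED = BROKEN.replace("full_list(1)", "full_list(0)")  # all keys on index 0

if __name__ == "__main__":
    print(check_replacer_props(BROKEN))  # two half-filled rules reported
    print(check_replacer_props(FIXED))   # []
```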
