HTTP Authentication Session Management with or without Bearer Prefix


Zeeshan Ali

Jun 1, 2023, 2:11:46 PM6/1/23
to OWASP ZAP User Group
I am trying to generate a context file using the ZAP UI and have set up the Authentication with JSON-based authentication, and Session Management is set to 2 (HTTP Authentication Session Management).
As per the documentation, this session management should be used when the session is managed with the HTTP request header Authorization.
In my case my application also expects the Bearer word in front of the token value, so the token and header would look like
Authorization: Bearer <tokenvalue>

Does the OWASP ZAP docker image add this Bearer word to the token? If not, what would be the best way to achieve this?

Here is the command which I am using to run the scan:

docker run -p 5000:5000 -v $(pwd):/zap/wrk/:rw -t owasp/zap2docker-weekly zap-full-scan.py -t https://abc.com:5000 -P 5000 -c zap-casa-config.conf -x results-full.xml -n def_context.context -U zeeshu26 

Any help is highly appreciated.

psiinon

Jun 6, 2023, 5:21:12 AM6/6/23
to zaprox...@googlegroups.com
Have you been able to test it in the ZAP desktop?
I don't think it will work, but I could be wrong.

Instead I would recommend using Header Based Session Management: https://www.zaproxy.org/docs/desktop/addons/authentication-helper/session-header/
This is provided by the Authentication Helper add-on.

I'd also recommend looking at Authentication Auto-detection and the Automation Framework, which is more flexible than the packaged scans:



--
OWASP ZAP Project leader
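The point of the header-based approach recommended above is that you write the complete header value yourself, prefix included, and tell ZAP where in the login response the token lives, so the "does ZAP add the Bearer word" question disappears. The Automation Framework plan below is an added example written for this thread; it is not code from the thread, the ZAP project or its documentation. The key names follow the Automation Framework and Authentication Helper documentation as I recall them and should be checked against the linked docs; the login endpoint, the `access_token` field name in the login response, the regexes and the credentials are all assumptions standing in for the poster's application.

```yaml
# Added example plan for ZAP's Automation Framework (not from the original thread).
# Assumed: the app exposes a JSON login endpoint at /api/login that returns
# {"access_token": "..."} on success, and expects "Authorization: Bearer <token>".
env:
  contexts:
    - name: "abc-app"
      urls:
        - "https://abc.com:5000"            # target from the poster's command line
      includePaths:
        - "https://abc.com:5000.*"
      authentication:
        method: "json"                      # JSON-based authentication, as in the question
        parameters:
          loginPageUrl: "https://abc.com:5000/login"        # assumed
          loginRequestUrl: "https://abc.com:5000/api/login" # assumed
          # {%username%} / {%password%} are filled from the user definition below
          loginRequestBody: '{"username":"{%username%}","password":"{%password%}"}'
        verification:
          method: "response"
          loggedInRegex: "\\Q 200 OK\\E"          # assumed: status line of a logged-in response
          loggedOutRegex: "\\Q 401 Unauthorized\\E"
      sessionManagement:
        # Header-based session management from the Authentication Helper add-on.
        # The whole header value is spelled out here, including the "Bearer " prefix;
        # {%json:access_token%} is replaced with that field from the login response.
        method: "headers"
        headers:
          - name: "Authorization"
            value: "Bearer {%json:access_token%}"
      users:
        - name: "zeeshu26"
          credentials:
            username: "zeeshu26"            # assumed credentials; keep real ones out of the plan
            password: "CHANGE-ME"
  parameters:
    failOnError: true
    progressToStdout: true

jobs:
  - type: "passiveScan-config"
    parameters:
      maxAlertsPerRule: 10
  - type: "spider"
    parameters:
      context: "abc-app"
      user: "zeeshu26"
  - type: "activeScan"
    parameters:
      context: "abc-app"
      user: "zeeshu26"
  - type: "report"
    parameters:
      template: "traditional-xml"
      reportDir: "/zap/wrk"
      reportFile: "results-full"
```

Run it with the `-autorun` command-line option, for example with the same weekly image the question uses (mount and file name assumed): `docker run -v $(pwd):/zap/wrk/:rw -t owasp/zap2docker-weekly zap.sh -cmd -autorun /zap/wrk/zap-plan.yaml`. A quick way to confirm the prefix is being sent is to run the spider job with a single user, then check the History tab (or the Output with `progressToStdout`) for a request carrying `Authorization: Bearer ...` rather than a bare token.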