Hello everyone,
I am a newbie on ZAP. I have tried to configure an automated scan on the ZAP Desktop UI as well as using Docker, but in both cases I couldn't get the proper response. Could you guys clarify the doubts?
In Docker, I have tried the command for running an API scan with an authentication file (options.prop), but that prop file is not picked up while scanning. I found this issue while testing the APIs on my local server because the default authentication is applied (zap...@example.com).
command (Windows)
docker run --name security-test-NB -v %cd%:/zap/wrk:rw -t zaproxy/zap-stable zap-api-scan.py -t openapi.json -f openapi -z "-configfile /zap/wrk/options.prop" -r api-active-scan-loginapi.html
options.prop file
-config formhandler.fields.field\\(0\\).fieldId=email \
-config formhandler.fields.field\\(0\\).value=jxxxxx...@example.com \
-config formhandler.fields.field\\(0\\).enabled=true \
-config formhandler.fields.field\\(1\\).fieldId=password \
-config formhandler.fields.field\\(1\\).value=1234 \
-config formhandler.fields.field\\(1\\).enabled=true
In ZAP GUI
For API scan
1. Create the context file, set the authentication (JSON-based) and users.
2. Imported the OpenAPI definition, but while attacking the APIs, the API doesn't take the users mentioned in the context, using the default (zap...@example.com).
For web application testing
1. Using the authentication helper in Tools for testing the URLs; after that they will be shown in the Sites tree, then hit Attack on the URL.
2. And tried another thing: in the dialog box there is one big Automated Scan; on that I am mentioning the URL and attacking, but that doesn't work based on authentication.
Is this the right way to do it?
Could you guys give a proper explanation, and please instruct me if I made mistakes in any of the flow. Thanks in advance.