Unable to run an authenticated scan for APIs and Web


Jeyalakshmi Selvam

Jun 27, 2024, 8:56:26 AM
to ZAP User Group
Hello everyone,

I am a newbie on ZAP. I have tried to configure an automated scan on the ZAP Desktop UI as well as using Docker, but in both cases I couldn't get the proper response. Could you guys clarify the doubts?

In Docker,

I have tried the command for running an API scan with an authentication file (options.prop), but that prop file is not picked up while scanning. I found this issue while testing the APIs on my local server because the default authentication is applied (zap...@example.com).

command (Windows)
docker run --name security-test-NB -v %cd%:/zap/wrk:rw -t zaproxy/zap-stable zap-api-scan.py -t openapi.json -f openapi -z "-configfile /zap/wrk/options.prop" -r api-active-scan-loginapi.html

options.prop file
-config formhandler.fields.field\\(0\\).fieldId=email \  
-config formhandler.fields.field\\(0\\).value=jxxxxx...@example.com \  
-config formhandler.fields.field\\(0\\).enabled=true \  
-config formhandler.fields.field\\(1\\).fieldId=password \  
-config formhandler.fields.field\\(1\\).value=1234 \  
-config formhandler.fields.field\\(1\\).enabled=true 

IN ZAP GUI

For API scan

1. Create the context file, set the authentication (JSON based) and users.
2. Imported the OpenAPI definition, but while attacking the APIs, the API doesn't take the users mentioned in the context, using the default (zap...@example.com).

For Web application testing

1. Using the authentication helper in Tools for testing the URLs; after that it will be shown in the Sites tree, then hit the attack on the URL.

2. And I tried another thing: in the dialog box there is one big Automated Scan, on which I am mentioning the URL and attacking, but that doesn't work based on authentication.

Is this the right way to do it?

Could you guys give a proper explanation, and please instruct me if I made mistakes in any of the flow. Thanks in advance.
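A check worth running before the Docker scan, added here as an example and not code from the post or from the ZAP project: it lints the posted options.prop against the one-key=value-per-line layout that a -configfile parser is assumed to expect, and rewrites the command-line style "-config ... \" lines into that layout. The sample file, the assumption that the file format is plain key=value lines, and the assumption that shell escaping of the parentheses is not needed inside the file are all mine.

```python
import re

# Constructed sample: the options.prop from the post above, written in
# command-line "-config key=value \" style rather than one key=value per line.
POSTED_OPTIONS_PROP = r"""-config formhandler.fields.field\\(0\\).fieldId=email \
-config formhandler.fields.field\\(0\\).value=user@example.com \
-config formhandler.fields.field\\(0\\).enabled=true \
-config formhandler.fields.field\\(1\\).fieldId=password \
-config formhandler.fields.field\\(1\\).value=1234 \
-config formhandler.fields.field\\(1\\).enabled=true
"""


def lint_configfile(text):
    """Flag lines that a key=value-per-line parser (assumed -configfile
    format, '#' for comments) would not read as the author intended."""
    problems = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("-config"):
            problems.append((n, "'-config' prefix belongs on the command line, not in the file"))
        if line.endswith("\\"):
            problems.append((n, "trailing backslash line continuation is not understood"))
        if re.search(r"\\[()]", line):
            problems.append((n, "shell escaping of parentheses is not needed inside a file"))
        if "=" not in line:
            problems.append((n, "missing '=' separator"))
    return problems


def to_configfile(text):
    """Rewrite command-line style lines into a {key: value} mapping."""
    out = {}
    for raw in text.splitlines():
        line = raw.strip().rstrip("\\").strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("-config"):
            line = line[len("-config"):].strip()
        line = re.sub(r"\\+([()])", r"\1", line)  # drop shell escapes around (n)
        key, _, value = line.partition("=")
        out[key.strip()] = value.strip()
    return out


def render_configfile(mapping):
    """Serialise the mapping as one key=value line each, trailing newline."""
    return "".join(f"{k}={v}\n" for k, v in mapping.items())


if __name__ == "__main__":
    for n, msg in lint_configfile(POSTED_OPTIONS_PROP):
        print(f"line {n}: {msg}")
    print(render_configfile(to_configfile(POSTED_OPTIONS_PROP)))
```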

Simon Bennetts

Jul 1, 2024, 10:27:26 AM
to ZAP User Group
This is where you should start: https://www.zaproxy.org/docs/authentication/

Cheers,

Simon