Zap is not picking up my Authorization headers from options.prop file when running zap-apiscan.py


Sanjana

May 7, 2024, 6:56:33 AM5/7/24
to ZAP User Group
I am trying to do an API scan by passing the auth token using replacer rules in the options.prop file.
I am scanning the GitHub API with a personal access token.

Screenshot 2024-05-07 161152.png

The above is the reference link we used to test the github api.

When using ZAP's Docker image to perform the scan, the report generated consists of 403 errors as shown below:

WARN-NEW: Cross-Domain Misconfiguration [10098] x 1
https://api.github.com/repos/Sanjana573/adadada/languages (404 Not Found)
WARN-NEW: CORS Misconfiguration [40040] x 4
https://api.github.com/repos (403 rate limit exceeded)
https://api.github.com/repos/Sanjana573 (403 rate limit exceeded)
https://api.github.com/repos/Sanjana573/adadada/languages (403 rate limit exceeded)
https://api.github.com/repos/Sanjana573/adadada (403 rate limit exceeded)
FAIL-NEW: 0 FAIL-INPROG: 0 WARN-NEW: 3 WARN-INPROG: 0 INFO: 0 IGNORE: 0 PASS: 134


We tested out the endpoint on Postman and it was working as expected, but when we pass the auth token using the options.prop file it is giving 403 errors for some URLs in the report that was generated.
Can anyone please help us out?

kingthorin+zap

May 7, 2024, 9:30:41 AM5/7/24
to ZAP User Group
0) Do you have permission to test against GitHub?
1) "rate limit exceeded" > Seems like you should set some throttling.

Anagha Ms

May 7, 2024, 11:33:20 AM5/7/24
to ZAP User Group
We have permission to test against GitHub. We tested the GitHub endpoint and the auth token on Postman and it worked perfectly fine.
Secondly, if we have to set the throttle, since we are scanning the API through ZAP's Docker image, do we have to write a script to do the same and send it as a parameter?

Krishi Bagri

May 8, 2024, 7:10:42 AM5/8/24
to ZAP User Group
I am also trying to do this API scan with an API endpoint by using the CLI and generate a report. The command that was used is:

docker run -v {pwd}:/zap/wrk/:rw -t owasp/zap2docker-weekly zap-api-scan.py -t openapi.json -f openapi -z "-config /zap/wrk/options.prop" -r report_html.html

Above, in the openapi.json file, I passed my openapi definition and the options.prop file contains:

-config replacer.full_list(0).description=AuthHeader
-config replacer.full_list(0).enabled=true
-config replacer.full_list(0).matchtype=REQ_HEADER
-config replacer.full_list(0).matchstr=Authorization
-config replacer.full_list(0).regex=false
-config replacer.full_list(0).replacement=Bearer MyToken

Here, {pwd} was replaced with my directory and MyToken with the token received by a POST request in Postman.
I have kept my OpenAPI definition and the options.prop file in one directory (i.e., what I have passed as {pwd}), and as per what I understood, it gets mounted in the Docker image.

It generates the report as an output, but as I can see in the report, it does scan those requests that do not require authentication, and for other endpoints that require authentication, where the scan should take place based on authentication, it is returning status codes of 404 and 403. I have attached the report for reference below.

Can someone help me figure out what is going wrong and how I can correct it to perform an authenticated API scan?
report.html

Krishi Bagri

May 8, 2024, 8:21:55 AM5/8/24
to ZAP User Group
I also have a follow-up doubt. I was also trying to do this same scanning with the VAmPI API, which is a publicly available API for vulnerability testing. I used the same CLI command and configuration as I have specified above. I cloned the VAmPI API; it is running fine through Postman, and I am also able to retrieve tokens and perform other authenticated operations. I ran it on my local machine at "http://127.0.0.1:5000", but on running the above specified CLI command I get an error message saying that the connection is not established.

I have provided all the references and screenshots that I have used. You can find complete details in the ReadMe file and also the definition and swagger file in the GitHub link below. Can you help me with this as well?


Screenshot (131).png
Screenshot (130).png
Screenshot (132).png

kingthorin+zap

May 8, 2024, 2:25:22 PM5/8/24
to ZAP User Group
Oh, sorry, I didn't notice this earlier, but your CLI syntax is wrong:
-z "-config /zap/wrk/options.prop"
should be
-z "-configfile /zap/wrk/options.prop"
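An added example (not from the ZAP project or from anyone in this thread) that ties the corrected -configfile syntax together with the replacer rules quoted earlier and the throttling question: it generates options.prop from an environment variable so the token is not stored in a file, and assembles the docker command. The scanner.delayInMs / scanner.threadPerHost keys are assumed here as ZAP's active-scan throttle settings; the replacer keys are the ones from the thread.

```shell
#!/bin/sh
# Write options.prop to $1. The bearer token is read from ZAP_AUTH_TOKEN
# rather than typed into the file, so the file can live in the repo safely.
write_options_prop() {
    out="$1"
    token="${ZAP_AUTH_TOKEN:?set ZAP_AUTH_TOKEN first}"
    cat > "$out" <<EOF
-config replacer.full_list(0).description=AuthHeader
-config replacer.full_list(0).enabled=true
-config replacer.full_list(0).matchtype=REQ_HEADER
-config replacer.full_list(0).matchstr=Authorization
-config replacer.full_list(0).regex=false
-config replacer.full_list(0).replacement=Bearer ${token}
-config scanner.delayInMs=500
-config scanner.threadPerHost=1
EOF
}
# The last two keys are an assumed throttle: delay between requests (ms)
# and one scan thread per host, to avoid the "rate limit exceeded" 403s.

# Print the zap-api-scan.py command. $1 = host work dir (mounted at
# /zap/wrk), $2 = OpenAPI definition file name inside that dir.
# Note: if the OpenAPI "servers" URL points at 127.0.0.1, the container
# will try to reach itself; use host.docker.internal (Docker Desktop) or
# run docker with --network host (Linux) when the API runs on the host.
build_scan_cmd() {
    printf 'docker run -v "%s:/zap/wrk/:rw" -t owasp/zap2docker-weekly zap-api-scan.py -t %s -f openapi -z "-configfile /zap/wrk/options.prop" -r report_html.html\n' "$1" "$2"
}

# Sanity check before launching: the replacer rule must carry a bearer
# value and the command must pass the file with -configfile, not -config.
check_setup() {
    grep -q '^-config replacer.full_list(0).replacement=Bearer ' "$1" || return 1
    build_scan_cmd "$2" "$3" | grep -q -- '-z "-configfile /zap/wrk/options.prop"' || return 1
    return 0
}
```

Run it as `ZAP_AUTH_TOKEN=... ; write_options_prop "$(pwd)/options.prop"; eval "$(build_scan_cmd "$(pwd)" openapi.json)"` from the directory holding the OpenAPI file.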

Krishi Bagri

May 9, 2024, 2:08:04 AM5/9/24
to ZAP User Group
I tried what you told me to change. It generates the same report as was generated earlier; it seems like authentication is not getting mounted. Also, I guess "configfile" is to be used with the -c option, and in the last line, the document says to put -z and then use the options.prop file as -z "-config aaa=bbb -config ccc=ddd"

https://www.zaproxy.org/blog/2017-06-19-scanning-apis-with-zap/#command-line-options
Screenshot 2024-05-09 093314.png

kingthorin+zap

May 9, 2024, 8:55:13 AM5/9/24
to ZAP User Group
-c is a different config file. Search the page for options.prop and you'll see the appropriate examples.

Krishi Bagri

May 9, 2024, 10:11:30 AM5/9/24
to ZAP User Group
I was not able to find any such page. Can you pin it up here?

kingthorin+zap

May 9, 2024, 7:32:37 PM5/9/24
to ZAP User Group
The one I linked a few messages ago.

Krishi Bagri

May 10, 2024, 4:55:56 AM5/10/24
to ZAP User Group
Okay, understood. Also, I would like to know if there is a way to limit the number of requests sent using the CLI?

Krishi Bagri

May 10, 2024, 8:35:07 AM5/10/24
to ZAP User Group
I tried the changes that you have specified, but it results in the same thing. No change in the report; I still have a 401 response code.

Simon Bennetts

May 14, 2024, 6:46:53 AM5/14/24
to ZAP User Group
For anything related to authentication, the place to start is https://www.zaproxy.org/docs/authentication/
If you still have problems then you will need to tell us what you tried and what the results were - we are not telepathic or all-knowing :)

Cheers,

Simon