Auth header data in open api scan - how to add


Kanchan Kumar Jha

Sep 6, 2021, 8:26:47 AM9/6/21
to OWASP ZAP User Group
Hello everyone.
Need help with this use case. We have enabled a few open APIs in our product. Now we need to scan them using ZAP (UI/CLI, anything).
The authentication details go as part of the header as username/password with basic auth. How do we parse this in ZAP?

"Import OpenAPI definition from ..." doesn't have a provision for auth headers.

Thanks.
-Kanchan

thc...@gmail.com

Sep 6, 2021, 9:24:48 AM9/6/21
to zaprox...@googlegroups.com
Hi.

Authentication is defined separately:
https://www.zaproxy.org/docs/desktop/start/features/authentication/

For your use case "Authentication Header Environmental Variables" might
be the easiest.

Best regards.

Kanchan Kumar Jha

Sep 16, 2021, 8:25:17 AM9/16/21
to OWASP ZAP User Group
Found the solution. We can use the replacer:

  -config replacer.full_list\\(0\\).description=auth1 \
  -config replacer.full_list\\(0\\).enabled=true \
  -config replacer.full_list\\(0\\).matchtype=REQ_HEADER \
  -config replacer.full_list\\(0\\).matchstr=Authorization \
  -config replacer.full_list\\(0\\).regex=false \
  -config replacer.full_list\\(0\\).replacement=123456789 \

The replacement value should be BASE10 of user and password. It can be taken from the Postman API.
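A runnable version of that replacer setup, as an added example (not code from the thread or from the ZAP project): it builds the Basic credential value from user:password and emits each replacer key as its own quoted -config argument, so no backslash escaping of the parentheses is needed. zap.sh on PATH, the -quickurl target form and rule slot 0 are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds the Basic auth value and
# the "-config replacer.full_list(N).*" arguments the post above uses to
# inject an Authorization header into every request ZAP sends.
# Assumes zap.sh is on PATH (override with ZAP_BIN) and a POSIX sh.

# RFC 7617 Basic credentials: "Basic " + base64("user:password").
basic_auth_value() {
    printf 'Basic %s' "$(printf '%s:%s' "$1" "$2" | base64 | tr -d '\n')"
}

# One replacer rule as key=value text, one key per line, for rule slot $1.
# REQ_HEADER with regex=false sets the named request header to a literal value.
replacer_rule_lines() {
    idx="$1"; desc="$2"; header="$3"; value="$4"
    printf 'replacer.full_list(%s).description=%s\n' "$idx" "$desc"
    printf 'replacer.full_list(%s).enabled=true\n' "$idx"
    printf 'replacer.full_list(%s).matchtype=REQ_HEADER\n' "$idx"
    printf 'replacer.full_list(%s).matchstr=%s\n' "$idx" "$header"
    printf 'replacer.full_list(%s).regex=false\n' "$idx"
    printf 'replacer.full_list(%s).replacement=%s\n' "$idx" "$value"
}

# Run a headless scan of TARGET with the Authorization header injected.
# Each key=value becomes its own quoted "-config" argument, so the parentheses
# and the space in "Basic xxxx" reach ZAP intact without backslash escaping.
run_zap_scan() {
    user="$1"; pass="$2"; target="$3"
    auth="$(basic_auth_value "$user" "$pass")"
    set --
    while IFS= read -r kv; do
        set -- "$@" -config "$kv"
    done <<EOF
$(replacer_rule_lines 0 auth1 Authorization "$auth")
EOF
    "${ZAP_BIN:-zap.sh}" -cmd -quickurl "$target" "$@"
}

# Usage (constructed values): run_zap_scan apiuser 'apipassword' https://api.example.test/
```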