OWASP ZAP API scan token authentication issue


Zfk Zfk

Jun 4, 2021, 5:49:09 AM
to OWASP ZAP User Group

Hello,

I'm testing the API scan locally using the Docker ZAP stable image, and once it's successful I would then like to implement it in an Azure Pipeline.
I have a problem with authenticating using a valid token that was previously tested on Swagger.

I've pulled the zap2docker-stable image and created a wrk directory inside the container.
docker run --rm -it -p 80:80 owasp/zap2docker-stable

I've created an options.prop file.
replacer.full_list(0).description=auth
replacer.full_list(0).enabled=true
replacer.full_list(0).matchtype=REQ_HEADER
replacer.full_list(0).matchstr=Authorization
replacer.full_list(0).regex=false
replacer.full_list(0).replacement=Bearer TOKEN

I've run the command inside the container including the options.prop file, but I got a 401.
zap-api-scan.py -t https://domain.net/service/v1/languages -f openapi -g gen.conf -r report.html -I -x governreport.xml -z "-configfile /zap/wrk/options.prop"
[screenshot attachment: 2021-06-04_10-36.png]

From the Azure Portal I've downloaded the OpenAPI v3 JSON file and tried to scan it as the target, but I also got a 401.

I've also tried the following in the options.prop file, with and without Bearer.
replacer.full_list(0).description=auth
replacer.full_list(0).enabled=true
replacer.full_list(0).matchtype=REQ_HEADER
replacer.full_list(0).matchstr=Authorization
replacer.full_list(0).regex=false
replacer.full_list(0).replacement=Bearer TOKEN

replacer.full_list(0).description=auth \
replacer.full_list(0).enabled=true \
replacer.full_list(0).matchtype=REQ_HEADER \
replacer.full_list(0).matchstr=Authorization \
replacer.full_list(0).regex=false \
replacer.full_list(0).replacement=Bearer TOKEN

-config replacer.full_list\\(1\\).description=auth \
-config replacer.full_list\\(1\\).enabled=true \
-config replacer.full_list\\(1\\).matchtype=REQ_HEADER \
-config replacer.full_list\\(1\\).matchstr=Authorization \
-config replacer.full_list\\(1\\).regex=false \
-config replacer.full_list\\(1\\).replacement=Bearer TOKEN

-config 'replacer.full_list\\(1\\).description=auth' \
-config 'replacer.full_list\\(1\\).enabled=true' \
-config 'replacer.full_list\\(1\\).matchtype=REQ_HEADER' \
-config 'replacer.full_list\\(1\\).matchstr=Authorization' \
-config 'replacer.full_list\\(1\\).regex=false' \
-config 'replacer.full_list\\(1\\).replacement=Bearer TOKEN'

I've also tried it in command form.
zap-api-scan.py -t 'https://domain.net/service/v1/languages' -f openapi -z "-config 'replacer.full_list\(0\).description=auth1' -config 'replacer.full_list\(0\).enabled=true' -config 'replacer.full_list\(0\).matchtype=REQ_HEADER' -config 'replacer.full_list\(0\).matchstr=X-Auth-Token' -config 'replacer.full_list\(0\).regex=false' -config 'replacer.full_list\(0\).replacement=Bearer TOKEN'"
zap-api-scan.py -t 'https://domain.net/service/v1/languages' -f openapi -z "-config 'replacer.full_list\(0\).description=auth1' -config 'replacer.full_list\(0\).enabled=true' -config 'replacer.full_list\(0\).matchtype=REQ_HEADER' -config 'replacer.full_list\(0\).matchstr=Authorization' -config 'replacer.full_list\(0\).regex=false' -config 'replacer.full_list\(0\).replacement=Bearer TOKEN'"

Please help.

Thanks in advance.

Simon Bennetts

Jun 7, 2021, 5:28:12 AM
to OWASP ZAP User Group
If it's just one header you need to add then the easiest option is to use env vars: https://www.zaproxy.org/docs/desktop/start/features/authentication/#envvars

Cheers,

Simon
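As an added example (not from the thread or from the ZAP project itself), this is how the env-var approach Simon links to can be wired into a scripted zap-api-scan.py run. ZAP reads ZAP_AUTH_HEADER_VALUE (the header value), ZAP_AUTH_HEADER (the header name, defaulting to Authorization) and ZAP_AUTH_HEADER_SITE (restrict the header to one site) from the container's environment, so the token never has to be written into a replacer rule or the -z string. The token source API_TOKEN, the host value domain.net, the zap_auth_env and run_zap_api_scan helper names and the RUN_ZAP_SCAN guard are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the original thread or of ZAP's own tooling.
# Assumptions: API_TOKEN holds the bearer token (e.g. mapped from an Azure
# Pipelines secret variable into the job environment); the owasp/zap2docker-stable
# image is present; reports are written to the mounted /zap/wrk directory.

# Export ZAP's auth-header env vars and set ZAP_DOCKER_ENV_ARGS to the matching
# "docker run -e NAME" pass-through flags. Passing only the variable NAME makes
# docker copy the value from this shell's environment, so the token does not
# appear in the docker command line on the host. Fails (returns 1) when the token
# is empty so a misconfigured pipeline stops instead of scanning unauthenticated.
zap_auth_env() {
  token="$1"
  header="${2:-Authorization}"   # ZAP's default header name is Authorization
  site="$3"                      # optional host restriction, e.g. domain.net
  if [ -z "$token" ]; then
    echo "zap_auth_env: empty token, refusing to start an unauthenticated scan" >&2
    return 1
  fi
  ZAP_AUTH_HEADER="$header"
  ZAP_AUTH_HEADER_VALUE="Bearer $token"
  export ZAP_AUTH_HEADER ZAP_AUTH_HEADER_VALUE
  ZAP_DOCKER_ENV_ARGS="-e ZAP_AUTH_HEADER -e ZAP_AUTH_HEADER_VALUE"
  if [ -n "$site" ]; then
    ZAP_AUTH_HEADER_SITE="$site"
    export ZAP_AUTH_HEADER_SITE
    ZAP_DOCKER_ENV_ARGS="$ZAP_DOCKER_ENV_ARGS -e ZAP_AUTH_HEADER_SITE"
  fi
  return 0
}

# Run the API scan against an OpenAPI definition with the auth header injected
# through the environment. Report files land in the current directory because
# it is mounted as /zap/wrk inside the container.
run_zap_api_scan() {
  target="$1"
  site="$2"
  zap_auth_env "$API_TOKEN" Authorization "$site" || return 1
  # shellcheck disable=SC2086 -- ZAP_DOCKER_ENV_ARGS is intentionally word-split
  docker run --rm -v "$(pwd)":/zap/wrk:rw $ZAP_DOCKER_ENV_ARGS \
    owasp/zap2docker-stable zap-api-scan.py \
    -t "$target" -f openapi -r report.html -x report.xml -I
}

# Only start a real scan when explicitly requested (e.g. RUN_ZAP_SCAN=1 in CI).
if [ "${RUN_ZAP_SCAN:-0}" = "1" ]; then
  run_zap_api_scan "https://domain.net/service/v1/languages" "domain.net"
fi
```

In Azure Pipelines a secret variable is not exported to scripts automatically, so the step needs an explicit mapping such as `env: API_TOKEN: $(apiToken)` before `run_zap_api_scan` can read it; the `-e NAME` pass-through form then carries it into the container without echoing it into the pipeline log.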

Zfk Zfk

Jun 7, 2021, 10:37:34 AM
to OWASP ZAP User Group
Hi Simon,

Thank you for the reply and explanation.

Can I do it like this?
zap-api-scan.py -t 'https://domain.net/service/v1/languages' -f openapi -g gen.conf -r report.html -I -x governreport.xml -z "-config ZAP_AUTH_HEADER_VALUE=Bearer TOKEN"

Thanks in advance.

Best Regards