Zap config file with replacer


Dimension Guy

Apr 4, 2023, 11:14:00 AM
to OWASP ZAP User Group
Hi Team,

I'm using replace in zap config to use header in full scan. I'm running the command like this,

 docker run -v $(pwd):/zap/wrk/:rw -t owasp/zap2docker-stable zap-full-scan.py -t https://example.com/applications -c conf -r testreport.html


where "conf" is the configuration file. Like this,
 
replacer.full_list(0).description=Authorization
replacer.full_list(0).enabled=true
replacer.full_list(0).matchtype=REQ_HEADER
replacer.full_list(0).matchstr=Authorization
replacer.full_list(0).regex=false
replacer.full_list(0).replacement="Bearer awdawdawdadawdawda"
replacer.full_list(1).description=Cookie
replacer.full_list(1).enabled=true
replacer.full_list(1).matchtype=REQ_HEADER
replacer.full_list(1).matchstr=Cookie
replacer.full_list(1).regex=false
replacer.full_list(1).replacement="a.hin7iYWua6JqE2oMVcCVZXBPr5M1xAisoiLCe3b5y_8"

For which I'm getting that config file is wrong (To be exact, the error is "2023-04-04 15:08:04,074 Failed to load config file /zap/wrk/conf not enough values to unpack (expected 3, got 1)" ). Not really sure what is wrong here.


Simon Bennetts

Apr 4, 2023, 11:20:07 AM
to OWASP ZAP User Group
Hiya,

You are using the wrong command line options for the config file :)
You need to tell ZAP to use this config file, not the zap-full-scan script.
So you should specify something like:

docker run -v $(pwd):/zap/wrk/:rw -t owasp/zap2docker-stable zap-full-scan.py -t https://example.com/applications -r testreport.html -z "-configfile conf"

Does that make sense?

Cheers,

Simon
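
Added example, not part of the thread and not ZAP project code: a pre-flight check that tells a ZAP options file (key=value lines, as posted above) from the tab-separated rules file that -c is assumed here to expect, which would explain "expected 3, got 1", and checks that each replacer rule carries the six keys shown in the original post. The function names and the sample are constructed for illustration.

```python
import re

# Keys each replacer rule carries in the config posted in this thread.
REQUIRED = {"description", "enabled", "matchtype", "matchstr", "regex", "replacement"}
ENTRY = re.compile(r"^replacer\.full_list\((\d+)\)\.(\w+)=(.*)$")

# Constructed sample: rule 1 is deliberately incomplete, token is a placeholder.
SAMPLE = """\
replacer.full_list(0).description=Authorization
replacer.full_list(0).enabled=true
replacer.full_list(0).matchtype=REQ_HEADER
replacer.full_list(0).matchstr=Authorization
replacer.full_list(0).regex=false
replacer.full_list(0).replacement=Bearer PLACEHOLDER_TOKEN
replacer.full_list(1).description=Cookie
replacer.full_list(1).enabled=true
replacer.full_list(1).matchstr=Cookie
"""


def classify(text):
    """Guess the file type from its non-blank, non-comment lines."""
    lines = [l for l in text.splitlines() if l.strip() and not l.startswith("#")]
    if lines and all(len(l.split("\t")) >= 2 for l in lines):
        return "scan-rules"    # tab-separated: assumed format of the -c file
    if lines and all("=" in l for l in lines):
        return "zap-options"   # key=value: pass with -z "-configfile <file>"
    return "unknown"


def check_replacer(text):
    """Return a list of problems found in replacer.full_list entries."""
    rules, problems = {}, []
    for n, line in enumerate(text.splitlines(), 1):
        m = ENTRY.match(line.strip())
        if m:
            rules.setdefault(int(m.group(1)), {})[m.group(2)] = m.group(3)
        elif line.strip().startswith("replacer."):
            problems.append(f"line {n}: malformed replacer entry")
    for idx in sorted(rules):
        missing = REQUIRED - rules[idx].keys()
        if missing:
            problems.append(f"rule {idx}: missing {', '.join(sorted(missing))}")
        for key in ("enabled", "regex"):
            if rules[idx].get(key, "true") not in ("true", "false"):
                problems.append(f"rule {idx}: {key} must be true or false")
    return problems

if __name__ == "__main__":
    print(classify(SAMPLE), check_replacer(SAMPLE))
```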

Dimension Guy

Apr 4, 2023, 11:41:10 AM
to OWASP ZAP User Group
Thanks for the follow up. Is there a way I can load this conf file to zap desktop version and check if it's actually working or not?

Simon Bennetts

Apr 4, 2023, 11:45:08 AM
to OWASP ZAP User Group
Yes, that is recommended :)

The command line options are given on https://www.zaproxy.org/docs/desktop/cmdline/
They only work with the zap.sh and zap.bat files - they don't work with zap.exe.

Cheers,

Simon