Hi ZAP Team,
I’m currently exploring the Postman Collection add-on in OWASP ZAP to scan authenticated APIs and had a few questions/observations. It would be helpful to understand the intended behavior and recommended approach.
Context
The application uses token-based authentication via the Authorization header (Bearer token). The token is obtained from a login API and expires in ~30 minutes.
1. Token refresh / session handling
Since the token expires periodically:
How does ZAP handle token refresh in such cases, where the site tree is derived from requests made by parsing Postman collections?
Is there a recommended way to automatically regenerate and inject a fresh token while importing a Postman collection, as there is for context-based scans (via scripts, authentication methods, or session management)?
2. Execution of Postman collection scripts (pre-request / test events)
From my observation:
ZAP does not execute Postman collection scripts (such as pre-request or test scripts), since it does not have a Postman execution engine. The ZAP import flow parses the collection JSON, makes requests with the body/method/headers, and builds the site tree.
But in collections where a login request returns a token in the response and assigns it to a collection variable (e.g., auth_token) that is then reused in subsequent requests, the Authorization header will always be empty because the Postman script did not run.
Questions:
Is it correct that ZAP ignores these scripts during import/execution?
If yes, what is the recommended way to support this type of collection in ZAP (e.g., extracting tokens from responses and reusing them across requests)?
3. Handling of the auth object in Postman collections
Another observation:
ZAP does not seem to parse the auth object of a request in the collection and send the Authorization header defined in the simulated request (e.g., a Bearer token configuration).
Questions:
Is this observation expected?
If yes, what is the suggested way to ensure the Authorization header is correctly applied to authenticated API requests? As a user, I would expect this to be supported during parsing.
Reference Collection
I’ve been using the VAmPI Postman collection as a reference:
I would appreciate guidance on these queries and on best practices for handling authenticated API scans in such scenarios using ZAP.
Thanks in advance for your help!
Best regards,
Ritik Jain
Hi Simon,
Thanks for the clarification and the authentication reference docs.
Also apologies for the misunderstanding regarding the naming — noted, it’s “ZAP” / “ZAP by Checkmarx”.
Understood regarding Postman scripts not being executed during collection import. While exploring this further, I thought of a possible workaround:
Run the Postman collection using Newman CLI with traffic routed through the ZAP proxy.
This way:
Newman executes pre-request/test scripts normally
auth_token and other dynamic variables get populated correctly
Token refresh logic continues to work
ZAP observes the traffic, builds the site tree, and can later perform active scans
This seems like a practical approach for collections that rely heavily on Postman scripting/runtime variables.
Thanks again for the help!
Best regards,
Ritik Jain
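The workaround described in the reply above, as an added example that is not part of the original thread and not ZAP or Newman project code: a small POSIX shell wrapper that runs a collection with Newman through a local ZAP proxy (Newman honours the HTTP_PROXY/HTTPS_PROXY environment variables) and then queries ZAP's API for the URLs it recorded. All concrete values are assumptions: ZAP on 127.0.0.1:8080 with API key "changeme", a collection file named vampi.postman_collection.json, a target at http://127.0.0.1:5000, and a collection variable called baseUrl.

```shell
#!/usr/bin/env sh
# Added example (not from the original thread): drive a Postman collection with
# Newman through ZAP so pre-request/test scripts run and ZAP records the traffic.
# Hypothetical defaults below; override them via the environment.
ZAP_HOST="${ZAP_HOST:-127.0.0.1}"
ZAP_PORT="${ZAP_PORT:-8080}"
ZAP_API_KEY="${ZAP_API_KEY:-changeme}"
COLLECTION="${COLLECTION:-vampi.postman_collection.json}"
TARGET="${TARGET:-http://127.0.0.1:5000}"

# Newman command line. Exporting HTTP_PROXY/HTTPS_PROXY routes every request
# through ZAP. --insecure accepts ZAP's generated TLS certificate; to keep
# verification on, export ZAP's root CA and pass it with --ssl-extra-ca-certs
# instead. --env-var sets the (assumed) baseUrl collection variable.
newman_cmd() {
  printf 'HTTP_PROXY=http://%s:%s HTTPS_PROXY=http://%s:%s newman run %s --insecure --env-var baseUrl=%s\n' \
    "$ZAP_HOST" "$ZAP_PORT" "$ZAP_HOST" "$ZAP_PORT" "$COLLECTION" "$TARGET"
}

# ZAP API URL: component ($1), type view|action ($2), endpoint ($3),
# optional extra query string ($4). The API key is sent as the apikey parameter.
zap_api_url() {
  printf 'http://%s:%s/JSON/%s/%s/%s/?apikey=%s%s\n' \
    "$ZAP_HOST" "$ZAP_PORT" "$1" "$2" "$3" "$ZAP_API_KEY" "${4:+&$4}"
}

# Execute Newman, list what ZAP recorded under TARGET, then start an active
# scan of that subtree.
run_scan() {
  eval "$(newman_cmd)"
  curl -s "$(zap_api_url core view urls "baseurl=$TARGET")"
  curl -s "$(zap_api_url ascan action scan "url=$TARGET&recurse=true")"
}

# Dry run by default (prints the commands); set RUN_SCAN=1 to execute them.
if [ "${RUN_SCAN:-0}" = "1" ]; then
  run_scan
else
  newman_cmd
  zap_api_url core view urls "baseurl=$TARGET"
fi
```

One caveat for the later active scan: ZAP replays the recorded requests with the Authorization header exactly as Newman sent it, so a token that expires in about 30 minutes still needs ZAP-side session handling if the scan runs longer than that.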