I imported my swagger JSON using the openapi job and got the following report.
It seems it does a passive scan and gives me alerts; I don't have any other scans configured in my YAML file.
Now, if you look at the image below, there are 222 requests which gave a bad response, probably because authentication is not configured.
My question is: as you can see in the last image, the session id and session token are passed as header values for authentication, so how can I pass those through my YAML file?
My next question is: if I want to run an active scan, will I be able to use the same suggested answer for that too?
Thanks much for the help.
env:
  contexts:
    - name: "myapi"
      urls:                          # top-level URLs for the context (empty in this config)
      includePaths:                  # regexes to include (empty in this config)
      excludePaths: []
      authentication:
        parameters: {}
      sessionManagement:
        method: "cookie"             # cookie-based session handling; no headers are set here
        parameters: {}
  parameters:
    failOnError: true
    failOnWarning: true
    progressToStdout: true
  vars: {}
jobs:
  - type: "openapi"
    parameters:
      apiFile: ""                    # path to the imported swagger/OpenAPI JSON
    name: "openapi"
    tests:
      - onFail: "ERROR"              # fail the run unless more than 50 URLs were added
        statistic: "openapi.urls.added"
        site: ""
        operator: ">"
        value: 50
        name: "openapi/stats"
        type: "stats"
  - type: report
    parameters:
      template: "traditional-html-plus"
      reportDir: "."
      reportTitle: "ZAP Report"
      reportDescription: "This is an automated ZAP report."