ZAP Dockerized API Scan w Auth


Yuvraj Chauhan

Jul 16, 2021, 6:18:52 PM
to OWASP ZAP User Group
Hi All,

I am new to ZAP. I know how to get the dockerized ZAP container running on Linux (this is the system I am using to run the ZAP Docker container). I aim to do Authentication using the ZAP Docker container but am unsure of how I can do this. 

Here are the points I need clarification on:
1. How can I use scan hooks to do auth? (I plan to call my API and retrieve the access token within scan-hooks.py so that I can add a header to each ZAP API request with "Authorization" : "Bearer <insert token>". Please kindly let me know what the exact commands are. Thank you!)

2. I want to run the API Scan on a list of URLs because when I set the -f openapi flag on the target URL (let's say -t http://localhost:5000/main), ZAP is scanning all the WRONG URLs and getting a 404 error (note that my API follows OpenAPI specification). How can I specify a list of URLs and the method (POST / PUT / GET / DELETE) using the scan hooks?

Thank you!!!

thc...@gmail.com

Jul 19, 2021, 4:17:47 AM
to zaprox...@googlegroups.com
Hi.

1. You can use env vars to set the authentication header:
https://www.zaproxy.org/docs/desktop/start/features/authentication/#envvars

2. Is the target running in the container? You need to use other address
than localhost, more details about the issue you are having would be
appreciated.

Best regards.

Yuvraj Chauhan

Jul 19, 2021, 6:34:42 AM
to OWASP ZAP User Group
Hi, 

1. Thank you - I will check setting Auth headers when running `docker run --rm --network host -v $(pwd):/zap/wrk/:rw owasp/zap2docker-stable zap-api-scan.py -t http://localhost:3000/app -f openapi -r report.html`

2. The target is running locally using `pipenv`, and as seen in the command above I am using Docker's `--network host` flag to connect to the running application I want to scan, and I can verify it works. The only thing is that I want to scan a specific LIST of URLs using the Dockerized ZAP service on the target app. Do you know how I can tell the Dockerized ZAP service to scan a specific LIST of URLs?

Thank you!

thc...@gmail.com

Jul 19, 2021, 7:20:45 AM
to zaprox...@googlegroups.com
You could use scan hooks to configure and scan a context (including just
the URLs you want), I think.
https://www.zaproxy.org/docs/docker/scan-hooks/

You could also use the Automation Framework, which should be more
straightforward to configure/use than the hooks.
https://www.zaproxy.org/docs/automate/automation-framework/

Best regards.
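A sketch of the scan-hook approach suggested above, written as an added example (not code from the thread or from the ZAP project): the `zap_started` hook fetches a token from a hypothetical login endpoint, adds the `Authorization: Bearer ...` header to every request through ZAP's replacer, and seeds only the METHOD/URL pairs listed in a constructed `/zap/wrk/urls.txt` via `zap.core.send_request`. The login URL, its JSON response field, the env var names and the file path are assumptions; the file is loaded with the `--hook` option of `zap-api-scan.py`.

```python
import json
import os
import urllib.parse
import urllib.request

# Assumptions (not from the thread): the login endpoint, its response field, and where the URL list lives.
LOGIN_URL = os.environ.get("LOGIN_URL", "http://localhost:3000/app/login")
URL_LIST_FILE = os.environ.get("URL_LIST_FILE", "/zap/wrk/urls.txt")

def fetch_token(login_url=LOGIN_URL):
    """POST credentials taken from env vars to the hypothetical login endpoint; return the bearer token."""
    creds = {"username": os.environ["SCAN_USER"], "password": os.environ["SCAN_PASS"]}
    req = urllib.request.Request(login_url, data=json.dumps(creds).encode(),
                                 headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["access_token"]  # assumed JSON field name

def bearer_rule(token):
    """Replacer rule arguments: REQ_HEADER with matchregex=False sets the named header on every request."""
    return {"description": "bearer-auth", "enabled": True, "matchtype": "REQ_HEADER",
            "matchregex": False, "matchstring": "Authorization",
            "replacement": "Bearer " + token, "initiators": None}

def parse_url_list(text):
    """Each line is 'METHOD URL'; blank lines and '#' comments are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            method, url = line.split(None, 1)
            entries.append((method.upper(), url.strip()))
    return entries

def raw_request(method, url):
    """Minimal HTTP/1.1 request for zap.core.send_request, so PUT/POST/DELETE entries are seeded too."""
    host = urllib.parse.urlsplit(url).netloc
    return f"{method} {url} HTTP/1.1\r\nHost: {host}\r\n\r\n"

def configure(zap, token, url_text):
    """Install the auth header first, then seed exactly the listed requests into ZAP's site tree."""
    zap.replacer.add_rule(**bearer_rule(token))
    seeded = [raw_request(m, u) for m, u in parse_url_list(url_text)]
    for request in seeded:
        zap.core.send_request(request)
    return seeded

def zap_started(zap, target):
    """Scan-hook entry point called by zap-api-scan.py once ZAP is up (target is unused here)."""
    with open(URL_LIST_FILE) as fh:
        configure(zap, fetch_token(), fh.read())
```

Because the header is added by the replacer before any request is sent, the seeded requests and the active scan that follows both carry the token.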

Yuvraj Chauhan

Jul 20, 2021, 12:18:15 AM
to OWASP ZAP User Group
I still don't get how to scan a list of URLs from a Dockerized OWASP ZAP container. Do you mind sharing relevant screenshots of what could help? Thanks!