Add Authorization Header


Bill Butler

Sep 17, 2015, 2:48:15 PM9/17/15
to OWASP ZAP User Group
All,

We use a JWT to prove a user is authenticated. As such, I'd like to add this header to ALL scans for a given site. I've attempted several script and template methods. Honestly, I just thought I'd find a place to paste it into, but it's more in depth than that, and I really can't find a tutorial or help area that explains the process. Here is a screen shot of what I've put in place with a Zest Template, but it's not working. I truncated the Authorization token in the image.

So to sum up, what I need to do is pretty straightforward. I need to send an additional header with every request for every type of scan for a particular server. The header needs to look like this:

"Authorization" : "Bearer oijofewijfoeifoweij"

Bill Butler

Sep 17, 2015, 3:12:43 PM9/17/15
to OWASP ZAP User Group

Michael Courcy

Sep 17, 2015, 5:28:43 PM9/17/15
to OWASP ZAP User Group
Hi,

Use an HttpSender script this way, in JS (sorry, but I feel more comfortable with JS than Zest):

// compatibility between the Nashorn and Rhino script engines: Rhino exposes
// println(), Nashorn only print(); define println() when it is missing so the
// debug lines below work on both
if (typeof println === 'undefined') {
    var println = function (str) { print(str); };
}

// called for every request ZAP sends, whichever component (proxy, spider,
// active scanner, ...) initiated it
function sendingRequest(msg, initiator, helper) {
    // add the extra header; for the Authorization case use
    // "Authorization" and "Bearer <token>" as name and value
    msg.getRequestHeader().setHeader("myHeaderName", "myHeaderValue");
    println(msg.getRequestHeader().toString());
}

function responseReceived(msg, initiator, helper) {
    // Debugging can be done using println like this
    println('responseReceived called for url=' + msg.getRequestHeader().getURI().toString());
}

This script, in my test, produces the following output:

GET http://172.17.0.3/ HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.6.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3
Cookie: Drupal.toolbar.collapsed=0; has_js=1
Connection: keep-alive
Cache-Control: max-age=0
Host: 172.17.0.3
Content-Length: 0
myHeaderName: myHeaderValue


responseReceived called for url=http://172.17.0.3/

cheers



--
Michael Courcy
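As an added example, not code from the original posts nor from the ZAP project: the same HttpSender approach, but sending the Authorization: Bearer header from the question only to the host under test, plus a check for a rejected token. TARGET_HOSTS, BEARER_TOKEN and the fakeMessage() stand-in at the bottom are assumptions made so the script can be exercised offline with node; inside ZAP the real msg, initiator and helper objects are supplied by ZAP itself.

```javascript
// Added example for this thread (not code from the original posts or from the
// ZAP project): an HttpSender script that adds "Authorization: Bearer <JWT>"
// only to requests bound for the application under test. TARGET_HOSTS,
// BEARER_TOKEN and the fakeMessage() stand-in below are assumptions made so the
// script can be exercised offline with node; inside ZAP the real msg, initiator
// and helper objects are supplied by ZAP.

// Assumed values: the host(s) of the site being scanned and the JWT to send.
var TARGET_HOSTS = ["app.example.test"];
var BEARER_TOKEN = "eyJhbGciOiJIUzI1NiJ9.e30.constructed-placeholder"; // constructed, not a real token

// print() exists in ZAP's script engines (Rhino/Nashorn); console.log in node.
var log = (typeof print === "function") ? print : function (s) { console.log(s); };

// True when the request is addressed to one of TARGET_HOSTS (case-insensitive,
// exact match: "app.example.test.evil.example" must not qualify).
function isTargetHost(msg) {
  var host = msg.getRequestHeader().getURI().getHost();
  if (!host) {
    return false;
  }
  host = String(host).toLowerCase();
  for (var i = 0; i < TARGET_HOSTS.length; i++) {
    if (TARGET_HOSTS[i].toLowerCase() === host) {
      return true;
    }
  }
  return false;
}

// Called by ZAP for every request, whatever component (proxy, spider, active
// scanner, ...) initiates it; initiator is ignored because the header is wanted
// on every kind of scan. Returns true when the header was added.
function sendingRequest(msg, initiator, helper) {
  if (!isTargetHost(msg)) {
    // The spider and scanner follow links off-site; never send the token there.
    return false;
  }
  msg.getRequestHeader().setHeader("Authorization", "Bearer " + BEARER_TOKEN);
  return true;
}

// A 401 from the target host means the JWT is no longer accepted (expired or
// revoked); flag it so the scan does not silently continue unauthenticated.
function responseReceived(msg, initiator, helper) {
  if (isTargetHost(msg) && msg.getResponseHeader().getStatusCode() === 401) {
    log("Bearer token rejected for " + msg.getRequestHeader().getURI().toString());
    return true;
  }
  return false;
}

// --- Constructed stand-in for the parts of ZAP's HttpMessage the script uses ---
// Not ZAP's API; only here so selfTest() can run outside ZAP.
function fakeMessage(url, statusCode) {
  var m = /^https?:\/\/([^\/:]+)/.exec(url);
  var host = m ? m[1] : null;
  var headers = {};
  var requestHeader = {
    getURI: function () {
      return { getHost: function () { return host; }, toString: function () { return url; } };
    },
    setHeader: function (name, value) { headers[name] = value; },
    getHeader: function (name) { return headers.hasOwnProperty(name) ? headers[name] : null; }
  };
  var responseHeader = { getStatusCode: function () { return statusCode; } };
  return {
    getRequestHeader: function () { return requestHeader; },
    getResponseHeader: function () { return responseHeader; }
  };
}

// Exercise the script against constructed messages; returns what each call did.
function selfTest() {
  var inScope = fakeMessage("https://app.example.test/api/me", 200);
  var offSite = fakeMessage("https://cdn.example.net/lib.js", 200);
  var rejected = fakeMessage("https://APP.example.test/api/me", 401);
  return {
    inScopeAdded: sendingRequest(inScope, 1, null),
    inScopeHeader: inScope.getRequestHeader().getHeader("Authorization"),
    offSiteAdded: sendingRequest(offSite, 1, null),
    offSiteHeader: offSite.getRequestHeader().getHeader("Authorization"),
    rejectedFlagged: responseReceived(rejected, 1, null)
  };
}
```

To use it in ZAP, drop everything from the fakeMessage() comment down, load the file as an HttpSender script and enable it (new HttpSender scripts start disabled). Off-site requests get no Authorization header at all, which matters because the spider and active scanner follow links to hosts you do not control. A JWT with a short expiry will stop being accepted part way through a long scan, which is what the 401 check in responseReceived is there to surface.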

Bill Butler

Sep 18, 2015, 10:34:07 AM9/18/15
to OWASP ZAP User Group
Thanks for the response. That worked like a charm.

