Hi guys,
Ran into a small roadblock. Any help would be appreciated.
1. What I am trying to achieve:
I have a web application that uses Okta for sign in.
Once a user enters their Okta creds, Okta generates a session token which is sent to my application, which responds with the application session token in the response body.
I want to extract this token and ask ZAP to use this to run authenticated scans.
Now this session token needs to be sent as a request header.
2. What I currently have:
I wrote an ECMA script to replicate the Okta login flow. This ECMA script is being used as an Authentication script for my context.
I am able to make a call to the application with the Okta token and I get a valid application session token in the response body.
So now I have the session token that ZAP needs to send (as auth header) to run authenticated scans.
3. Roadblock:
Now I am stuck because I don't know how I need to ask ZAP to use that session token to run authenticated scans.
Do I need to configure it in the context?
How do I pass the token from my ECMA script to the context? Like, what needs to be returned?
Any follow-up questions are welcome.