Header-based authentication in OWASP ZAP


I am trying to implement an OWASP ZAP scan, but I am unable to find a script for header authentication.

How do I add header authentication for a key/value pair, e.g. key = api-key, value = 123?

    docker run --rm -v $(Agent.ReleaseDirectory)/docker:/zap/wrk/:rw -t ictu/zap2docker-weekly zap-baseline.py \
      -t https://www.example.com/ProductDetails/v1/details?productId=123456 \
      -I -x governreport.xml \
      -r testreport.html \
      --hook=/zap/auth_hook.py \
      -z "auth.loginurl=https://www.example.com/ProductDetails/v1/details?productId=123456"

I am following this article:


There are 2 answers

mcook42

To add the header you want, you can include the following options in your -z string (inside the double quotes the parentheses need no shell escaping; only escape them if you pass the -config options unquoted):

    -z "-config replacer.full_list(0).description=auth1 \
        -config replacer.full_list(0).enabled=true \
        -config replacer.full_list(0).matchtype=REQ_HEADER \
        -config replacer.full_list(0).matchstr=Authorization \
        -config replacer.full_list(0).regex=false \
        -config replacer.full_list(0).replacement=123456789"

So your command would look something like this (zap-baseline.py keeps only the last -z it sees, so the replacer options go into the same -z string as the auth.loginurl option):

    docker run --rm -v $(Agent.ReleaseDirectory)/docker:/zap/wrk/:rw -t ictu/zap2docker-weekly zap-baseline.py \
      -t https://www.example.com/ProductDetails/v1/details?productId=123456 \
      -I -x governreport.xml \
      -r testreport.html \
      --hook=/zap/auth_hook.py \
      -z "auth.loginurl=https://www.example.com/ProductDetails/v1/details?productId=123456 \
          -config replacer.full_list(0).description=auth1 \
          -config replacer.full_list(0).enabled=true \
          -config replacer.full_list(0).matchtype=REQ_HEADER \
          -config replacer.full_list(0).matchstr=api-key \
          -config replacer.full_list(0).regex=false \
          -config replacer.full_list(0).replacement=123"

With this you will have the header api-key: 123 added to all of your requests.

Reference: https://www.zaproxy.org/blog/2017-06-19-scanning-apis-with-zap/

Neeraj Gulia

Another option, if you just need to set the authentication header, is to use the ZAP Authentication Env Vars.

Snippet from the link:
"If your app just needs one authentication token which you can generate outside of ZAP then you can use the ZAP Authentication environmental variables.

There are 3 of these env vars which are documented on the Desktop User Guide Authentication page and reproduced here for completeness:

  • ZAP_AUTH_HEADER_VALUE - if this is defined then its value will be added as a header to all of the requests
  • ZAP_AUTH_HEADER - if this is defined then its value will be used as the header name - if it is not defined then the standard Authorization header will be used
  • ZAP_AUTH_HEADER_SITE - if this is defined then the header will only be included in sites whose name includes its value.

The env vars are standard operating system env vars so how you will need to set them will depend on your OS and possibly your shell. They need to be set before you start ZAP, they cannot be set once ZAP is already running."
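The two routes above, as an added example that is not code from the question, the answers, or the ZAP or ICTU projects. It builds the Replacer -config options from mcook42's answer and the ZAP_AUTH_HEADER* docker flags from Neeraj Gulia's answer, with the secret read from an API_KEY environment variable instead of being typed into the command. API_KEY, WORK_DIR, RUN_ZAP and the helper function names are this example's own assumptions; the target URL, image and report names come from the question; the ICTU login hook (--hook, auth.loginurl) is left out because a static header needs no login flow. It also assumes zap-baseline.py splits the -z string on whitespace before passing it to ZAP, which is why the replacer helper refuses values containing spaces.

```shell
#!/bin/sh
# Added example (not code from the question, the answers, or the ZAP/ICTU projects).
# Two ways to add an API-key header to every request of a zap-baseline.py run.
# Assumptions (not in the original page): the secret is in $API_KEY (e.g. a CI
# secret variable), the scan work directory is $WORK_DIR (default ./docker), and
# zap-baseline.py splits the -z string on whitespace before handing the pieces
# to ZAP, so a value containing a space cannot travel through -z.
set -eu

TARGET='https://www.example.com/ProductDetails/v1/details?productId=123456'
WORK_DIR=${WORK_DIR:-$PWD/docker}

# Route 1 (mcook42's answer): the Replacer add-on, configured with -config
# options inside the -z string. Inside the double-quoted -z string the
# parentheses need no shell escaping. Prints the options on stdout; fails if
# the value contains whitespace, which the whitespace split would mangle.
zap_replacer_opts() {
  idx=$1; name=$2; value=$3
  case $value in
    *[[:space:]]*)
      echo "zap_replacer_opts: value for $name contains whitespace; use the env-var route" >&2
      return 1 ;;
  esac
  p="replacer.full_list($idx)"
  printf '%s' "-config $p.description=auth$idx -config $p.enabled=true -config $p.matchtype=REQ_HEADER -config $p.matchstr=$name -config $p.regex=false -config $p.replacement=$value"
}

# Route 2 (Neeraj Gulia's answer): ZAP_AUTH_HEADER* environment variables.
# "-e ZAP_AUTH_HEADER_VALUE" with no "=value" makes docker copy the variable
# from its own environment, so the secret never appears on a command line
# (where ps output or a CI log would show it). ZAP_AUTH_HEADER_SITE restricts
# the header to hostnames containing the given string.
zap_auth_env_flags() {
  name=$1; site=${2:-}
  flags="-e ZAP_AUTH_HEADER=$name -e ZAP_AUTH_HEADER_VALUE"
  if [ -n "$site" ]; then
    flags="$flags -e ZAP_AUTH_HEADER_SITE=$site"
  fi
  printf '%s' "$flags"
}

run_baseline_replacer() {
  opts=$(zap_replacer_opts 0 api-key "$API_KEY") || return 1
  docker run --rm -v "$WORK_DIR:/zap/wrk/:rw" -t ictu/zap2docker-weekly \
    zap-baseline.py -t "$TARGET" -I -x governreport.xml -r testreport.html \
    -z "$opts"
}

run_baseline_envvar() {
  # The leading assignment puts the secret in docker's environment for this
  # one command only; $(...) is unquoted on purpose so the flags split.
  # shellcheck disable=SC2046
  ZAP_AUTH_HEADER_VALUE=$API_KEY docker run --rm $(zap_auth_env_flags api-key www.example.com) \
    -v "$WORK_DIR:/zap/wrk/:rw" -t ictu/zap2docker-weekly \
    zap-baseline.py -t "$TARGET" -I -x governreport.xml -r testreport.html
}

# Only start a scan when explicitly asked: RUN_ZAP=1 API_KEY=... ./scan.sh
if [ "${RUN_ZAP:-0}" = 1 ]; then
  : "${API_KEY:?set API_KEY to the secret header value}"
  run_baseline_envvar
fi
```

Prefer the env-var route when the header carries a real credential: with the replacer route the key sits in the docker run argument list and in ZAP's own command line inside the container, so anyone who can list processes on the agent can read it. ZAP_AUTH_HEADER_SITE also stops the key from being sent to any third-party host the scan happens to touch. Without RUN_ZAP=1 the script only defines the helpers, which is what the checks below exercise.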