Zed Attack Proxy automated scanning of WebApi with OAuth

About

Asked 5/7, 2017 at 15:35 Answered 5/7, 2017 at 15:47

I have configured ZAP 2.6 so that it is acting as a proxy for requests from an Android app to a web service over HTTPS. The authentication mechanism is OAuth 2, and so in my login response I get an access token which is then sent in all subsequent request headers as follows

Authorization: Bearer my_long_and_encoded_access_token

Is it possible to get ZAP to recognise this token and use it in tests initiated from the ZAP UI?

I have looked at Automate OAuth access token for Zed Attack Proxy Scans but don't believe this covers my situation.

Thanks.

Strunk answered 5/7, 2017 at 15:35 Comment(0)

Yes, you can create a script which extracts this token and then uses it in future requests. If you need help with such a script then asking on the ZAP User Group might be a better option than asking here ;)

Milka answered 5/7, 2017 at 15:47 Comment(3)

Thanks Simon. I knew you were active here and hoped you would answer. Are there plans to support request header tokens it out of the box in the future in the same way that session cookies are? All the videos I can find use a session cookie followed by spidering or fuzzing to show the simplicity of using ZAP. BTW excellent tool, and hats off to you for making it available. – Strunk 6/7, 2017 at 8:0

What sort of support would you like? You can already override any headers you like - see the 'Authentication' section of zaproxy.blogspot.com/2017/06/scanning-apis-with-zap.html – Milka 7/7, 2017 at 8:41

H Simon. I hadn't seen this, but probably would have skipped it as it seems to refer to refer to using the command line, and setting hard coded values. I have posted a question groups.google.com/forum/#!topic/zaproxy-users/pQm1FlCcNMI as suggested, and have since made some progress. I'll mark this question as answered, as I found better resources in the ZAP User Group as you suggested. To answer your question I guess I was looking for a Context Authentication option, but having started scripting I can see that it maybe more complex than a dialog with a few fields would allow for. – Strunk 7/7, 2017 at 11:41

Hot tags

Godot Unity Godot Help Programming Godot 4.X GUI GDScript 3D 2D Physics CSharp Godot 3.X VR XR Projects C++

Recommended topics

Hot tags