I'm using OWASP ZAP to scan an API, and I've successfully imported the OpenAPI definition. However, I'm struggling to configure the Authorization header (specifically for a JWT token) so that it is included in all requests sent by ZAP.

What I've Tried:
I added a Script-Based Authentication method and wrote a script to include the Authorization: Bearer header. I verified that the script is loaded correctly in the Scripts tab under the Authentication section. I configured the script in the Session Properties -> Authentication panel for the context.

Even after setting this up, the requests sent by ZAP do not include the Authorization header. I'm currently using the authentication default template to try to debug.


asked Nov 19, 2024 at 16:34 by Andre Luis; edited Nov 19, 2024 at 22:53 by Brian Tompsett - 汤莱恩

1 Answer

If you want to just include a specific header then use the Authentication Env Vars:

ZAP_AUTH_HEADER_VALUE - if this is defined then its value will be added as a header to all of the requests
ZAP_AUTH_HEADER - if this is defined then its value will be used as the header name - if it is not defined then the standard Authorization header will be used
ZAP_AUTH_HEADER_SITE - if this is defined then the header will only be included in sites whose name includes its value

For anything else start with the ZAP docs: https://www.zaproxy.org/docs/authentication/
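As an added example (not code from the original post or from the ZAP project), a shell wrapper that applies the three Authentication Env Vars from the answer to the packaged zap-api-scan.py run in Docker, reading the JWT from a file and scoping the header to the API host. The image name ghcr.io/zaproxy/zaproxy:stable and the token file, API host and OpenAPI URL arguments are assumptions supplied by the caller.

```shell
#!/bin/sh
# Added example, not code from the original post or from the ZAP project.
# Assumptions: the official image ghcr.io/zaproxy/zaproxy:stable with its
# packaged zap-api-scan.py; token file path, API host and OpenAPI URL are
# constructed values supplied by the caller.
set -eu

# A JWT is three dot-separated base64url segments. Rejecting anything else
# (a pasted "Bearer " prefix, a trailing newline, an empty file) before the
# scan starts avoids hundreds of requests carrying a header the API ignores.
is_jwt_shaped() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$'
}

# Export the three ZAP Authentication Env Vars from the answer. The token is
# read from a file rather than the command line so it does not appear in
# shell history or process listings; ZAP_AUTH_HEADER_SITE scopes the header
# to the API host so ZAP does not replay the bearer token to other sites
# it may reach while spidering.
zap_auth_env() {
  token_file=$1
  api_host=$2
  token=$(tr -d '\r\n' < "$token_file")
  if ! is_jwt_shaped "$token"; then
    echo "token in $token_file is not JWT-shaped; refusing to scan" >&2
    return 1
  fi
  export ZAP_AUTH_HEADER_VALUE="Bearer $token"
  export ZAP_AUTH_HEADER="Authorization"
  export ZAP_AUTH_HEADER_SITE="$api_host"
}

# Run the packaged API scan; `-e NAME` without a value copies the variable
# from the current environment into the container, so the token is never
# written into the docker command line.
run_zap_api_scan() {
  openapi_url=$1
  docker run --rm \
    -e ZAP_AUTH_HEADER_VALUE -e ZAP_AUTH_HEADER -e ZAP_AUTH_HEADER_SITE \
    ghcr.io/zaproxy/zaproxy:stable \
    zap-api-scan.py -t "$openapi_url" -f openapi
}

# Usage: ./zap-auth-scan.sh /path/to/token api.example.com https://api.example.com/openapi.json
if [ "$#" -eq 3 ]; then
  zap_auth_env "$1" "$2"
  run_zap_api_scan "$3"
fi
```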

Tags: security, How to Add Authorization Header for API Scanning in OWASP ZAP with OpenAPI, Stack Overflow