
I am trying to implement an OWASP ZAP scan, but I am unable to find a script for header authentication.

How do I add header authentication for a key-value pair, e.g. key = `api-key`, value = `123`?

    docker run --rm -v $(Agent.ReleaseDirectory)/docker:/zap/wrk/:rw -t ictu/zap2docker-weekly zap-baseline.py \
      -t https://www.example.com/ProductDetails/v1/details?productId=123456 \
      -I -x governreport.xml \
      -r testreport.html \
      --hook=/zap/auth_hook.py \
      -z "auth.loginurl=https://www.example.com/ProductDetails/v1/details?productId=123456"

I am following this article:

kingthorin
Vakar
  • Not familiar with Azure DevOps but I use the [`owasp/zap2docker-stable`](https://hub.docker.com/r/owasp/zap2docker-stable/) images in my pipelines. The headers being set correctly really depends on what the application requires (i.e. I use [`keycloak`](https://www.keycloak.org/) which expects form based authentication to obtain the token) and how that's handled in the [hook](https://www.zaproxy.org/docs/docker/scan-hooks/) (I'm using a custom `zap_started` hook). – masseyb Sep 29 '20 at 12:53
  • Haven't got your latest information yet; is masseyb's suggestion helpful for you? Or if you have any concern, feel free to share it here. – Walter Oct 07 '20 at 09:10
  • @WalterQian-MSFT yes, I am still struggling to find a solution – Vakar Nov 04 '20 at 08:33

2 Answers

To add the header you want, you can include the following options in your `-z` string:

    -config replacer.full_list\\(0\\).description=auth1 \
    -config replacer.full_list\\(0\\).enabled=true \
    -config replacer.full_list\\(0\\).matchtype=REQ_HEADER \
    -config replacer.full_list\\(0\\).matchstr=Authorization \
    -config replacer.full_list\\(0\\).regex=false \
    -config replacer.full_list\\(0\\).replacement=123456789

So your command would look something like this (the `-config` options sit inside the quoted `-z` value, where the shell turns `\\(0\\)` into the `\(0\)` form ZAP expects):

    docker run --rm -v $(Agent.ReleaseDirectory)/docker:/zap/wrk/:rw -t ictu/zap2docker-weekly zap-baseline.py \
      -t https://www.example.com/ProductDetails/v1/details?productId=123456 \
      -I -x governreport.xml \
      -r testreport.html \
      --hook=/zap/auth_hook.py \
      -z "auth.loginurl=https://www.example.com/ProductDetails/v1/details?productId=123456 \
          -config replacer.full_list\\(0\\).description=auth1 \
          -config replacer.full_list\\(0\\).enabled=true \
          -config replacer.full_list\\(0\\).matchtype=REQ_HEADER \
          -config replacer.full_list\\(0\\).matchstr=api-key \
          -config replacer.full_list\\(0\\).regex=false \
          -config replacer.full_list\\(0\\).replacement=123"

With this you will have the header `api-key: 123` added to all of your requests.

Reference: https://www.zaproxy.org/blog/2017-06-19-scanning-apis-with-zap/

mcook42

Another option, if you just need to set the authentication header, is to use the Authentication Env Vars.

Snippet from the link:
"If your app just needs one authentication token which you can generate outside of ZAP then you can use the ZAP Authentication environmental variables.

There are 3 of these env vars which are documented on the Desktop User Guide Authentication page and reproduced here for completeness:

  • ZAP_AUTH_HEADER_VALUE - if this is defined then its value will be added as a header to all of the requests
  • ZAP_AUTH_HEADER - if this is defined then its value will be used as the header name - if it is not defined then the standard Authorization header will be used
  • ZAP_AUTH_HEADER_SITE - if this is defined then the header will only be included in sites whose name includes its value.

The env vars are standard operating system env vars so how you will need to set them will depend on your OS and possibly your shell. They need to be set before you start ZAP, they cannot be set once ZAP is already running."

Neeraj Gulia
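Putting the two answers together as an added shell example (not code from the question, the answers or the ZAP project): it assembles the Replacer `-config` rules for one or more headers with the escaping that `zap-baseline.py`'s `-z` string needs, and the `docker run -e` form of the `ZAP_AUTH_HEADER*` variables. Header names and values other than `api-key: 123` are constructed samples.

```shell
#!/bin/sh
# Added example, not code from the question or either answer. It builds the two
# header-injection options discussed above for zap-baseline.py:
#   1. Replacer rules passed through -z (each header gets its own list index)
#   2. The ZAP_AUTH_HEADER* environment variables, passed with docker run -e
# The X-Tenant header and the "acme" value below are constructed samples.

# One Replacer rule for a static request header.
#   $1 = list index (0, 1, ...), $2 = header name, $3 = header value
# Inside double quotes "\\(" becomes "\(", the escaped index form that ZAP's
# -config parser expects (replacer.full_list\(0\).description=...).
zap_header_rule() {
  key="replacer.full_list\\($1\\)"
  printf '%s' \
    "-config ${key}.description=hdr$1 " \
    "-config ${key}.enabled=true " \
    "-config ${key}.matchtype=REQ_HEADER " \
    "-config ${key}.matchstr=$2 " \
    "-config ${key}.regex=false " \
    "-config ${key}.replacement=$3"
}

# Join several NAME=VALUE pairs into one -z string, giving each rule its own
# index so no rule overwrites another. Keep values free of whitespace: the -z
# string is broken up into separate ZAP arguments before ZAP sees it.
zap_header_rules() {
  i=0; out=""
  for pair in "$@"; do
    rule="$(zap_header_rule "$i" "${pair%%=*}" "${pair#*=}")"
    out="${out:+$out }$rule"
    i=$((i + 1))
  done
  printf '%s' "$out"
}

# Alternative from the second answer: env vars, which docker run -e sets before
# ZAP starts. $1 = header name, $2 = header value, $3 = optional site filter
zap_env_args() {
  printf '%s' "-e ZAP_AUTH_HEADER=$1 -e ZAP_AUTH_HEADER_VALUE=$2"
  [ -n "${3:-}" ] && printf '%s' " -e ZAP_AUTH_HEADER_SITE=$3"
  return 0
}

# Sample invocations: the api-key header from the question plus a second header.
zopts="$(zap_header_rules api-key=123 X-Tenant=acme)"
echo "docker run --rm -t ictu/zap2docker-weekly zap-baseline.py -t https://www.example.com/ -z \"$zopts\""
echo "docker run --rm $(zap_env_args api-key 123 www.example.com) -t ictu/zap2docker-weekly zap-baseline.py -t https://www.example.com/"
```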