
I want to use ZAP to scan a REST API endpoint which requires an Authentication header.

To specify the header I have to right-click the request in the History tab and add the header; however, the request without the header doesn't even get logged in the History tab. How do I specify the request header?


vishesh
  • Possible duplicate of [Adding authentication in ZAP tool to attack a URL](https://stackoverflow.com/questions/31516420/adding-authentication-in-zap-tool-to-attack-a-url) – Abhijeet Nov 22 '18 at 07:08

2 Answers


You might like to look at this blog post: https://zaproxy.blogspot.com/2017/06/scanning-apis-with-zap.html

Basically, you can specify new headers via config parameters, e.g.:

  -config replacer.full_list\(0\).description=auth1 \
  -config replacer.full_list\(0\).enabled=true \
  -config replacer.full_list\(0\).matchtype=REQ_HEADER \
  -config replacer.full_list\(0\).matchstr=Authorization \
  -config replacer.full_list\(0\).regex=false \
  -config replacer.full_list\(0\).replacement=123456789 \
  -config replacer.full_list\(1\).description=auth2 \
  -config replacer.full_list\(1\).enabled=true \
  -config replacer.full_list\(1\).matchtype=REQ_HEADER \
  -config replacer.full_list\(1\).matchstr=AnotherHeader \
  -config replacer.full_list\(1\).regex=false \
  -config replacer.full_list\(1\).replacement=abcdefghi

will cause the following headers to be added to every request ZAP makes:

  Authorization: 123456789
  AnotherHeader: abcdefghi

You can specify as many headers as you need to by using incrementing indexes.

Simon Bennetts
  • Can you post the command you're using? Have you mounted the directory the config file is in as per https://github.com/zaproxy/zaproxy/wiki/Docker#zap-baseline-scan ? – Simon Bennetts Mar 29 '18 at 13:44
  • Sorry, I deleted my question occasionally. My error was not using the -z " " option – Alex Mar 29 '18 at 13:48
  • I cannot find a way to set header parameters in the ZAP GUI. I tried to find it in the History tab, as mentioned above in the question, but without success. Could you advise how to set header parameters in the GUI? – Alex Mar 29 '18 at 13:55
  • In the GUI you use Options / Replacer - see https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsReplacerReplacer for more details – Simon Bennetts Mar 31 '18 at 09:16
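Added example, not part of the answer above and not a script shipped with ZAP: a small POSIX shell helper that builds the Replacer rules described in the answer from a list of `Header: value` pairs, assigning the incrementing `replacer.full_list(N)` indexes automatically, and joins them into the single string that `zap-baseline.py` takes after `-z` (the option mentioned in the comments). The function names `cfg`, `zap_replacer_args` and `zap_baseline_z`, the `hdrN` descriptions and the sample header values are constructed for this example; the warning about values containing spaces assumes that `zap-baseline.py` splits the `-z` string on spaces before passing the pieces to ZAP.

```shell
#!/bin/sh
# Added example, not from the original answer or from ZAP's own scripts.
# Generates one Replacer rule per "Header: value" argument, using the
# incrementing replacer.full_list(N) indexes the answer describes.
# Function names, the "hdrN" descriptions and the sample header values
# are constructed for this example.

# Emit one "-config key=value" argument per line.
cfg() { printf '%s\n' "-config $1"; }

# zap_replacer_args MODE "Header: value" ...
#   MODE=escaped -> parentheses backslashed, for typing straight into a
#                   shell after zap.sh (the form shown in the answer)
#   MODE=bare    -> plain parentheses, for the quoted -z string of zap-baseline.py
zap_replacer_args() {
    mode=$1; shift
    i=0
    for hdr in "$@"; do
        case $hdr in
            *:*) ;;
            *) printf 'not a "Name: value" header: %s\n' "$hdr" >&2; return 1 ;;
        esac
        name=${hdr%%:*}      # text before the first colon
        value=${hdr#*:}      # text after the first colon ...
        value=${value# }     # ... minus one leading space
        if [ "$mode" = escaped ]; then
            key="replacer.full_list\\($i\\)"
        else
            key="replacer.full_list($i)"
            # Assumption: zap-baseline.py splits the -z string on spaces, so a
            # value such as "Bearer <token>" cannot be passed in bare mode.
            case $value in
                *' '*) printf 'warning: value of %s contains a space; use escaped mode with zap.sh\n' "$name" >&2 ;;
            esac
        fi
        cfg "$key.description=hdr$i"
        cfg "$key.enabled=true"
        cfg "$key.matchtype=REQ_HEADER"
        cfg "$key.matchstr=$name"
        cfg "$key.regex=false"
        cfg "$key.replacement=$value"
        i=$((i + 1))
    done
}

# Join the bare rules into the single string zap-baseline.py expects after -z.
zap_baseline_z() {
    zap_replacer_args bare "$@" | paste -sd ' ' -
}

# Sample run with two constructed headers (same values as in the answer):
zap_baseline_z "Authorization: 123456789" "AnotherHeader: abcdefghi"
# Resulting invocation (not executed here; target host is made up):
#   zap-baseline.py -t https://api.example.test/ -z "$(zap_baseline_z "Authorization: $TOKEN")"
```

Two things to keep in mind when using this: the token ends up in ZAP's command line, so it is visible in `ps` output and in your shell history unless you read it from an environment variable or a file, and, as the answer says, the rule is applied to every request ZAP makes, so keep the scan scoped to the API host so the credential is not replayed to anything else ZAP happens to talk to.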

Step 1: Open/Resend with Request Editor.

Step 2: Edit the request and replay the request.

Abhijeet