
I am trying to conduct an API scan using the Zap Docker image, but despite passing authentication configurations, authenticated endpoints return 404/403 errors. Unauthenticated endpoints scan correctly. The issue pertains to ensuring authentication during the scan process. Both the OpenAPI definition and the configuration file are appropriately provided in the Docker image. However, it's unclear why authentication fails for specific endpoints.

I'm currently trying to conduct an API scan using the Zap (open-source tool) Docker image by passing the Swagger file of an API via the command prompt and generating a report. Here's the command I used:

docker run -v {pwd}:/zap/wrk/:rw -t owasp/zap2docker-weekly zap-api-scan.py -t openapi.json -f openapi -z "-config /zap/wrk/options.prop" -r report_html.html

In the ‘openapi.json’ file, I passed the OpenAPI definition of GitHub, and the ‘options.prop’ file contains:

-config replacer.full_list(0).description=AuthHeader
-config replacer.full_list(0).enabled=true
-config replacer.full_list(0).matchtype=REQ_HEADER
-config replacer.full_list(0).matchstr=Authorization
-config replacer.full_list(0).regex=false
-config replacer.full_list(0).replacement=Bearer MyToken

I've placed both the OpenAPI definition and the ‘options.prop’ file in one directory (referred to as ‘{pwd}’), which is then mounted in the Docker image.

The scan does generate a report as output, but I noticed that it's scanning requests that don't require authentication. For endpoints that do require authentication, the scan returns status codes of 404 and 403.

I also tried sending an individual endpoint that needed authentication using the below command, where users is your username in GitHub and repo_name is the private repository:

docker run --rm -v "%cd%":/zap/wrk/:rw -t ghcr.io/zaproxy/zaproxy:weekly zap-api-scan.py -t https://api.github.com/repos/users/repo_name/languages -f openapi -z "-configfile /zap/wrk/options.prop" -r report01.html

When using ZAP's Docker image to perform the scan, the report generated consists of 403 errors as shown below.

I also tested the endpoint and auth token in Postman to ensure they were working fine, and they were working as expected.

I'm struggling to figure out what's going wrong and how I can correct it to perform an authenticated API scan.

Not sure if ZAP is not picking up the auth token from the options.prop file, or GitHub has some restrictions on the endpoints. If GitHub does have some restrictions, is there any other API that I could use to carry out testing via ZAP's Docker image?

Any help or insights would be greatly appreciated!
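A check worth running on the options file before blaming the target API, added here as an example that is neither the asker's code nor part of ZAP: ZAP's `-config` switch takes a single `key=value` pair, while `-configfile` takes a path to a file of such pairs, one per line and without any `-config` prefix. The script below loads an options file the way a Java properties reader would (an assumption about ZAP's parser, simplified: no `\uXXXX` escapes or line continuations) and reports whether an enabled `replacer.full_list(N)` rule for the `Authorization` header actually survives parsing. The two inputs are constructed: the first copies the file from the question, the second is the same rule with bare keys and a placeholder token.

```python
"""Sanity-check a ZAP options file before passing it with -z "-configfile ...".

Added example, not the asker's or ZAP's code.  Assumption: ZAP reads the file with
java.util.Properties semantics, where a key ends at the first unescaped '=', ':' or
whitespace, so a line like '-config a.b=c' becomes key '-config' with value 'a.b=c'.
"""
from typing import Dict, List

# Fields every replacer rule needs (names taken from the question's options.prop).
RULE_FIELDS = ("description", "enabled", "matchtype", "matchstr", "regex", "replacement")


def _unescape(s: str) -> str:
    """Drop the backslash from simple escapes such as '\\ ', '\\=', '\\:' and '\\\\'."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_properties(text: str) -> Dict[str, str]:
    """Simplified java.util.Properties parser (no \\uXXXX escapes, no line continuations)."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.lstrip()
        if not line or line[0] in "#!":
            continue                      # blank line or comment
        i = 0
        while i < len(line):
            if line[i] == "\\":
                i += 2                    # escaped character stays part of the key
                continue
            if line[i] in "=: \t":
                break                     # first unescaped separator ends the key
            i += 1
        key = _unescape(line[:i])
        rest = line[i:].lstrip(" \t")
        if rest[:1] in ("=", ":"):
            rest = rest[1:].lstrip(" \t")
        props[key] = _unescape(rest)      # later duplicates overwrite earlier ones, as in Java
    return props


def replacer_rules(props: Dict[str, str]) -> Dict[int, Dict[str, str]]:
    """Group replacer.full_list(N).<field> entries by rule index N."""
    rules: Dict[int, Dict[str, str]] = {}
    prefix = "replacer.full_list("
    for key, value in props.items():
        if key.startswith(prefix) and ")." in key:
            idx, field = key[len(prefix):].split(").", 1)
            if idx.isdigit():
                rules.setdefault(int(idx), {})[field] = value
    return rules


def check_auth_rule(text: str) -> List[str]:
    """Return the problems found; an empty list means an enabled Authorization-header rule exists."""
    problems: List[str] = []
    props = parse_properties(text)
    if "-config" in props:
        problems.append("lines carry a '-config' prefix: -configfile wants bare key=value lines, "
                        "so they all collapse into a single key named '-config'")
    auth_rules = [r for r in replacer_rules(props).values()
                  if r.get("matchstr", "").lower() == "authorization"]
    if not auth_rules:
        problems.append("no replacer rule targets the Authorization header")
        return problems
    for rule in auth_rules:
        missing = [f for f in RULE_FIELDS if f not in rule]
        if missing:
            problems.append("rule is missing fields: " + ", ".join(missing))
        if rule.get("enabled", "").lower() != "true":
            problems.append("rule is not enabled")
        if rule.get("matchtype") != "REQ_HEADER":
            problems.append("matchtype must be REQ_HEADER to inject a request header")
        if not rule.get("replacement", "").startswith("Bearer "):
            problems.append("replacement does not look like 'Bearer <token>'")
    return problems


# Constructed inputs: the file as posted in the question, and the same rule with bare keys.
AS_POSTED = """\
-config replacer.full_list(0).description=AuthHeader
-config replacer.full_list(0).enabled=true
-config replacer.full_list(0).matchtype=REQ_HEADER
-config replacer.full_list(0).matchstr=Authorization
-config replacer.full_list(0).regex=false
-config replacer.full_list(0).replacement=Bearer MyToken
"""

BARE_KEYS = """\
# options.prop: one key=value per line, no -config prefix
replacer.full_list(0).description=AuthHeader
replacer.full_list(0).enabled=true
replacer.full_list(0).matchtype=REQ_HEADER
replacer.full_list(0).matchstr=Authorization
replacer.full_list(0).regex=false
replacer.full_list(0).replacement=Bearer PLACEHOLDER_TOKEN
"""

if __name__ == "__main__":
    for name, text in (("as posted", AS_POSTED), ("bare keys", BARE_KEYS)):
        print(name, "->", check_auth_rule(text) or "ok")
```

Run it against the real options.prop (read the file into `check_auth_rule`) before each scan; an empty result means the header rule is at least well-formed, which separates a file-format problem from a token or target-side (403/404) problem. If the rule parses cleanly and the scan still gets 403s, the token itself, its scopes, or the target's own restrictions are the next things to look at.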

1 Answer


Have you checked out the ZAP Authentication Decision Tree? https://www.zaproxy.org/docs/authentication/

If not, start there. It should allow you to work out the best option for you. If you still have problems then the ZAP User Group is the best place to ask for more detailed help.
