
I have this curl to call an api:

curl -X POST -u user:password /to/the/end/point

And if I get the request with ZAP proxy I can send this and do an active attack, but I am trying to do this calling the Python API. I can't authenticate using basic authorization (base64 or user:password). I am trying to create a context with the GUI, export it and use it with zap-api-scan.py, but it doesn't work.

I have already read these posts:

https://zaproxy.blogspot.com/2017/06/scanning-apis-with-zap.html

Basic Authorization in OWASP ZAP

https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsAuthentication#httpntlm-authentication

But I have not found the solution.

Please can you help me?

Thanks.

Have you set it up in the GUI to start with? I just knocked together basic auth with xampp like this: chandanpatra.blogspot.com/2013/08/… and then configured "HTTP/NTLM Authentication" in a ZAP context and created a user under the context's "Users" panel.... worked fine: Spider, Active Scan, whatever... Also note when ZAP is running you can access the API via a browser to figure out what calls you might need to make and what params they take. (kingthorin)

Yes, I have tried, but I think I am not selecting the correct options. In Authentication I select HTTP/NTLM Authentication, but I do not know what to put in the fields. (Pan conPan)

Define your context (by setting the include-in-context regex(es)). Set up authentication in the Authentication panel: select "HTTP/NTLM Authentication" and enter the hostname and port (for the host which will require authentication.... localhost 80 or www.example.org 443 or whatever). Go to the Users panel and create a user (name it whatever you like, enter the username and password used for basic auth). (kingthorin)

OK!! I have a context that works in the GUI, but when I export it and use it with zap-api-scan.py in Docker it doesn't work: ./zap-api-scan.py -t target/to/end/point -f openapi -n /file/context (Pan conPan)

Could you be more specific than "doesn't work"? Is there an error? Does it fail to import? Etc. (kingthorin)
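The same three steps kingthorin lists for the GUI (include regex, HTTP/NTLM authentication for a host and port, one user with the basic-auth credentials) can be driven through the ZAP Python client instead of importing an exported context. This is an added example, not code from the question or from the ZAP project; the method name "httpAuthentication" and the hostname/port/realm and username/password parameter strings are the ones ZAP documents for that authentication method, while the context name, regex, host and credentials are constructed sample values, and RecordingZap is a constructed offline stand-in for zapv2.ZAPv2 so the flow can be run without a ZAP instance.

```python
from urllib.parse import urlencode


def configure_basic_auth_context(zap, context_name, include_regex,
                                 hostname, port, username, password):
    """Create a context with an include regex, attach HTTP/NTLM
    authentication (ZAP API name: httpAuthentication) for hostname:port,
    and add one enabled user holding the basic-auth credentials.
    Returns (context_id, user_id) for spider.scan_as_user / ascan.scan_as_user."""
    context_id = zap.context.new_context(context_name)
    zap.context.include_in_context(context_name, include_regex)
    # ZAP takes method and credential settings as one URL-encoded string;
    # urlencode() keeps '@', spaces and '&' in passwords from breaking it.
    auth_params = urlencode({"hostname": hostname, "port": port, "realm": ""})
    zap.authentication.set_authentication_method(
        context_id, "httpAuthentication", auth_params)
    user_id = zap.users.new_user(context_id, username)
    creds = urlencode({"username": username, "password": password})
    zap.users.set_authentication_credentials(context_id, user_id, creds)
    zap.users.set_user_enabled(context_id, user_id, "true")
    return context_id, user_id


class RecordingZap:
    """Constructed offline stand-in for zapv2.ZAPv2: records each API call
    as ('component.method', args) instead of talking to a running ZAP."""
    def __init__(self, calls=None, prefix=""):
        self.calls = [] if calls is None else calls
        self._prefix = prefix

    def __getattr__(self, name):
        if self._prefix:
            def call(*args):
                self.calls.append((f"{self._prefix}.{name}", args))
                return "1"  # stand-in for the id strings ZAP returns
            return call
        return RecordingZap(self.calls, name)


def recorded_setup():
    """Run the configuration against the recorder and return the call log."""
    zap = RecordingZap()
    configure_basic_auth_context(zap, "api", r"https://api.example.org/.*",
                                 "api.example.org", 443, "user", "p@ss word")
    return zap.calls


if __name__ == "__main__":
    for name, args in recorded_setup():
        print(name, args)
```

Against a real instance, replace RecordingZap with ZAPv2(apikey=..., proxies=...) and pass the returned ids to spider.scan_as_user and ascan.scan_as_user so the scan runs with the configured user.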

1 Answer


I have this, but it doesn't work; it doesn't import the context:

#!/usr/bin/env python
import time

from zapv2 import ZAPv2

target = 'https://target/to/api'

# Point the client at the ZAP API/proxy port (8888 here)
zap = ZAPv2(proxies={'http': 'http://127.0.0.1:8888', 'https': 'http://127.0.0.1:8888'})

# Import the context exported from the GUI (path as seen by the machine running ZAP)
zap.context.import_context("/file/context")

print('Accessing target %s' % target)
zap.urlopen(target)
time.sleep(2)

print('Spidering target %s' % target)
scanid = zap.spider.scan(target)
# Poll the spider status instead of sleeping for a fixed time
while int(zap.spider.status(scanid)) < 100:
    time.sleep(2)
print('Spider completed')

print('Scanning target %s' % target)
scanid = zap.ascan.scan(target)
# The active scan takes longer; poll until it reports 100%
while int(zap.ascan.status(scanid)) < 100:
    time.sleep(5)
print('Scan completed')