
I am trying to do an Active Scan on the Swagger API (OpenAPI) definitions of an application using OWASP ZAP. Basically, I need to test the application's API endpoints using an automated tool (other than manually, of course), since testing a large API manually with different payloads would take a lot of time. I configured the ZAP context before doing an active scan, loaded the API definitions from a URL/file and then made sure the context had the correct user's credentials selected. I have tested a few web and mobile applications and ZAP works perfectly with them, but I noticed that if the application uses a custom kind of authentication instead of the usual HTTP header Authorization: Bearer <token>, ZAP wasn't able to authenticate even though the context and settings were correct. This results in ZAP just sending payloads to pages that need authentication, causing mostly HTTP 4xx errors and junk results. An example of such a header is CustomizedAppTokenHeader: <token>.

Does anyone have any idea if ZAP is capable of doing an Active Scan of an application that uses custom authentication headers for its authentication tokens? I was thinking this is the culprit for not having good ZAP scan results. For more info about authentication schemes, see https://developer.mozilla.org/en-US/docs/Web/HTTP/Authentication#Authentication_schemes.

Any info would be much appreciated, as I have been searching a lot about this issue. I badly need help on this.


1 Answer


You can set up an authentication script that authenticates, then grabs the auth token and sets it in the following requests.

For examples or inspiration I’d suggest checking out the community scripts repo: https://github.com/zaproxy/community-scripts

Here's a good example write-up that you can refer to as well (although it shows the use of Python scripting, the same can be accomplished with JavaScript): https://medium.com/faun/automating-authenticated-api-vulnerability-scanning-with-owasp-zap-eaddba0c2e94
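The approach the answer describes, as an added example that is not part of the original post, the community-scripts repo or the linked write-up: a ZAP "Authentication" script that logs in and stores the token in a ZAP global script variable, and an "HTTP Sender" script that replays it in the custom header on every request ZAP sends, including the active scanner's. The login endpoint (`POST` to a `loginUrl` parameter with a JSON username/password body), the JSON field name holding the token, and the host `api.example.com` are assumptions for illustration; adapt them to the application. In ZAP these are two separate scripts (one per script type); they are shown in one file so the shared helpers are visible. The hook functions use ZAP's Java classes and only run inside ZAP's script engine; `extractToken` and `shouldInjectToken` are plain JavaScript (ES5 on purpose, since older ZAP builds run Nashorn).

```javascript
// Added example (not from the original post or the ZAP project): a ZAP
// "Authentication" script and an "HTTP Sender" script that together log in,
// capture a token from the login response and replay it in a custom header.
//
// Assumptions (hypothetical, not stated in the post): login is
// POST <loginUrl> with JSON {"username":..,"password":..}, the token comes
// back in a top-level JSON field, and the API lives on api.example.com.

var TOKEN_VAR = "customAppToken";               // ZAP global script variable
var TOKEN_HEADER = "CustomizedAppTokenHeader";  // header the API expects
var TARGET_HOSTS = ["api.example.com"];         // only send the token here

// Pull the token out of a JSON login response. Returns null on any failure
// (non-JSON body, missing field, empty value) so a failed login clears the
// stored token instead of replaying garbage.
function extractToken(responseBody, field) {
  try {
    var value = JSON.parse(responseBody)[field];
    return (typeof value === "string" && value.length > 0) ? value : null;
  } catch (e) {
    return null;
  }
}

// Inject only when we hold a token, the request is not ZAP's own login
// request (authInitiator), and the host is the target API: a scan can reach
// redirect targets or third parties, and the token must not leak there.
function shouldInjectToken(initiator, authInitiator, host, token) {
  if (token === null || token === undefined || token === "") { return false; }
  if (initiator === authInitiator) { return false; }
  return TARGET_HOSTS.indexOf(host) !== -1;
}

// ---- Script type "Authentication": select it in the context's
// Authentication panel (Script-based Authentication) and fill in the params.

function getRequiredParamsNames() { return ["loginUrl", "tokenField"]; }
function getOptionalParamsNames() { return []; }
function getCredentialsParamsNames() { return ["username", "password"]; }

function authenticate(helper, paramsValues, credentials) {
  var HttpRequestHeader = Java.type("org.parosproxy.paros.network.HttpRequestHeader");
  var HttpHeader = Java.type("org.parosproxy.paros.network.HttpHeader");
  var URI = Java.type("org.apache.commons.httpclient.URI");
  var ScriptVars = Java.type("org.zaproxy.zap.extension.script.ScriptVars");

  var msg = helper.prepareMessage();
  msg.setRequestHeader(new HttpRequestHeader(HttpRequestHeader.POST,
      new URI(paramsValues.get("loginUrl"), false), HttpHeader.HTTP11));
  msg.getRequestHeader().setHeader(HttpHeader.CONTENT_TYPE, "application/json");
  msg.setRequestBody(JSON.stringify({
    username: credentials.getParam("username"),
    password: credentials.getParam("password")
  }));
  msg.getRequestHeader().setContentLength(msg.getRequestBody().length());
  helper.sendAndReceive(msg);

  var token = extractToken(msg.getResponseBody().toString(),
                           paramsValues.get("tokenField"));
  if (token === null) {
    print("Login failed: no '" + paramsValues.get("tokenField") + "' in response");
  }
  // setGlobalVar with null removes the variable, so a failed login does not
  // leave a stale token behind.
  ScriptVars.setGlobalVar(TOKEN_VAR, token);
  // ZAP checks this message against the context's Logged in/out indicators.
  return msg;
}

// ---- Script type "HTTP Sender": must be enabled in the Scripts tab; it
// runs for every request ZAP sends, including the active scanner's.

function sendingRequest(msg, initiator, helper) {
  var HttpSender = Java.type("org.parosproxy.paros.network.HttpSender");
  var ScriptVars = Java.type("org.zaproxy.zap.extension.script.ScriptVars");
  var token = ScriptVars.getGlobalVar(TOKEN_VAR);
  var host = msg.getRequestHeader().getHostName();
  if (shouldInjectToken(initiator, HttpSender.AUTHENTICATION_INITIATOR, host, token)) {
    msg.getRequestHeader().setHeader(TOKEN_HEADER, token);
  }
}

function responseReceived(msg, initiator, helper) {
  // Nothing to do on the way back; a new token is obtained by re-authenticating.
}
```

Two things still have to be configured in the context for this to produce useful scan results: a "Logged in" (or "Logged out") indicator regex, so ZAP can tell when the token has stopped working and call `authenticate` again, and the user must be selected for the scan (or Forced User Mode enabled). If the HTTP Sender script is not enabled, nothing is injected and you get exactly the 4xx-only results described in the question. Recent ZAP releases also offer a built-in header-based session management type that can replay a captured header without a script; check the documentation for your version.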