I am trying to authenticate to my API to perform some passive/active scan using OWASP ZAP.
I don't have any Swagger or OpenAPI specification, but I have some HTTP tests (Javascript) that might help. However, I can not figure out to authenticate to my API with ZAP.
Ideally I would like to automate the scan given some specs (in whatever format ZAP understands, but not automatic tools like OpenAPI Swagger), a URL entry-point and username/password, but I am stuck with more fundamental steps like the authentication.
I've been following this guide: https://www.zaproxy.org/docs/desktop/ui/dialogs/session/context-auth/
I added a username/password pair in Session > Contexts > Default Context > Users:
I then provided the details about the authentication API endpoint in Sessio > Context > Default Context > Authentication:
I made sure the button is pushed for "Forced User Mode enabled" (see the red circle in the previous screenshot on the "user details".
Then I right clicked on my "Default Context" (I created this with this name, nothing to do with ZAP terminology, it's just a ZAP Context) and clicked on "Active Scan".
Then I clicked on the button "Start Scan" from the pop-up window after the right click.
Then nothing happens. I don't see anything moving or logging or blinking.
- How do I authenticate to my API with OWASP ZAP?
- How do I reuse the JWT token to be used in other HTTP requests as an header?
- Is there a way I could mime what I do in the HTTP integration tests to let ZAP discover issues with HTTP paths, HTTP query parameters and so on?
- How can I export the above into a script I could invoke from the command line?
EDIT 1
This is not a website with HTML or a webapp. This is just a REST API via HTTPS with requests/responses, paths, query parameters and headers.
The "Include Context" does not contain any URL. However I just tried again adding the URL I specified in the "Authentication" menu, then tried again with the "Active Scan" and nothing happens.
The login/logout regex in "Authentication" were not containing anything because there is no such "logout" - the JWT token just expires and the request to any API endpoint is not valid any more. Anyway I added the HTTP path (not the protocol or the domain/host, just the path without any /) for the "login" URL to both the regex fields in the form on ZAP. Then tried again "Active Scan" and nothing happens.
- What is this "Active Scan" supposed to do? Do I have to provide all the valid paths? What about the query parameters?
- How can I obtain the JWT token from the "login" API endpoint (it's not a webpage), and reuse it as an HTTP header during the scan?
- How do I passively scan any endpoint starting from e.g. the "login" API endpoint (again - not a webpage, just a REST endpoint).
EDIT 2
I am using ZAP 2.9.0 via snap
on Linux, there is no other version available:
$ snap find zaproxy
Name Version Publisher Notes Summary
zaproxy 2.9.0 psiinon classic OWASP ZAP, a tool for finding vulnerabilities in web applications
$ snap install zaproxy --classic
zaproxy 2.9.0 from Simon Bennetts (psiinon) installed
EDIT 3
I added this regex https?:\/\/example.org\/.*
(with my host, not "example") to:
- the "Include in Context" menu item
- the "Authentication" menu item in both "login" and "logout" regex patterns.
Then tried again the "Active Scan": nothing happens - no output in the tabs on the lower part of the window, no logs, no blinking semaphores.