Initially I tried authenticating APIs through the ZAP UI. I have a folder structure which has
Context, wrk->script->authentication->bearer-token.js, wrk->script->httpsender->header-set-bearer-token.js, wrk->script->zap_hooks.py.
While authenticating, I selected ScriptBasedAuthentication and loaded the script bearer-token.js, and provided the Token Provider URL, API Key and grantType required by bearer-token.js. I imported the Swagger.json and ran an Active Scan.
Everything runs fine with ZAP UI.
While trying with the ZAP API Scan docker image, I get the alert
A response code of 401 was returned by the server.
This may indicate that the application is failing to handle unexpected input correctly.
Raised by the 'Alert on HTTP Response Code Error' script
All the APIs are being scanned, but without authentication. The command I am running is
docker run -v $(pwd):/zap/wrk/:rw -t owasp/zap2docker-weekly zap-api-scan.py -t test.json -f openapi -r api-scan-report.html -z "-config replacer.full_list(0).description=auth1 -config replacer.full_list(0).enabled=true -config replacer.full_list(0).matchtype=REQ_HEADER -config replacer.full_list(0).matchstr=Authorization -config replacer.full_list(0).regex=false -config 'replacer.full_list(0).replacement=Bearer XXXXXXXXXXXXXXXXXXXXXX'"
There is a space in "Bearer TokenXXXXX", so I referred to this: https://github.com/zaproxy/zaproxy/issues/4332#issuecomment-367326344
But it did not work for me. Also, the Bearer token is valid only for 5 minutes and then it expires.
If I provide --hook=zap_hooks.py, it says "Could not find custom hooks file at /zap/zap_hooks.py". I have been trying this for a week, but no luck. Please help me with how I can authenticate my APIs and get rid of the 401 (Unauthorized).
Please help me with this. Thanks in advance.
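As an added illustration of the hooks mechanism the post mentions (this is example code written here, not the poster's zap_hooks.py and not part of the ZAP project), the hook file below fetches a bearer token inside the scan container and registers the Authorization header as a Replacer rule through the ZAP API, so no shell quoting of "Bearer <token>" is involved. It assumes the file is passed with its full mounted path (--hook=/zap/wrk/script/zap_hooks.py), that the token provider accepts an OAuth2 client_credentials POST returning JSON with an access_token field, and that TOKEN_URL, CLIENT_ID and CLIENT_SECRET are supplied as environment variables; all of these are assumptions, not details from the original post.

```python
"""zap_hooks.py: constructed example hook file for zap-api-scan.py (not the original poster's script).

Assumptions (not stated in the original post):
  - the file is mounted at /zap/wrk/script/zap_hooks.py and passed as
    --hook=/zap/wrk/script/zap_hooks.py
  - the token provider accepts an OAuth2 client_credentials POST and returns
    JSON with an "access_token" field
  - TOKEN_URL, CLIENT_ID and CLIENT_SECRET are provided as environment variables
"""
import json
import os
import urllib.parse
import urllib.request

RULE_DESCRIPTION = "auth1"


def build_replacer_rule(token, description=RULE_DESCRIPTION):
    """Keyword arguments for zap.replacer.add_rule that inject the bearer header.

    Building the rule via the API keeps the space in "Bearer <token>" intact,
    which is what the -z shell quoting in the post struggles with.
    """
    return {
        "description": description,
        "enabled": "true",
        "matchtype": "REQ_HEADER",
        "matchregex": "false",
        "matchstring": "Authorization",
        "replacement": "Bearer " + token,
        "initiators": "",  # empty string = apply to requests from every initiator
    }


def extract_access_token(body):
    """Pull access_token out of a JSON token response; fail loudly if absent."""
    data = json.loads(body)
    token = data.get("access_token")
    if not token:
        raise ValueError("token response has no access_token field")
    return token


def _post_form(url, form):
    """Default transport: POST an application/x-www-form-urlencoded body."""
    req = urllib.request.Request(url, data=form.encode(), method="POST")
    with urllib.request.urlopen(req) as resp:
        return resp.read().decode()


def fetch_token(token_url, client_id, client_secret, post=_post_form):
    """Perform a client_credentials grant and return the access token.

    `post` is injectable so the flow can be exercised without network access.
    """
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    })
    return extract_access_token(post(token_url, form))


def zap_started(zap, target):
    """zap-api-scan.py hook: runs once the ZAP daemon is up, before the target is accessed.

    `zap` is the python-owasp-zap-v2.4 client; replacer.add_rule is a real API call.
    """
    token = fetch_token(os.environ["TOKEN_URL"],
                        os.environ["CLIENT_ID"],
                        os.environ["CLIENT_SECRET"])
    zap.replacer.add_rule(**build_replacer_rule(token))
    print("registered Authorization replacer rule for", target)
```

Because the rule is registered once at startup, a token that expires after 5 minutes will stop working partway through a scan that runs longer than that; the same fetch_token call can be repeated from a later hook such as zap_active_scan, or the token provider can be asked for a longer-lived credential for the scanning client.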