OWASP ZAP Form-based Authentication does not send Authorization HTTP header in active scan

Question


I am using OWASP ZAP to scan my API. I have followed all steps to set up the OAuth2 authentication. But when I start an active scan, the requests still do not contain the bearer token. The Authorization header is missing.

The screenshots of my setup are below.

I went through the list of steps to set up the Forms Based Authentication:

[screenshot]

Defined the user

[screenshot]

Set the Session Management to HTTP Authentication:

[screenshot]

There's probably some missing piece in my puzzle, any advice is welcome.

Answer 1

Score: 1


You've selected the wrong type of Session Management. It would be HTTP Authentication Session Management if you were doing Basic or Digest auth.

For your scenario you'd need to select Script-based and set up something like: https://github.com/zaproxy/community-scripts/blob/main/session/Juice%20Shop%20Session%20Management.js

Other options like env vars are outlined here:
https://www.zaproxy.org/docs/authentication/handling-auth-yourself/
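As an added example that is not part of the question or the answer (and not ZAP's or the community-scripts project's own code), here is a minimal Script-based Session Management script in the shape of the Juice Shop script linked above, adapted to an API that expects a bearer token. It assumes the authentication request configured in ZAP returns a JSON body with an `access_token` field; the function names and the `SessionWrapper` calls are the ones ZAP invokes for session management scripts.

```javascript
// Added example: a ZAP Script-based Session Management script (JavaScript
// engine) for an API that expects "Authorization: Bearer <token>".
// Assumption: the authentication request configured in ZAP returns a JSON
// body with an "access_token" field; change the field name if yours differs.

var SESSION_TOKEN_KEY = "token";

// Returns the access token from a JSON token response, or null when the
// body is not JSON or has no string access_token (never throws inside ZAP).
function parseAccessToken(body) {
  try {
    var json = JSON.parse(body);
    return (json && typeof json.access_token === "string") ? json.access_token : null;
  } catch (e) {
    return null;
  }
}

// Called by ZAP after the authentication request completes: extract the
// token from the response and store it in the ZAP session.
function extractWebSession(sessionWrapper) {
  var body = sessionWrapper.getHttpMessage().getResponseBody().toString();
  var token = parseAccessToken(body);
  if (token !== null) {
    sessionWrapper.getSession().setValue(SESSION_TOKEN_KEY, token);
  }
  return token;
}

// Called by ZAP for every message it is about to send (spider, active
// scan, ...): add the stored token so the API treats it as authenticated.
function processMessageToMatchSession(sessionWrapper) {
  var token = sessionWrapper.getSession().getValue(SESSION_TOKEN_KEY);
  if (token === null || token === undefined) {
    return false; // no session yet; ZAP will authenticate first
  }
  sessionWrapper.getHttpMessage().getRequestHeader()
    .setHeader("Authorization", "Bearer " + token);
  return true;
}

// Called by ZAP when the session must be discarded (forces a re-login);
// setHeader with a null value removes the header.
function clearWebSessionIdentifiers(sessionWrapper) {
  sessionWrapper.getHttpMessage().getRequestHeader().setHeader("Authorization", null);
}

// ZAP requires these two functions in every session management script.
function getRequiredParamsNames() { return []; }
function getOptionalParamsNames() { return []; }
```

Load it under Scripts > Session Management, select it as the Session Management method of the context, and the active scanner's requests will carry the header once the authentication request has run.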

huangapple
  • Posted on 2023-06-16 14:09:49
  • Reprints must keep this link: https://go.coder-hub.com/76487359.html