Zed Attack Proxy 使用 OAuth 自动扫描 WebApi [英] Zed Attack Proxy automated scanning of WebApi with OAuth

问题描述

我已经配置了 ZAP 2.6，这样它就可以充当 Android 应用程序通过 HTTPS 向 Web 服务发出的请求的代理.身份验证机制是 OAuth 2，因此在我的登录响应中，我获得了一个访问令牌，然后将其发送到所有后续请求标头中，如下所示

I have configured ZAP 2.6 so that it is acting as a proxy for requests from an Android app to a web service over HTTPS. The authentication mechanism is OAuth 2, and so in my login response I get an access token which is then sent in all subsequent request headers as follows

Authorization: Bearer my_long_and_encoded_access_token

是否可以让 ZAP 识别此令牌并在从 ZAP UI 启动的测试中使用它?

Is it possible to get ZAP to recognise this token and use it in tests initiated from the ZAP UI?

我查看了 为 Zed 攻击自动化 OAuth 访问令牌代理扫描，但不要相信这涵盖了我的情况.

I have looked at Automate OAuth access token for Zed Attack Proxy Scans but don't believe this covers my situation.

谢谢.

推荐答案

是的，您可以创建一个脚本来提取此令牌，然后在以后的请求中使用它.如果您需要有关此类脚本的帮助，那么在 ZAP 用户组上询问可能比在此处询问更好；)

Yes, you can create a script which extracts this token and then uses it in future requests. If you need help with such a script then asking on the ZAP User Group might be a better option than asking here ;)

这篇关于Zed Attack Proxy 使用 OAuth 自动扫描 WebApi的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！