SasanLabs / owasp-zap-jwt-addon

OWASP ZAP addon for finding vulnerabilities in JWT Implementations
https://www.zaproxy.org/
Apache License 2.0

When sending a JWT token with an Authorization header, the scanner doesn't send out any requests #31

Closed yaakov123 closed 2 years ago

yaakov123 commented 2 years ago

To Reproduce

Steps to reproduce the behavior:

  1. Create a request with an authorization header with a valid token - Authorization: Bearer xxxxxxx
  2. Run an active scan
  3. Notice how no requests are being sent out
preetkaran20 commented 2 years ago

This issue is because of the way the Header Variant of ZAP works: the header variant doesn't allow injecting a payload into the Authorization header (and some of the others), as for scan rules like SQL etc. there is no need for injecting the payload into the authorization header. However, in the case of the JWT scan rule the auth header becomes very important. Code: https://github.com/zaproxy/zaproxy/blob/main/zap/src/main/java/org/parosproxy/paros/core/scanner/VariantHeader.java#L107-L108

@psiinon @thc202 @kingthorin how do we handle such use cases for other scan rules? Do we need to add a way to handle these special usecases?

thanks, Karan

preetkaran20 commented 2 years ago

Detailed email conversation: Gmail - Regarding the JWT Zap Scanner.pdf

thc202 commented 2 years ago

If an (AbstractAppParamPlugin) scan rule needs to scan an excluded header it should do so by overriding the scan() method.

preetkaran20 commented 2 years ago

Hi @thc202,

oh ok, then I need to move the code of the scan method into the JWT scan rule and then manipulate the param list of the header variant, right?

thanks, Karan

thc202 commented 2 years ago

I was thinking that it would "manually" check for the header and attack it. Since the scan rule is relying on NameValuePair for the scan you could override scan(List<NameValuePair>) and call the base method with a copy of that list plus the Authorization header (if present) when they are of the header type.

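The approach thc202 describes above, as an added illustration that is not the JWT add-on's own code: a rule overrides `scan(List<NameValuePair>)`, detects that it was handed the header variant's list, appends a copy of the `Authorization` header from the base message when it is missing, and then hands the copy to the base method so the per-parameter `scan` sees the bearer token. The class name, package, rule id and messages are placeholders; it assumes that `scan(List<NameValuePair>)` is overridable in the ZAP version in use, that `VariantHeader.setParameter` sets a header by name (so the `NameValuePair` position is irrelevant), and that the other variants never hand the rule a `TYPE_HEADER` pair.

```java
package org.example.zap.jwt; // placeholder package, not the add-on's

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import org.parosproxy.paros.core.scanner.AbstractAppParamPlugin;
import org.parosproxy.paros.core.scanner.Category;
import org.parosproxy.paros.core.scanner.NameValuePair;
import org.parosproxy.paros.network.HttpHeader;
import org.parosproxy.paros.network.HttpMessage;

/**
 * Illustrative active scan rule (not the JWT add-on's code) that puts the
 * Authorization header back into the header variant's parameter list so a
 * Bearer JWT is scanned even though VariantHeader excludes that header.
 */
public class BearerJwtScanRule extends AbstractAppParamPlugin {

    private static final String BEARER = "Bearer ";
    private static final Pattern ALG = Pattern.compile("\"alg\"\\s*:\\s*\"([^\"]*)\"");

    @Override
    public void scan(List<NameValuePair> paramList) {
        List<NameValuePair> params = new ArrayList<>(paramList);
        // Only act on the header variant: it is the one that drops Authorization, and a
        // different variant's setParameter would not know what to do with a TYPE_HEADER pair.
        boolean headerVariant =
                params.stream().anyMatch(p -> p.getType() == NameValuePair.TYPE_HEADER);
        boolean alreadyPresent =
                params.stream().anyMatch(p -> HttpHeader.AUTHORIZATION.equalsIgnoreCase(p.getName()));
        if (headerVariant && !alreadyPresent) {
            String auth = getBaseMsg().getRequestHeader().getHeader(HttpHeader.AUTHORIZATION);
            if (auth != null && auth.regionMatches(true, 0, BEARER, 0, BEARER.length())) {
                // Assumption: VariantHeader.setParameter sets the header by name, so the
                // position argument is only a placeholder.
                params.add(new NameValuePair(
                        NameValuePair.TYPE_HEADER, HttpHeader.AUTHORIZATION, auth, params.size()));
            }
        }
        super.scan(params); // base method now iterates the list including Authorization
    }

    @Override
    public void scan(HttpMessage msg, String paramName, String value) {
        if (!HttpHeader.AUTHORIZATION.equalsIgnoreCase(paramName)
                || !value.regionMatches(true, 0, BEARER, 0, BEARER.length())) {
            return; // this rule only cares about the bearer token
        }
        String token = value.substring(BEARER.length());
        String alg = jwtAlg(token);
        if (alg == null) {
            return; // not JWT-shaped, nothing to test
        }
        try {
            // Baseline request: resend the unchanged token through setParameter. This proves the
            // header really reaches the target (the symptom in this issue was that no request went
            // out at all) and gives a reference response for the rule's JWT checks.
            setParameter(msg, paramName, BEARER + token);
            sendAndReceive(msg);
            if (msg.getResponseHeader().getStatusCode() >= 400) {
                return; // token not accepted as-is, so tampered variants would prove nothing
            }
            // The rule's JWT-specific checks on `token` (header alg available as `alg`) go here.
        } catch (IOException e) {
            // a network failure on one parameter should not abort the whole scan
        }
    }

    /** Returns the "alg" claimed in the JWT header, or null if the value is not JWT-shaped. */
    static String jwtAlg(String token) {
        String[] parts = token.split("\\.", -1);
        if (parts.length != 3 || parts[0].isEmpty() || parts[1].isEmpty()) {
            return null;
        }
        try {
            // Java's URL decoder accepts unpadded base64url, which is what JWTs use.
            String header = new String(Base64.getUrlDecoder().decode(parts[0]), StandardCharsets.UTF_8);
            Matcher m = ALG.matcher(header);
            return m.find() ? m.group(1) : null;
        } catch (IllegalArgumentException e) {
            return null; // not valid base64url
        }
    }

    // Required by AbstractPlugin; values are placeholders, and the id is not an allocated ZAP rule id.
    @Override public int getId() { return 90099; }
    @Override public String getName() { return "Bearer JWT header (illustrative)"; }
    @Override public String getDescription() { return "Scans the JWT carried in Authorization: Bearer."; }
    @Override public int getCategory() { return Category.MISC; }
    @Override public String getSolution() { return ""; }
    @Override public String getReference() { return ""; }
}
```

The guard on `TYPE_HEADER` matters: `scan(List<NameValuePair>)` is called once per variant, and only the header variant's `setParameter` knows how to write a header back into the request, so the Authorization pair must not be added to the lists the URL-query, form or JSON variants hand over.
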
preetkaran20 commented 2 years ago

hmm yeah, that makes sense.

preetkaran20 commented 2 years ago

PR to fix the issue: https://github.com/SasanLabs/owasp-zap-jwt-addon/pull/32

preetkaran20 commented 2 years ago

Merged the PR, Now waiting for the release of the addon: https://github.com/zaproxy/zaproxy/issues/7028

preetkaran20 commented 2 years ago

Hi @yaakov123

The newer version of the addon is available in the marketplace with this issue's fix. Please try it out.

Thanks, Karan

Kemosabert commented 6 months ago

Hey @preetkaran20 👋

I am encountering the same issue with a test app that I've set up for exactly this integration. I am on the latest version of both the OWASP ZAP client (2.14.0) and the addon (1.0.3). I see that the addon is available and active in the progress overview, but it does not seem to make any requests, while in the request inspector I can see the JWTs being sent in the Authorization header and cookies.

Could you help me out? I can of course deliver any screenshots/logs you need to assist :)

Thanks in advance!

preetkaran20 commented 5 months ago

@Kemosabert can you please share the curl request for which it is failing?