Closed wurstbrot closed 5 years ago
The replacer-plugin is not working in my test cases.
I am using current develop docker-image of engine and zap. docker-compose.yml:
```yaml
version: '3'
services:
  engine:
    image: securecodebox/engine:develop
    [...]
  scanner-webapplication-zap:
    image: securecodebox/zap:develop
    [...]
```
Hashes of images:
```
tpagel@qui-gon:~/git/securecodebox/secureCodeBox$ docker images | grep "zap\|engine" | grep develop
securecodebox/engine   develop   22c16fec4827   4 hours ago   171MB
securecodebox/zap      develop   019df2720f2d   2 weeks ago   559MB
```
I developed a small test.php to see the header:
```php
<?php
$filename = "/var/www/html/requests.log";
// Read the incoming Authorization request header. header() only sets response
// headers and returns nothing, so it cannot be used to read a request header.
$auth = $_SERVER["HTTP_AUTHORIZATION"] ?? "";
if ($auth === "" && function_exists("apache_request_headers")) {
    $auth = apache_request_headers()["Authorization"] ?? "";
}
$content = date("H:i:s") . " URI: " . $_SERVER["REQUEST_URI"]
    . " Header Authorization: " . $auth . "\n";
file_put_contents($filename, $content, FILE_APPEND);
echo $content;
```
You can run it via (test.php in same folder):

```shell
docker run --rm -p 81:80 -v "$PWD":/var/www/html --name test php:7.2-apache
```
Run zap via securecodebox via API on the endpoint /box/processes/zap-process according to https://github.com/secureCodeBox/scanner-webapplication-zap/issues/17:
```json
[
  {
    "name": "ZAP test.php Scan",
    "location": "http://172.17.0.1:81/test.php",
    "attributes": {
      "ZAP_BASE_URL": "http://172.17.0.1:81/test.php",
      "ZAP_SPIDER_MAX_DEPTH": 2,
      "ZAP_REPLACER_RULES": [
        {
          "matchType": "REQ_HEADER",
          "description": "Add a special Authentication Header",
          "matchString": "Authorization",
          "initiators": "",
          "matchRegex": "false",
          "replacement": "Authorization: Basic QWxhZGRpbjpPcGVuU2VzYW1l",
          "enabled": "true"
        }
      ]
    }
  }
]
```
I tried it with "Authorization: Basic QWxhZGRpbjpPcGVuU2VzYW1l" in matchString and replacement, but it also didn't work.
Now you can check out requests.log and you will see that the expected Authorization-Header is not there.
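To check requests.log after a scan, here is an added Python helper (not part of this issue or of secureCodeBox) that parses the line format test.php writes and reports, per request, whether the expected Authorization value was present, absent, or something else; the log lines below are constructed samples.

```python
import re
from typing import Dict, List

# Constructed sample of requests.log lines in the format test.php writes:
# "<HH:MM:SS> URI: <uri> Header Authorization: <value>" (value empty if absent).
SAMPLE_LOG = "\n".join([
    "10:15:01 URI: /test.php Header Authorization: ",
    "10:15:02 URI: /test.php?x=1 Header Authorization: Basic QWxhZGRpbjpPcGVuU2VzYW1l",
    "10:15:03 URI: /test.php?x=2 Header Authorization: Basic QWxhZGRpbjpPcGVuU2VzYW1l",
    "10:15:04 URI: /robots.txt Header Authorization: Bearer other",
])

LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}) URI: (\S+) Header Authorization: ?(.*)$")


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse requests.log into dicts with time, uri and auth (empty string if no header)."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # skip lines that do not match the test.php format
            entries.append({"time": m.group(1), "uri": m.group(2), "auth": m.group(3).strip()})
    return entries


def check_replacer(text: str, expected: str) -> Dict[str, List[str]]:
    """Classify each logged request by whether the replacer injected the expected header value."""
    result: Dict[str, List[str]] = {"ok": [], "missing": [], "mismatch": []}
    for entry in parse_log(text):
        if entry["auth"] == expected:
            result["ok"].append(entry["uri"])
        elif entry["auth"] == "":
            result["missing"].append(entry["uri"])
        else:
            result["mismatch"].append(entry["uri"])
    return result


if __name__ == "__main__":
    # Replace SAMPLE_LOG with open("requests.log").read() to check a real scan.
    print(check_replacer(SAMPLE_LOG, "Basic QWxhZGRpbjpPcGVuU2VzYW1l"))
```

A non-empty `missing` list means the scanner reached the endpoint without the header, which is the symptom described above.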
With d1d56f17a818436ef2c281ac12f8db1051076452c7345b84bbd7e7ba45d0abef of engine (current develop) it works for me.