secureCodeBox / scanner-webapplication-zap

Part of the deprecated secureCodeBox v1, see secureCodeBox/secureCodeBox Repo for v2
Apache License 2.0

Zap-Replacer-Plugin not working #27

Closed wurstbrot closed 5 years ago

wurstbrot commented 5 years ago

The replacer-plugin is not working in my test cases.

I am using the current develop docker images of engine and zap. docker-compose.yml:

version: '3'
services:
  engine:
    image: securecodebox/engine:develop
[...]
  scanner-webapplication-zap:
      image: securecodebox/zap:develop
[...]

Hashes of images:

tpagel@qui-gon:~/git/securecodebox/secureCodeBox$ docker images | grep "zap\|engine" | grep develop
securecodebox/engine                                develop             22c16fec4827        4 hours ago         171MB
securecodebox/zap                                   develop             019df2720f2d        2 weeks ago         559MB

I developed a small test.php to see the header:

<?php
// Appends one line per request so the Authorization header sent by ZAP can be inspected.
$filename = "/var/www/html/requests.log";
// header() only sets response headers; the incoming request header is read from
// getallheaders() (Apache module) with $_SERVER["HTTP_AUTHORIZATION"] as a fallback.
$headers = function_exists("getallheaders") ? getallheaders() : [];
$auth = $headers["Authorization"] ?? ($_SERVER["HTTP_AUTHORIZATION"] ?? "");
$content = date("H:i:s") . " URI: " . $_SERVER["REQUEST_URI"] . " Header Authorization: " . $auth . "\n";
file_put_contents($filename, $content, FILE_APPEND);
echo $content;

You can run it via (test.php in the same folder): docker run --rm -p 81:80 -v "$PWD":/var/www/html --name test php:7.2-apache

Run zap via securecodebox via API on the endpoint /box/processes/zap-process according to https://github.com/secureCodeBox/scanner-webapplication-zap/issues/17:

[
   {
       "name": "ZAP test.php Scan",
       "location": "http://172.17.0.1:81/test.php",
       "attributes": {
           "ZAP_BASE_URL": "http://172.17.0.1:81/test.php",
           "ZAP_SPIDER_MAX_DEPTH": 2,
           "ZAP_REPLACER_RULES":
            [
                { "matchType":"REQ_HEADER",
                  "description":"Add a special Authentication Header",
                  "matchString":"Authorization",
                  "initiators":"",
                  "matchRegex":"false",
                  "replacement":"Authorization: Basic QWxhZGRpbjpPcGVuU2VzYW1l",
                  "enabled":"true"}
           ]
       }
   }
]

I tried it with "Authorization: Basic QWxhZGRpbjpPcGVuU2VzYW1l" in matchString and replacement, but it also didn't work.

Now you can check out requests.log and you will see that the expected Authorization-Header is not there.
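The requests.log check described above, automated as an added example (not code from this issue or from secureCodeBox): it parses the lines written by test.php, lists the requests that did not carry the configured header, and decodes the Basic credential so the value ZAP sent can be compared with the replacer rule. The log lines in SAMPLE_LOG are constructed.

```python
import base64
import re
from typing import Dict, List, Optional

# Line format written by test.php: "HH:MM:SS URI: <path> Header Authorization: <value>"
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}) URI: (?P<uri>\S+) Header Authorization: ?(?P<auth>.*)$"
)

# The replacement value from the ZAP_REPLACER_RULES entry in this issue.
EXPECTED = "Basic QWxhZGRpbjpPcGVuU2VzYW1l"


def parse_requests_log(text: str) -> List[Dict[str, str]]:
    """Parse requests.log into one dict per request; lines in another format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.rstrip())
        if m:
            entries.append(m.groupdict())
    return entries


def requests_missing_header(entries: List[Dict[str, str]], expected: str = EXPECTED) -> List[str]:
    """Return the URIs of requests whose Authorization header is not the configured value."""
    return [e["uri"] for e in entries if e["auth"].strip() != expected]


def basic_credential(auth_value: str) -> Optional[str]:
    """Decode the user:password of a Basic header value, or None if it is not valid Basic."""
    scheme, _, token = auth_value.strip().partition(" ")
    if scheme != "Basic" or not token:
        return None
    try:
        return base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


# Constructed sample: two spider requests without the header (the symptom reported
# in this issue) and one request where the replacer rule was applied.
SAMPLE_LOG = """\
10:01:02 URI: /test.php Header Authorization: 
10:01:03 URI: /test.php?x=1 Header Authorization: 
10:01:04 URI: /test.php Header Authorization: Basic QWxhZGRpbjpPcGVuU2VzYW1l
"""

if __name__ == "__main__":
    entries = parse_requests_log(SAMPLE_LOG)
    print("requests without the expected header:", requests_missing_header(entries))
    print("credential in last request:", basic_credential(entries[-1]["auth"]))
```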

wurstbrot commented 5 years ago

With d1d56f17a818436ef2c281ac12f8db1051076452c7345b84bbd7e7ba45d0abef of engine (current develop) it works for me.