Closed AlBellom closed 3 weeks ago
This should work, although I havnt checked the details. FYI the auth env vars are probably a better solution for this usecase: https://www.zaproxy.org/docs/getting-further/authentication/handling-auth-yourself/#authentication-env-vars
Wire log using the provided option.prop
file:
http-outgoing-0 >> "Authorization: Authorization: Bearer xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx[\r][\n]"
I don't see a newline there.
@thc202 Do you get that log entry on your server? I use a proxy to look at requests. The proxy shows that there is a newline after the Bearer string. This is consistent with the API not being able to authenticate the requests coming from ZAP.
That log is what's being sent to the server, but to clear any doubts just tried again with https://httpbin.org/headers
and see the same:
{
"headers": {
"Accept": "application/json",
"Authorization": "Bearer xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
"Cache-Control": "no-cache",
"Host": "httpbin.org",
"Pragma": "no-cache",
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; rv:125.0) Gecko/20100101 Firefox/125.0",
"X-Amzn-Trace-Id": "Root=1-12345"
}
}
No newline in the Authorization header (now using the latest info in the issue).
I don't know that proxy but that just looks like plain word wrapping not a newline in the header, did you make sure the token is correct? Maybe it's failing because it's no longer valid (though it might well be other reason).
Closing, the replacer seems to be working correctly, feel free to leave a comment if you can provide the steps to reproduce it.
There is bug in Proxyman that cause the Authentication header to display incorrectly when the length of the token exceeds what can be shown on one line. It is not obvious with an auth token, give its length, as the Proxyman window can be extended so much. Proxyman arbitrarily breaks the line after the string Bearer
even if there is no newline
.
Describe the bug
I am running
owasp/zap2docker-stable
to test APIs. It appears that ZAP creates an incorrectAuthorization
header under certain circumstances.This is the content of the
option.prop
file that causes ZAP to generate an incorrect header:The resulting header is:
There is
newline
after the stringBearer
.The following is the content of the option.prop file for which ZAP generates a correct header. I arbitrary shorten the token.
The resulting header is:
Authorization: Bearer xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
It looks like ZAP insert a newline if the replacement string is longer than a certain value.
Steps to reproduce the behavior
option.prop
file:newline
:Note: I cannot provide the Swagger file, however any Swagger file would work.
Expected behavior
The generated Authorization header should not contain a
newline
:Software versions
owasp/zap2docker-stable
Screenshots
No response
Errors from the zap.log file
No response
Additional context
No response
Would you like to help fix this issue?