Scanning APIs with ZAP Docker image – replacer with regex

  docker, owasp, regex, zap

I’m trying to use the API scanner Docker image as described here: https://www.zaproxy.org/blog/2017-06-19-scanning-apis-with-zap/ and I want to do some request replacement using a regexp. I’m using the command:

docker run -v $(pwd):/zap/wrk/:rw --network=host -t owasp/zap2docker-weekly zap-api-scan.py --hook=/zap/wrk/authentication-hooks.py -t docs/openapi.yaml -f openapi  -w output/oppenapi.md -z "-configfile /zap/wrk/zapproxy.prop" -d

with "zapproxy.prop":

replacer.full_list(0).description=customerId
replacer.full_list(0).enabled=true
replacer.full_list(0).matchtype=REQ_HEADER_STR
replacer.full_list(0).matchstr=/api/customers/d+
replacer.full_list(0).regex=true
replacer.full_list(0).replacement=/api/customers/1

and the replacement doesn’t work for the URL I want to modify: GET /api/customers/10. The same rule used via the GUI works just fine.

I’ve also tried:

replacer.full_list(0).description=customerId
replacer.full_list(0).enabled=true
replacer.full_list(0).matchtype=REQ_HEADER_STR
replacer.full_list(0).matchstr=/api/customers/10
replacer.full_list(0).regex=false
replacer.full_list(0).replacement=/api/customers/1

and it also works fine.

Simon Bennetts suggested checking how the GUI saves those settings: https://www.zaproxy.org/faq/how-do-you-find-out-what-key-to-use-to-set-a-config-value-on-the-command-line/. As you can see, there aren’t any escapes in matchstr.


Is there something that I need to do to pass this regex correctly?

Source: Docker Questions
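Added example (not part of the question above, and not ZAP's own code): a small Python model of the failure mode the poster describes. It assumes, as a hypothesis, that the values in a file passed to ZAP with `-configfile` go through Java-properties-style backslash unescaping before they reach the replacer, so that a single `\d` in the file arrives as a plain `d`, while the GUI stores the pattern verbatim. The rule text, the request line and the `load_properties` / `apply_rule` helpers are constructed here for illustration; only the replacer keys and the matched URL come from the question.

```python
import re

# Constructed input: the poster's replacer rule as it would be typed into the
# properties file, with the regex written the way one would write it in the GUI.
RULE_SINGLE_BACKSLASH = r"""
replacer.full_list(0).description=customerId
replacer.full_list(0).enabled=true
replacer.full_list(0).matchtype=REQ_HEADER_STR
replacer.full_list(0).matchstr=/api/customers/\d+
replacer.full_list(0).regex=true
replacer.full_list(0).replacement=/api/customers/1
"""

# Same rule with the backslash doubled, as a properties file would need it
# under the escaping hypothesis described in the lead-in.
RULE_DOUBLE_BACKSLASH = RULE_SINGLE_BACKSLASH.replace(r"/\d+", r"/\\d+")

# Constructed request line matching the URL from the question.
REQUEST_LINE = "GET /api/customers/10 HTTP/1.1"


def unescape_properties_value(raw):
    """Mimic java.util.Properties value handling (assumed behaviour of the
    -configfile loader): '\\\\' -> '\\', '\\t' '\\n' '\\r' '\\f' and
    '\\uXXXX' are translated, and any other escaped character loses its
    backslash, so '\\d' becomes plain 'd'."""
    out = []
    i = 0
    while i < len(raw):
        ch = raw[i]
        if ch != "\\" or i + 1 >= len(raw):
            out.append(ch)
            i += 1
            continue
        nxt = raw[i + 1]
        hexpart = raw[i + 2:i + 6]
        if nxt == "u" and re.fullmatch(r"[0-9a-fA-F]{4}", hexpart):
            out.append(chr(int(hexpart, 16)))
            i += 6
            continue
        out.append({"t": "\t", "n": "\n", "r": "\r", "f": "\f"}.get(nxt, nxt))
        i += 2
    return "".join(out)


def load_properties(text):
    """Parse key=value lines the way a minimal properties reader would,
    applying the escape handling above to every value."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        props[key.strip()] = unescape_properties_value(value.strip())
    return props


def apply_rule(props, request_line, idx=0):
    """Apply replacer rule number idx to a request line, honouring the
    enabled and regex flags the way the replacer keys describe them."""
    prefix = f"replacer.full_list({idx})."
    if props[prefix + "enabled"] != "true":
        return request_line
    matchstr = props[prefix + "matchstr"]
    replacement = props[prefix + "replacement"]
    if props[prefix + "regex"] == "true":
        return re.sub(matchstr, replacement, request_line)
    return request_line.replace(matchstr, replacement)


def demo():
    """Return, per variant, the pattern the replacer actually sees and the
    rewritten request line."""
    results = {}
    for name, text in (("single", RULE_SINGLE_BACKSLASH),
                       ("double", RULE_DOUBLE_BACKSLASH)):
        props = load_properties(text)
        results[name] = (props["replacer.full_list(0).matchstr"],
                         apply_rule(props, REQUEST_LINE))
    return results


if __name__ == "__main__":
    for name, (pattern, rewritten) in demo().items():
        print(f"{name:6} pattern={pattern!r:25} -> {rewritten}")
```

With a single backslash the loader hands the replacer the literal pattern `/api/customers/d+`, which never matches `/api/customers/10`, so the request is left untouched; with the backslash doubled the replacer receives `/api/customers/\d+` and rewrites the request line to `/api/customers/1`. Whether ZAP's loader really unescapes this way is the assumption to verify, for instance by exporting the rule from the GUI as the linked FAQ suggests and comparing the stored value with what the file delivers.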
