Description
Hey,
Summary
Trying to use the Glue task for ZAP as the next stage in my security testing pipeline; however, I am coming across an issue which seems to kill it.
Issue Found
Glue sends the API key to Zap as an HTTP query parameter instead of in the header, which it expects. This causes Zap to throw an error like this:
Provided parameter has illegal or unrecognized value (illegal_parameter) : &apikey=myapikey&contextName=b67b6ff7-de5b-4094-9cd6-0983cd21ec9c
at org.zaproxy.zap.extension.api.API.getParams(Unknown Source)
at org.zaproxy.zap.extension.api.API.handleApiRequest(Unknown Source)
at org.parosproxy.paros.core.proxy.ProxyThread.processHttp(Unknown Source)
at org.parosproxy.paros.core.proxy.ProxyThread.run(Unknown Source)
at java.lang.Thread.run(Thread.java:748)
Reproduction Steps
Assuming you have Zap version 2.6.0 running in API mode, you can recreate this issue using:
docker run -i owasp/glue:raw-latest bin/glue -a my-api --target https://mytarget.net -t zap --zap-host http://0.0.0.0 --zap-port 8090 --zap-api-token myapikey
This will produce a log output of:
Loading scanner...
Logfile nil?
calling scan
Running scanner
Mounting https://mytarget.net with #<Glue::URLMounter:0x0000564b7ece0160>
Mounted https://mytarget.net with #<Glue::URLMounter:0x0000564b7ece0160>
Processing target...https://mytarget.net
Running tasks in stage: wait
Running tasks in stage: mount
Running tasks in stage: file
Running tasks in stage: code
Running tasks in stage: live
live - Zap - #<Set:0x0000564b7f95a850>
Running tasks in stage: done
Running base report...
Running ZAP on: https://mytarget.net from http://0.0.0.0:8090 with b67b6ff7-de5b-4094-9cd6-0983cd21ec9c
At this stage, the process dies because the request sent to Zap includes the Zap API key as an HTTP query parameter instead of in the header.
Docker Image Versions Used
Zap: owasp/zap2docker-bare:2.6.0
Glue: owasp/glue:raw-latest
If there is any more info I can provide to help figure the issue out, let me know.
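As an added illustration of the request shape described in this report (this is example code, not Glue's own code and not from the issue author), the Ruby snippet below builds a ZAP JSON API request with the API key carried only in the `X-ZAP-API-Key` header, and checks a raw query string for the malformed shape quoted in the error (a leading `&` and an `apikey` parameter). It assumes ZAP accepts the key in that header; the helper names `build_zap_request`, `api_key_in_query` and `query_problems` are hypothetical, and the context name is the one from the log above.

```ruby
require 'net/http'
require 'uri'

# Header ZAP accepts for the API key (assumption: the X-ZAP-API-Key header).
ZAP_API_KEY_HEADER = 'X-ZAP-API-Key'.freeze

# Build a GET request for a ZAP JSON API action, e.g. component "context" and
# action "newContext". The key is placed in the header and never appended to
# the query string, so it does not land in proxy or access logs.
def build_zap_request(zap_host:, zap_port:, component:, action:, api_key:, params: {})
  uri = URI.parse("#{zap_host}:#{zap_port}/JSON/#{component}/action/#{action}/")
  # encode_www_form produces "a=b&c=d" with no leading "&" and no empty pairs.
  uri.query = URI.encode_www_form(params) unless params.empty?
  request = Net::HTTP::Get.new(uri) # request.path keeps the query string
  request[ZAP_API_KEY_HEADER] = api_key
  request
end

# Return the query parameters of a built request that carry the API key,
# either under the "apikey" name or as a value equal to the key. An empty
# result means the key is not leaking into the URL.
def api_key_in_query(request, api_key)
  uri = URI.parse(request.path)
  return [] if uri.query.nil?

  URI.decode_www_form(uri.query).select { |name, value| name == 'apikey' || value == api_key }
end

# Check a raw query string the way a strict parser would and list what is
# wrong with it: a leading "&" (the shape ZAP rejected in the issue), empty
# name=value pairs, and an API key passed as a query parameter.
def query_problems(query)
  problems = []
  problems << 'leading &' if query.start_with?('&')
  pairs = query.split('&', -1)
  problems << 'empty pair' if pairs.any?(&:empty?)
  problems << 'apikey in query' if pairs.any? { |pair| pair.start_with?('apikey=') }
  problems
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample values matching the report: host, port, key and context name.
  req = build_zap_request(zap_host: 'http://0.0.0.0', zap_port: 8090,
                          component: 'context', action: 'newContext',
                          api_key: 'myapikey',
                          params: { 'contextName' => 'b67b6ff7-de5b-4094-9cd6-0983cd21ec9c' })
  puts "Request line: GET #{req.path}"
  puts "#{ZAP_API_KEY_HEADER}: #{req[ZAP_API_KEY_HEADER]}"
  puts "Key in query? #{api_key_in_query(req, 'myapikey').any?}"
  # The rejected value quoted in the error message above.
  bad = '&apikey=myapikey&contextName=b67b6ff7-de5b-4094-9cd6-0983cd21ec9c'
  puts "Problems with rejected query: #{query_problems(bad).inspect}"
end
```

The request is only constructed, not sent, so the script runs without a ZAP instance; `api_key_in_query` is the check you would keep in a test suite to make sure a future change does not move the key back into the URL.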