Header Based Authentication in Owasp zap - docker

I am trying to implement an OWASP ZAP scan, but I am unable to find a script for header authentication.
How do I add header authentication for a key/value pair, e.g. key = api-key, value = 123?
docker run --rm -v $(Agent.ReleaseDirectory)/docker:/zap/wrk/:rw -t ictu/zap2docker-weekly zap-baseline.py \
-t https://www.example.com/ProductDetails/v1/details?productId=123456 \
-I -x governreport.xml \
-r testreport.html \
--hook=/zap/auth_hook.py \
-z "auth.loginurl=https://www.example.com/ProductDetails/v1/details?productId=123456"
I am following this article:
http://www.winkell.co.uk/2019/10/28/zap-security-scanning-in-azure-devops-release-pipelines/

To add the header you want, you can include the following options in your -z string:
-config replacer.full_list\\(0\\).description=auth1 \
-config replacer.full_list\\(0\\).enabled=true \
-config replacer.full_list\\(0\\).matchtype=REQ_HEADER \
-config replacer.full_list\\(0\\).matchstr=Authorization \
-config replacer.full_list\\(0\\).regex=false \
-config replacer.full_list\\(0\\).replacement=123456789
So your command would look something like:
docker run --rm -v $(Agent.ReleaseDirectory)/docker:/zap/wrk/:rw -t ictu/zap2docker-weekly zap-baseline.py \
-t https://www.example.com/ProductDetails/v1/details?productId=123456 \
-I -x governreport.xml \
-r testreport.html \
--hook=/zap/auth_hook.py \
-z "auth.loginurl=https://www.example.com/ProductDetails/v1/details?productId=123456 \
-config replacer.full_list\\(0\\).description=auth1 \
-config replacer.full_list\\(0\\).enabled=true \
-config replacer.full_list\\(0\\).matchtype=REQ_HEADER \
-config replacer.full_list\\(0\\).matchstr=api-key \
-config replacer.full_list\\(0\\).regex=false \
-config replacer.full_list\\(0\\).replacement=123"
With this you will have the header api-key: 123 added to all of your requests.
Reference: https://www.zaproxy.org/blog/2017-06-19-scanning-apis-with-zap/
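The answer above shows one replacer rule written out by hand. The script below is an added example, not code from the original answer or from the ZAP project: it generalizes the same replacer options to any number of request headers, giving each its own full_list(N) index, and assembles the complete -z string for zap-baseline.py. The function names zap_header_rule and zap_z_option, the hdr- prefix used for the rule description, and the ZAP_API_KEY environment variable are assumptions of this example; the target URL, image name and zap-baseline.py options are the ones from the question.

```shell
#!/bin/sh
# Added example (not code from the original answer): generate the ZAP replacer
# -config options for any number of request headers and assemble the complete
# -z argument for zap-baseline.py. Each header gets its own full_list(N)
# index, and the parentheses reach ZAP as \( and \), as in the answer above.

# zap_header_rule INDEX NAME VALUE
# Prints the six replacer options for one header on a single line.
zap_header_rule() {
    rule_key="replacer.full_list\\($1\\)"      # expands to literal \( and \)
    printf '%s' "-config $rule_key.description=hdr-$2 "
    printf '%s' "-config $rule_key.enabled=true "
    printf '%s' "-config $rule_key.matchtype=REQ_HEADER "
    printf '%s' "-config $rule_key.matchstr=$2 "
    printf '%s' "-config $rule_key.regex=false "
    printf '%s' "-config $rule_key.replacement=$3"
}

# zap_z_option LOGIN_URL NAME=VALUE [NAME=VALUE ...]
# Builds the whole -z string: the auth.loginurl the hook script reads,
# followed by one replacer rule per NAME=VALUE pair, indexed from 0.
# Header values must not contain spaces, because zap-baseline.py splits
# the -z string on whitespace before handing it to ZAP.
zap_z_option() {
    z_out="auth.loginurl=$1"; shift
    z_idx=0
    for z_pair in "$@"; do
        z_out="$z_out $(zap_header_rule "$z_idx" "${z_pair%%=*}" "${z_pair#*=}")"
        z_idx=$((z_idx + 1))
    done
    printf '%s' "$z_out"
}

# Usage: the API key is read from an environment variable (assumed name
# ZAP_API_KEY) so the secret is not written into the pipeline script.
if [ -n "${ZAP_API_KEY:-}" ]; then
    target="https://www.example.com/ProductDetails/v1/details?productId=123456"
    z_opts=$(zap_z_option "$target" "api-key=$ZAP_API_KEY")
    docker run --rm -v "$PWD/docker:/zap/wrk/:rw" -t ictu/zap2docker-weekly zap-baseline.py \
        -t "$target" -I -x governreport.xml -r testreport.html \
        --hook=/zap/auth_hook.py -z "$z_opts"
fi
```

Keeping the header value in an environment variable rather than in the pipeline definition also keeps it out of the build log, where the expanded docker command line is usually echoed.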

Related

phabricator curl commandline for creating repository

Can somebody please help me create a git repository with curl?
I am trying this, based on the documentation:
curl https://my-url.eu/api/diffusion.repository.edit \
-d api.token=api-my-token \
-d transactions[0][type]=vcs \
-d transactions[0][value]=git \
-d transactions[1][type]=name \
-d transactions[1][value]=testing-api-repo \
-d objectIdentifier=
It returns:
zsh: no matches found: transactions[0][type]=vcs
Also, my second question: is there a way to create a Conduit API token via the CLI? It would be very useful for automation.
I found it:
curl -k -s -X POST https://URL/api/diffusion.repository.edit \
-d api.token=api-TOKEN_HERE \
-d 'transactions[0][type]=vcs' \
-d 'transactions[0][value]=git' \
-d 'transactions[1][type]=name' \
-d 'transactions[1][value]=testing' | jq -r

docker volume not found for configuration option

I am trying to run this docker command:
docker run --rm --name lighthouse -it \
-v $PWD/test-results/lighthouse:/home/chrome/reports \
-v $PWD/lighthouse:/lighthouse \
--cap-add=SYS_ADMIN femtopixel/google-lighthouse \
--config-path=/lighthouse/config/custom-config.js \
$full_url \
--output html \
--output json
But it is not picking up the --config-path argument; somehow I have the volume mapped wrong.
I am trying to create a volume called lighthouse, but I get this error:
/usr/bin/entrypoint: 11: exec:
--config-path=/lighthouse/config/custom-config.js: not found
You should be sending the URL as the first parameter, I think:
docker run --rm --name lighthouse -it \
-v $PWD/test-results/lighthouse:/home/chrome/reports \
-v $PWD/lighthouse:/lighthouse \
--cap-add=SYS_ADMIN femtopixel/google-lighthouse \
$full_url \
--config-path=/lighthouse/config/custom-config.js \
--output html \
--output json

Pass flag to cAdvisor with docker

I am running cAdvisor using the following code as instructed here:
sudo docker run \
--volume=/:/rootfs:ro \
--volume=/var/run:/var/run:ro \
--volume=/sys:/sys:ro \
--volume=/var/lib/docker/:/var/lib/docker:ro \
--volume=/dev/disk/:/dev/disk:ro \
--publish=8080:8080 \
--detach=true \
--name=cadvisor \
google/cadvisor:latest
I need to pass the following flag to cAdvisor as suggested in this answer:
--enable_load_reader=true
How do I pass that flag to cAdvisor?
The google/cadvisor container behaves like the binary itself; therefore you can just append the option to the end of the docker run ... command.
You would also like to add the --net host option to your docker run command as noted here:
sudo docker run \
--volume=/:/rootfs:ro \
--volume=/var/run:/var/run:ro \
--volume=/sys:/sys:ro \
--volume=/var/lib/docker/:/var/lib/docker:ro \
--volume=/dev/disk/:/dev/disk:ro \
--publish=8080:8080 \
--detach=true \
--net host \
--name=cadvisor \
google/cadvisor:latest \
--enable_load_reader=true

jenkins rest api returns 400 nothing is submitted

I am trying to launch a Jenkins build via its API using cURL:
#!/usr/bin/env bash
curl \
-i \
--fail \
--show-error \
-s \
-X POST \
-H 'Content-Type:application/json' \
-H 'Accept:application/json' \
--form json='{"parameter": [{"name":"COMPOSE_FULL_NAME", "value": "/redacted/docker-compose-prod.yml"}, {"name":"BRANCH", "value": "prod"}, {"name":"AD_USER", "value": "redacted"}, {"name":"AD_PASSWORD", "value": "redacted"}]}' \
-u redactedUser:redactedToken \
-k \
https://jenkins-dck.redacted/job/elr-156344/job/stack_deploy/build \
and this is what I get:
curl: (22) The requested URL returned error: 400 Nothing is submitted
I tried several ways of passing POST data, like using -d or --data-urlencode 'json={ but with no success so far.
Any idea what's going on? The message doesn't say much and I can't access the logs of the Jenkins backend.
OK, found it: you first need to disregard the docs here: https://wiki.jenkins.io/display/JENKINS/Remote+access+API. The proper method is described at https://wiki.jenkins.io/display/JENKINS/Parameterized+Build
Use this API endpoint:
https://jenkins-dck.redacted/job/elr-156344/job/stack_deploy/buildWithParameters?param1=urlencode&param2=urlencoded
Don't forget to quote the URL in the curl command, since bash will mess with & symbols.
Working example:
#!/usr/bin/env bash
curl \
-i \
--fail \
--show-error \
-s \
-X POST \
-H 'Content-Type:application/json' \
-H 'Accept:application/json' \
-u redactedUser:redactedToken \
-k \
"https://jenkins-dck.redacted/job/elr-156344/job/stack_deploy/buildWithParameters?BRANCH=prod&AD_USER=$SERVICE_ACCOUNT"
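The working example above interpolates $SERVICE_ACCOUNT straight into the query string, which only holds up while the value contains no characters that are special in a URL. The script below is an added example, not code from the original answer or from Jenkins: it percent-encodes every parameter name and value, builds the buildWithParameters URL from NAME=VALUE pairs, and calls it with curl from a double-quoted URL so the shell never sees the & as an operator. The function names urlencode and jenkins_build_url, the jenkins.example.invalid job URL, and the JENKINS_USER, JENKINS_TOKEN and SERVICE_ACCOUNT environment variables are assumptions of this example; curl's -k from the original is deliberately left out, since it disables certificate verification.

```shell
#!/bin/sh
# Added example (not code from the original answer): percent-encode each
# parameter value, build the buildWithParameters URL and call it with curl.
# Values come from variables, so a stray '&', '=' or space would otherwise
# break the query string apart or be mangled by the shell.
LC_ALL=C   # iterate over bytes, so non-ASCII input is encoded byte by byte

# urlencode STRING -> STRING with everything except RFC 3986 unreserved
# characters (A-Z a-z 0-9 - . _ ~) replaced by %XX
urlencode() {
    ue_in=$1; ue_out=""
    while [ -n "$ue_in" ]; do
        ue_c=${ue_in%"${ue_in#?}"}     # first byte of the remaining input
        ue_in=${ue_in#?}
        case "$ue_c" in
            [a-zA-Z0-9._~-]) ue_out="$ue_out$ue_c" ;;
            *) ue_out="$ue_out$(printf '%%%02X' "'$ue_c")" ;;
        esac
    done
    printf '%s' "$ue_out"
}

# jenkins_build_url JOB_URL NAME=VALUE [NAME=VALUE ...]
# -> JOB_URL/buildWithParameters?NAME=ENCODED&NAME=ENCODED...
jenkins_build_url() {
    jb_base=$1; shift
    jb_query=""
    for jb_pair in "$@"; do
        if [ -n "$jb_query" ]; then jb_query="$jb_query&"; fi
        jb_query="$jb_query$(urlencode "${jb_pair%%=*}")=$(urlencode "${jb_pair#*=}")"
    done
    printf '%s/buildWithParameters?%s' "$jb_base" "$jb_query"
}

# Usage: the job URL is a placeholder; user, token and service account are
# read from the environment (assumed names) so no credential sits in the
# script. The URL is double-quoted, so '&' never reaches the shell as an
# operator, and certificate verification stays on (no -k).
if [ -n "${JENKINS_TOKEN:-}" ]; then
    build_url=$(jenkins_build_url "https://jenkins.example.invalid/job/stack_deploy" \
        "BRANCH=prod" "AD_USER=${SERVICE_ACCOUNT:-}")
    curl -s --fail --show-error -X POST -u "${JENKINS_USER:-}:$JENKINS_TOKEN" "$build_url"
fi
```

Passing the token with -u keeps it out of the URL, which matters because query strings end up in web-server access logs and proxy logs, while the Authorization header normally does not.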

How to add rabbitmq_delayed_message_exchange plugin to RabbitMQ running docker

I would like to add the "rabbitmq_delayed_message_exchange" plugin to my docker installation.
Also, I want the Plugin to stay there after I reboot the RabbitMQ container.
The installation script I use is:
docker run -d -h docker01.docker \
--add-host=docker01.docker:192.168.1.11 \
--name rabbit \
-p "4370:4370" \
-p "5672:5672" \
-p "15672:15672" \
-p "25672:25672" \
-p "35197:35197" \
-e "RABBITMQ_USE_LONGNAME=true" \
-e "ERL_EPMD_PORT=4370" \
-e RABBITMQ_ERLANG_COOKIE="rabbitcookie" \
-e RABBITMQ_NODENAME="master" \
-e "RABBITMQ_LOGS=/var/log/rabbitmq/rabbit.log" \
-v /data/rabbitmq:/var/lib/rabbitmq \
-v /data/rabbitmq/logs:/var/log/rabbitmq \
rabbitmq:3.6.6-management
Is it possible to add that plugin to this above installation?
Thanks
