I'm currently working on testing an Angular 6 application using OWASP ZAP. I really enjoy this tool, but like many of us, I struggle with the authentication part, and without it the whole tool turns into a nothing burger.
The login route is accessible on my localhost at /login, and my API endpoint https://api.mytestproject.com/auth only accepts raw XML such as:
<EngineDocList>
  <DocVersion>1.0</DocVersion>
  <EngineDoc>
    ...
    <User>
      <Username>testuser</Username>
      <Password>test</Password>
      <CustomField DataType="S32">blablabla</CustomField>
    </User>
    ...
  </EngineDoc>
</EngineDocList>
I get a token in response, but the API requires it to be sent in the body as a field of each request rather than as an Authorization header.
Also, running the spider does not give me any time to log in manually, and I can't really provide any string to tell whether I'm logged in or logged out, as my Angular app is not server-rendered.
Any light is welcome. Thanks!
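As an added example (not part of the original question, and not ZAP's own or the project's code), the following shows the token-in-body handling the question asks about, written as plain JavaScript functions so the logic can be run and checked outside ZAP, plus the two ZAP HttpSender script hooks (sendingRequest / responseReceived) that would wire it into ZAP's script engine. Assumptions not stated in the question: the login response carries the token as a <Token> element, every authenticated request must carry it as a <Token> element directly inside <EngineDoc>, the CustomField value is a placeholder, and the script runs under ZAP's Graal JS engine (ES6 syntax).

```javascript
// Added example, not from the original post. Assumed token element name and
// placement (<Token> inside <EngineDoc>); adjust to what the real API returns.

const LOGIN_URL = "https://api.mytestproject.com/auth"; // from the question
const TOKEN_TAG = "Token"; // assumption: element carrying the session token

// Minimal XML escaping so user-supplied credentials cannot break the document.
function escapeXml(s) {
  const map = { "<": "&lt;", ">": "&gt;", "&": "&amp;", "'": "&apos;", '"': "&quot;" };
  return String(s).replace(/[<>&'"]/g, (c) => map[c]);
}

// Build the raw XML login document in the shape the question shows.
function buildLoginXml(username, password) {
  return [
    "<EngineDocList>",
    "<DocVersion>1.0</DocVersion>",
    "<EngineDoc>",
    "<User>",
    `<Username>${escapeXml(username)}</Username>`,
    `<Password>${escapeXml(password)}</Password>`,
    '<CustomField DataType="S32">blablabla</CustomField>', // placeholder value
    "</User>",
    "</EngineDoc>",
    "</EngineDocList>",
  ].join("\n");
}

// Pull the session token out of a login response body; null when absent,
// so a failed login never leaves a stale or empty token behind.
function extractToken(responseBody) {
  const m = new RegExp(`<${TOKEN_TAG}>([^<]+)</${TOKEN_TAG}>`).exec(responseBody);
  return m ? m[1].trim() : null;
}

// Insert the token into an outgoing request body, replacing any token already
// present (e.g. an expired one replayed by the scanner). Bodies without an
// <EngineDoc> element (JSON, static assets) are returned untouched.
function injectToken(requestBody, token) {
  if (!token || !/<EngineDoc>/.test(requestBody)) return requestBody;
  const tokenElem = `<${TOKEN_TAG}>${escapeXml(token)}</${TOKEN_TAG}>`;
  const existing = new RegExp(`<${TOKEN_TAG}>[^<]*</${TOKEN_TAG}>`);
  if (existing.test(requestBody)) return requestBody.replace(existing, tokenElem);
  return requestBody.replace("<EngineDoc>", "<EngineDoc>\n" + tokenElem);
}

function isLoginRequest(url) {
  return url === LOGIN_URL;
}

// --- ZAP HttpSender script hooks: only meaningful when loaded in ZAP ---
// Script-scope state persists across calls for the lifetime of the script.
var currentToken = null;

// Capture the token every time the login endpoint answers, so a re-login
// (manual or replayed) transparently refreshes what later requests carry.
function responseReceived(msg, initiator, helper) {
  if (isLoginRequest(msg.getRequestHeader().getURI().toString())) {
    const t = extractToken(msg.getResponseBody().toString());
    if (t) currentToken = t;
  }
}

// Patch every non-login request body before it leaves ZAP (spider, active
// scan and manual requests all pass through here) and fix Content-Length.
function sendingRequest(msg, initiator, helper) {
  const url = msg.getRequestHeader().getURI().toString();
  if (isLoginRequest(url)) return; // never add a token to the login call itself
  const original = msg.getRequestBody().toString();
  const patched = injectToken(original, currentToken);
  if (patched !== original) {
    msg.setRequestBody(patched);
    msg.getRequestHeader().setContentLength(msg.getRequestBody().length());
  }
}
```

In ZAP, this goes in the Scripts tab as an "HTTP Sender" script and must be enabled; the helper functions above are ordinary functions, so the token format can be checked against a captured login response before relying on it during a spider or active scan.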