I am scanning RESTful WebServices and it is secured by OAuth2 (Spring Security OAuth). These webservices are not accessible from the website, only accessed by other applications as server to server API calls.
Each application requests for the token (POST call) and receives access token, refresh token, expiry duration in response. Every further request sends an unique correlation id, access token as request headers.
I was planning to use web proxy to record the requests, convert to web macro and use workflow driven scan. But since the token expires and correlation id needs to be unique, requests sent from webinspect fail. Is there a way to replace the token , correlation id in the macro prescan or dynamically during the scan?