Automated authentication detection and configuration


Kajan Mohanagandhirasa

May 6, 2018, 2:39:10 AM5/6/18
to OWASP ZAP Developer Group
Hi, I am Kajan from the University of Moratuwa, Sri Lanka. 
It is my pleasure to meet you all again with good news. 
I am working on "Automated authentication detection and configuration"[1] as my GSoC project.
I will be updating my blog[2] weekly with my progress and other useful information related to this project.
To automate the task for as many sorts of web apps as possible, I am maintaining a list of different authentication schemes here[3]. 
I want your help in prioritizing the most used and important authentication schemes.
In addition to that, please help me to extend this list by sharing your knowledge.
Of course, I will not be able to address all schemes within the GSoC period. But now I am part of a great community and will remain so after GSoC. So feel free to suggest a scheme even if only a small portion of web apps are using it. I want to build a comprehensive list. This will not only help me to identify my future work but also to implement it in a way such that other schemes can be easily ported.
I am not an expert in anything. I am willing to hear your thoughts regarding this project. That will help me a lot.

Thanks in advance :) and happy coding.


Cheers,
Kajan

psiinon

May 8, 2018, 5:19:20 AM5/8/18
to OWASP ZAP Developer Group
Thanks Kajan :)

All - please let Kajan know about the authentication mechanisms that you have seen.
We know that while ZAP is very flexible it's also difficult to configure ZAP to handle authentication, hence this project.
And for that we need your help - so if you've ever configured ZAP to handle authentication, or plan to in the future, then please let us know what authentication mechanisms you need us to support.

Many thanks,

Simon

kingthorin+owaspzap

May 8, 2018, 9:16:23 PM5/8/18
to OWASP ZAP Developer Group
I reviewed the google doc, it seems to cover the things I seem to encounter on a regular basis. Probably like 95% form based auth, 3% authorization header (bearer, oauth, etc), 2% basic/digest.

Looking forward to this functionality.

Dave Wichers

May 9, 2018, 10:22:38 AM5/9/18
to zaproxy...@googlegroups.com
A scheme that seems to be missing from this doc, but is supported by ZAP actually, is the use of PKI certs. Both real certs and soft certs.

That support seems to work great when I use it in ZAP, so I don't know of any enhancements that ZAP should implement in this area, but it's probably worth mentioning. I do have one suggested enhancement related to cert support: https://github.com/zaproxy/zaproxy/issues/2489, but it's not a big deal.

-Dave



psiinon

May 9, 2018, 10:26:33 AM5/9/18
to OWASP ZAP Developer Group
Thanks Dave - good catch!

Javan Rasokat

Feb 26, 2019, 8:22:32 AM2/26/19
to OWASP ZAP Developer Group
I have a very bad authentication scheme for you. When the jsessionid is part of the URL and not stored in a cookie. The passive rule already detects jsessionid in URL [1].
But this kind of session management is not supported by ZAP. Read more: https://github.com/zaproxy/zaproxy/issues/3008#issuecomment-458114763
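The URL-carried JSESSIONID case described above, as an added detection example: this is not ZAP's passive rule and not code from the thread, and it is written as a stand-alone Python check rather than a ZAP script. It flags session tokens in both the servlet path-parameter form (`;jsessionid=`) and the query-string form over a constructed request log; the parameter-name set and the log lines are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Session token names commonly carried in URLs; JSESSIONID is the one the thread discusses.
# (Constructed list for this example, not ZAP's own.)
SESSION_PARAM_NAMES = {"jsessionid", "phpsessid", "sessionid", "sid"}

# Servlet containers may rewrite the token as a path parameter: /app/page;jsessionid=ABC123
PATH_PARAM_RE = re.compile(r";(?P<name>[^;=?#]+)=(?P<value>[^;/?#]*)", re.IGNORECASE)


def redact(token):
    """Keep only a short prefix so a report does not leak the live session token."""
    return token[:4] + "..." if len(token) > 4 else token


def find_session_ids_in_url(url):
    """Return (location, name, redacted_value) findings for session tokens in the URL.

    location is 'path' for ;name=value path parameters and 'query' for ?name=value parameters.
    """
    parts = urlsplit(url)  # urlsplit leaves ;params inside .path, which is what we want to scan
    findings = []
    for m in PATH_PARAM_RE.finditer(parts.path):
        if m.group("name").lower() in SESSION_PARAM_NAMES:
            findings.append(("path", m.group("name"), redact(m.group("value"))))
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SESSION_PARAM_NAMES:
            findings.append(("query", name, redact(value)))
    return findings


# Constructed request lines in "METHOD target HTTP-version" form, as seen in an access log.
SAMPLE_REQUEST_LOG = """\
GET /shop/cart;jsessionid=8A1F4C2E9B7D0A3F5C6E HTTP/1.1
GET /shop/search?q=shoes&page=2 HTTP/1.1
GET /login?JSESSIONID=0F9E8D7C6B5A4F3E2D1C&next=/account HTTP/1.1
GET /api/v1/items HTTP/1.1
"""


def scan_request_log(log_text):
    """Return [(line_index, findings)] for every request whose target carries a session token."""
    results = []
    for idx, line in enumerate(log_text.splitlines()):
        fields = line.split(" ", 2)
        if len(fields) != 3:
            continue  # not a request line; skip it
        findings = find_session_ids_in_url(fields[1])
        if findings:
            results.append((idx, findings))
    return results
```

Tokens are redacted in the output, so the report can be shared without exposing a usable session id.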

Kajan

Feb 26, 2019, 9:17:23 AM2/26/19
to OWASP ZAP Developer Group
Thank you very much for bringing that to my attention Javan :)
Without extra checks that's really a bad scheme.
Anyway, since there are apps with such a scheme I will include it in the list.

Regards,
Kajan

hauschu...@gmail.com

Feb 27, 2019, 6:51:45 AM2/27/19
to OWASP ZAP Developer Group
Awesome!