ZAP Scan with Authenticated User in Angular Single Page Application with REST API JAVA Backend


Badhumvee

Oct 5, 2019, 2:37:53 AM
to OWASP ZAP User Group
Hi Friends, 

I am learning ZAP and have been trying for a while to get the authenticated user scan working for our Angular SPA.  I tried going through the tutorials and articles and the user group discussions but so far it has not worked for me.  So I am hoping that you would please help me get this user authenticated session in ZAP configured.  

Most pages in our Single Page App have unique URLs/routes without using any parameters (i.e. www.MyDomain.com/profile; www.MyDomain.com/UGC/Item1; www.MyDomain.com/UGC/Item1/edit) for each page. I mention this because we don't have pages where our SPA uses parameters for differentiating pages like in some of your examples (i.e. we don't have these kinds of URLs ---> https://www.example.com/app/aaa?page=p1&ddd=eee OR https://www.example.com/app/aaa?page=p2&ddd=fff). BUT, there are cases when we open 'Modals' with FORM INPUT fields. These Modals don't really have their own unique URLs because they open as an overlay on the currently open page. Ideally we would like the ZAP scanner to scan/test all our pages along with all of their Modals.


First request: User login

Our Angular Frontend App in the client/browser receives the user's Login/Password in our Login form/page. Then the Frontend app calls our REST API based BackEnd Application by inserting the Login/Password in a GET call like below:

GET https://d1h-FAKE-rjsiw73.cloudfront.net/abc/api/oauth/token?username=Firs...@email.com&password=abc123454321xyz&client_id=restapp&client_secret=restapp&grant_type=password HTTP/1.1

In the RESPONSE to the above GET request, the response body looks like the JSON below: 

{"access_token":"5ceb8q09c-2585-vsc8-b246-e33145cx746f","token_type":"bearer","refresh_token":"c2bref9-799s8-4ee0s-9dfc86-6dfes1b1b","expires_in":11999}


Subsequent Requests: 
The Client FrontEnd app then sends the following GET request to get user info using the access_token it received in the first response above, and a cookie with userSessionId.  

Connection: keep-alive
Authorization: Bearer 5ceb8q09c-2585-vsc8-b246-e33145cx746f
Cookie: userSessionId=c9631576-9bd5-4be3-a7ba-9e1f26c64a13



LOGOUT:
On ALL of our SPA pages, there is a Drop-Down-Menu in the header which has LOGOUT as the last item in the list.  When the user clicks on Logout option, our FrontEnd app calls the 'api/logout' with a POST call as shown below...

REQUEST:
Connection: keep-alive
Authorization: Bearer 5ceb8q09c-2585-vsc8-b246-e33145cx746f
Cookie: userSessionId=c9631576-9bd5-4be3-a7ba-9e1f26c64a13

The RESPONSE to the above POST request is below: 
{"statusCode":"200","statusMessage":"Operation Successful","responseBody":null}


At this point, the FrontEnd app deletes/clears the access_token from the client/browser's session storage and ROUTES USER to the login page.  

Detecting Logged-In / Logged-Out state:  
As you can see in the responses above, we do not really get the HTML for the page and so there is no 'Sign in' or 'Logout' text/indication that can be detected in the 'Response'.  The only way to detect the logged in/out Status is to actually 'find' the 'Login' OR the 'SignOut' text on our Browser/client screen. 



With the above explanation in mind, please address the following questions: 
  1. How do we configure ZAP to run scans with automatically authenticated user sessions with OAuth tokens?
  2. How to make sure the AJAX-Scanner will scan the Modals?
  3. How to detect Logged in/out state by searching for some text in the screen instead of inspecting/expecting some text in the response?
  4. Would you be able to refer me to a similar example/sample configuration explained somewhere?
I am sorry this was long but I tried my best to provide enough details. I'd greatly appreciate it if you could guide me in configuring ZAP to effectively scan our Angular SPA app.

Thank you.

Benzion Yunger

Oct 6, 2019, 3:03:43 AM
to zaprox...@googlegroups.com
Hi,

I just spent a week breaking my head over the same issue also with an Angular app, here are my conclusions.

1. Ideally the JSON-based authentication should work to authenticate, and you can verify this in your Output tab. If it doesn't work, it could be a number of issues. Take a look at this article for possibilities: https://github.com/zaproxy/zaproxy/wiki/FAQformauth . If this still does not work, you can write a script to perform the authorization, and write another HttpSender script to update all subsequent requests with the JWT in the header. You will need to create a global variable to make this work.

2. However, in truth, a successful authentication probably won't help you with your issue. The reason being, the scan will only work on whatever is in your site tree, and as long as your browser does not make specific requests to these pages your site tree will not populate. Although the authentication process should be passed to the browser, sometimes in these situations it does not; what happens is the proxy steals the session to make the authentication requests, but does not pass it down to the browser.

3. I opened an issue about this last week, and it seems like ZAP does not support this right now. The workaround is to perform the authorization with a Selenium ZAP-proxied driver, then perform the scan.

You can take a look for yourself here https://github.com/zaproxy/zaproxy/issues/5609


Good luck!



Badhumvee

Oct 6, 2019, 1:17:41 PM
to OWASP ZAP User Group
Hi Benzion,

Thanks for sharing your findings. I was a bit surprised to hear that SPA support is so limited because today more and more applications are taking the SPA route. I am a beginner when it comes to working with the ZAP scanner, and some of the script suggestions you make are going to be a challenge to implement without some examples of typical/recommended setup configs.

It would be very helpful to have a walkthrough of how to set up the ZAP+Selenium driver to configure an authenticated user scan of Angular SPA apps.

Has anyone else tried to make this work?  


Thanks a lot.

Benzion Yunger

Oct 6, 2019, 3:17:17 PM
to zaprox...@googlegroups.com
Before writing scripts, can you confirm the JSON-based authentication does not authenticate?

Badhumvee

Oct 6, 2019, 4:27:51 PM
to OWASP ZAP User Group
Hi Benzion,

I had tried JSON from your previous response, but that did not authenticate the user for us because our first login call does not take JSON, as mentioned:

GET https://d1h-FAKE-rjsiw73.cloudfront.net/abc/api/oauth/token?username=Firs...@email.com&password=abc123454321xyz&client_id=restapp&client_secret=restapp&grant_type=password HTTP/1.1

In terms of the script, I have limited experience, so not sure how far I could go in that direction.  Any help from the community would be greatly appreciated.  Thanks.

Badhumvee

Oct 15, 2019, 6:07:00 PM
to OWASP ZAP User Group
Hi, has anyone solved this problem? This seems to be a common enough challenge for most SPAs out there. Any guidance from the pros here would be greatly appreciated.

kingthorin+owaspzap

Oct 15, 2019, 6:58:24 PM
to OWASP ZAP User Group
Use an HttpSender script to get the token and set it in subsequent requests.
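As an added illustration of the HttpSender approach suggested in both replies above (Benzion's "global variable" note and kingthorin's one-liner), here is a ZAP HttpSender script written for this thread; it is not code from the ZAP project or from any poster. It watches for the token endpoint the original post describes (the path `/oauth/token` and the JSON body with `access_token` are taken from that post), stores the token in a ZAP global variable via ZAP's real `org.zaproxy.zap.extension.script.ScriptVars` class, and adds `Authorization: Bearer <token>` to every later request ZAP sends, skipping the login call itself. The variable name `spa_access_token`, the `makeMessage` stand-in and the `example.invalid` URLs are constructed for this example so the file can also be run under Node to check the logic; inside ZAP the real `HttpMessage` objects are supplied by the scanner.

```javascript
// ZAP HttpSender script (ES5, runs under ZAP's Nashorn/Graal engine).
// Added example for this thread, not ZAP project code.

var TOKEN_VAR = "spa_access_token"; // global variable name (constructed for this example)
var TOKEN_PATH = "/oauth/token";     // token endpoint path from the original post

// Inside ZAP, ScriptVars is the real Java class. Outside ZAP (e.g. running this
// file under Node to check the logic) fall back to a constructed in-memory map.
var ScriptVars = (typeof Java !== "undefined")
  ? Java.type("org.zaproxy.zap.extension.script.ScriptVars")
  : (function () {
      var store = {};
      return {
        setGlobalVar: function (k, v) { store[k] = v; },
        getGlobalVar: function (k) { return store.hasOwnProperty(k) ? store[k] : null; }
      };
    })();

// Pull access_token out of a token-endpoint JSON body; null if absent or not JSON.
function extractAccessToken(body) {
  try {
    var json = JSON.parse(body);
    return (json && typeof json.access_token === "string") ? json.access_token : null;
  } catch (e) {
    return null;
  }
}

// True for the login call itself, which must not carry a (stale) Bearer header.
function isTokenRequest(msg) {
  return msg.getRequestHeader().getURI().toString().indexOf(TOKEN_PATH) !== -1;
}

// ZAP calls this before sending each request (spider, AJAX spider, active scan, proxy).
function sendingRequest(msg, initiator, helper) {
  if (isTokenRequest(msg)) return;
  var token = ScriptVars.getGlobalVar(TOKEN_VAR);
  if (token) {
    msg.getRequestHeader().setHeader("Authorization", "Bearer " + token);
  }
}

// ZAP calls this after each response; refresh the stored token whenever the
// token endpoint answers successfully, so re-logins during a scan are picked up.
function responseReceived(msg, initiator, helper) {
  if (!isTokenRequest(msg)) return;
  if (msg.getResponseHeader().getStatusCode() != 200) return;
  var token = extractAccessToken(msg.getResponseBody().toString());
  if (token) ScriptVars.setGlobalVar(TOKEN_VAR, token);
}

// Constructed stand-in for ZAP's HttpMessage, only for running this file outside
// ZAP. It exposes just the methods the two hooks above use.
function makeMessage(url, statusCode, responseBody) {
  var headers = {};
  return {
    getRequestHeader: function () {
      return {
        getURI: function () { return { toString: function () { return url; } }; },
        setHeader: function (name, value) { headers[name] = value; },
        getHeader: function (name) { return headers.hasOwnProperty(name) ? headers[name] : null; }
      };
    },
    getResponseHeader: function () {
      return { getStatusCode: function () { return statusCode; } };
    },
    getResponseBody: function () {
      return { toString: function () { return responseBody; } };
    }
  };
}

// Drives the hooks the way ZAP would: login call first, then an API call.
// Returns the Authorization header each request ended up with.
function simulateLoginThenApiCall() {
  var tokenMsg = makeMessage(
    "https://example.invalid/abc/api/oauth/token?grant_type=password", 200,
    '{"access_token":"TOKEN-FROM-LOGIN","token_type":"bearer","expires_in":11999}');
  sendingRequest(tokenMsg, 1, null);
  responseReceived(tokenMsg, 1, null);

  var apiMsg = makeMessage("https://example.invalid/abc/api/user/profile", 200, "{}");
  sendingRequest(apiMsg, 1, null);

  return {
    tokenRequestAuth: tokenMsg.getRequestHeader().getHeader("Authorization"), // null
    apiRequestAuth: apiMsg.getRequestHeader().getHeader("Authorization")      // "Bearer TOKEN-FROM-LOGIN"
  };
}
```

Load this in ZAP's Scripts tab as an HttpSender script and enable it; the first login made through the proxy (for example from the browser, or from a Selenium driver pointed at ZAP as Benzion suggests) populates the global variable, after which spider and active-scan traffic is sent with the Bearer header. The `userSessionId` cookie from the original post is not handled here; ZAP's normal session handling carries cookies on its own. When the token expires, a fresh login through the proxy overwrites the stored value, since `responseReceived` re-reads every successful token response.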