Hi Simon,
I took care of Token Id in the Zest script in the following way:
I saved the dynamic token value in the currentToken param:

Then I used currentToken in Headers of the next requests:

Then I added a new Context to the session where I defined the Authentication zest script and Regex pattern:
I hope it is a correct way to work with dynamic values and authentication script.
Please let me know if anything in this process is wrong.
Thank you.
From: zaprox...@googlegroups.com <zaprox...@googlegroups.com>
On Behalf Of Simon Bennetts
Sent: Wednesday, November 3, 2021 5:25 AM
To: OWASP ZAP User Group <zaprox...@googlegroups.com>
Subject: [zaproxy-users] Re: zest authentication script questions
--
You received this message because you are subscribed to the Google Groups "OWASP ZAP User Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to
zaproxy-user...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/zaproxy-users/4c576bd0-58b6-4c5a-9c92-e8ba3ca40048n%40googlegroups.com.
Thank you so much for the quick response!
I will try the manual authentication.
Thank you,
Marianna
From: zaprox...@googlegroups.com <zaprox...@googlegroups.com>
On Behalf Of Simon Bennetts
Sent: Wednesday, November 3, 2021 12:07 PM
To: OWASP ZAP User Group <zaprox...@googlegroups.com>
Subject: Re: [zaproxy-users] Re: zest authentication script questions
Hi Marianna,
If you just need to set a header then I would do that via an env var: https://www.zaproxy.org/docs/desktop/start/features/authentication/#envvars
Always choose the simplest option available :)
You can still get ZAP to maintain the auth stats - just use "manual" authentication and keep the authentication verification section as now.
Cheers,
Simon
On Wednesday, 3 November 2021 at 15:53:48 UTC mari...@edprop.com wrote:
Hi Simon,
I took care of Token Id in the Zest script in the following way:
I saved the dynamic token value in the currentToken param:
Then I used currentToken in Headers of the next requests:
Then I added a new Context to the session where I defined the Authentication zest script and Regex pattern:
I am not sure how to define the env var at the system level to use it in the manual authentication, as you suggested.
Unfortunately I didn't find any info about it.
The token is coming from the Googleapi, and it is used in the headers of the company’s requests.
From the ZAP User Guide:
Environmental Variables
ZAP supports a set of Authentication Header Environmental Variables - these will be applied by ZAP if they are defined however ZAP is run, including via the Automation Framework.
These environmental variables must be defined at the system level - if they are defined in the environment env section then they will be ignored.
Thank you,
Marianna