Script Based Authentication - Difficult Scenario


NCoder

Aug 18, 2016, 2:01:54 AM
to OWASP ZAP User Group
Hello,

I have an application with SSO authentication which does the following:

1) The first time, I log in by entering the credentials.
2) The next time, when it signs me out and signs in again, it automatically picks up and validates a token and then logs me back in, which is how SSO authentication usually works.

There are multiple requests that are sent before the SSO token is actually generated; even the password that is sent the first time is basically hashed and sent as a key prior to receiving the SSO token.

I tried selecting the authentication requests from the history, adding them to a Zest script and choosing Authentication Script.
There are multiple applications involved in authentication, hence I added all those domains to a particular context.
I then edited the context and, under Authentication, chose Script-based Authentication and the saved authentication script. After that I get two parameters: Login URL and method params.

Questions:

1) What do I enter here, and what does it do in the backend?
2) Also, since there are no fields like username/password in my request (they are hashed and sent as a key), how do I verify this as Forced User to ensure the script is working right?
3) Is the solution I am trying above right, or is there an alternative?

NCoder

Aug 18, 2016, 2:33:46 PM
to OWASP ZAP User Group
Also, one more question: can I include a terminal command as part of a Zest script?

Simon Bennetts

Aug 22, 2016, 4:30:37 AM
to OWASP ZAP User Group
The Login URL and method params are added by default. They are available to your script as per any other Zest parameter; if you don't need them then you can just supply dummy parameters.

To check that authentication is working correctly, ZAP supports logged in/out regexes. These are regex patterns that you should configure to match strings in the responses which indicate whether the user is logged in or logged out.

Authentication is always a pain to handle, especially if it's not just a simple form.
The options you have are:
  1. Using a Zest server side script, which is what you are currently trying
  2. Using a Zest client side script, which launches a browser - I created a standalone script for creating Persona accounts
  3. Using an authentication script written in any of the other supported languages
  4. Convincing your devs to support a more scriptable authentication option in your test / staging environment

If you have a lot of problems scripting your SSO then option 4 might be a good alternative, if you can talk them into it.

I think when developing a web app developers have a responsibility to make it testable, and providing an easier way to script authentication in a testing environment could well be part of that.


Cheers,


Simon
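A worked example of option 3 in the reply above (an authentication script in one of ZAP's other scripting languages), added here as an illustration; it is not taken from the thread or from the ZAP project. It is written in JavaScript against ZAP's script-based authentication interface (`authenticate`, `getRequiredParamsNames`, `getOptionalParamsNames`, `getCredentialsParamsNames`) and models the multi-step login described in the question: fetch the login page, pull a one-time token out of it, then POST the credentials together with that token. The parameter name `Login URL`, the hidden field `sso_token` and the form field names are assumptions to be replaced with whatever the requests in your History tab actually use; the client-side hashing the question mentions is app-specific and is only pointed at in a comment. The pure helpers at the top take no ZAP objects, so you can exercise them, and the regexes you intend to enter as logged-in/logged-out indicators, outside ZAP before loading the script.

```javascript
// Added example, not from the thread or the ZAP project: a ZAP
// script-based authentication script (JavaScript) for a two-step login.
// Assumed names: the "Login URL" parameter, the hidden field "sso_token"
// and the form fields "username"/"password"; change them to match the
// requests you recorded in the History tab.

// ---- Pure helpers: no ZAP objects, testable outside ZAP ----

// Value of a hidden <input name="..." value="..."> in an HTML body, or
// null if the field is absent. The name is escaped for use in a RegExp.
function extractHiddenField(body, name) {
  var safe = name.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
  var re = new RegExp('<input[^>]*name="' + safe + '"[^>]*value="([^"]*)"', "i");
  var m = re.exec(body);
  return m ? m[1] : null;
}

// Flat object -> application/x-www-form-urlencoded body.
function buildFormBody(fields) {
  return Object.keys(fields).map(function (k) {
    return encodeURIComponent(k) + "=" + encodeURIComponent(fields[k]);
  }).join("&");
}

// Dry run of the logged-in / logged-out indicators you intend to enter in
// the context. The precedence here (logged-out first) is this example's own
// choice, so that a page which shows both strings is treated as logged out.
function sessionState(body, loggedInRe, loggedOutRe) {
  if (loggedOutRe && loggedOutRe.test(body)) return "logged-out";
  if (loggedInRe && loggedInRe.test(body)) return "logged-in";
  return "unknown";
}

// ---- ZAP entry points ----

// Called by ZAP whenever a user has to be (re)authenticated.
//   helper       - ZAP's AuthenticationHelper (prepareMessage, sendAndReceive)
//   paramsValues - java.util.Map of the values entered for the names below
//   credentials  - the user's credentials from the context's Users tab
function authenticate(helper, paramsValues, credentials) {
  var HttpRequestHeader = Java.type("org.parosproxy.paros.network.HttpRequestHeader");
  var HttpHeader = Java.type("org.parosproxy.paros.network.HttpHeader");
  var URI = Java.type("org.apache.commons.httpclient.URI");

  var loginUri = new URI(paramsValues.get("Login URL"), false);

  // Step 1: GET the login page to obtain the one-time token the SSO
  // provider expects back together with the credentials.
  var page = helper.prepareMessage();
  page.setRequestHeader(new HttpRequestHeader(HttpRequestHeader.GET, loginUri, HttpHeader.HTTP11));
  helper.sendAndReceive(page);

  var token = extractHiddenField(page.getResponseBody().toString(), "sso_token");
  if (token === null) {
    // Fail loudly: a silent failure here shows up later as every scan
    // request running unauthenticated.
    throw new Error("sso_token not found at " + paramsValues.get("Login URL"));
  }

  // Step 2: POST credentials plus token. If your app sends a hash of the
  // password instead (as in the question), compute it here and put it in
  // the password field; this example assumes a plain form post.
  var login = helper.prepareMessage();
  login.setRequestHeader(new HttpRequestHeader(HttpRequestHeader.POST, loginUri, HttpHeader.HTTP11));
  login.getRequestHeader().setHeader(HttpHeader.CONTENT_TYPE, "application/x-www-form-urlencoded");
  login.setRequestBody(buildFormBody({
    username: credentials.getParam("Username"),
    password: credentials.getParam("Password"),
    sso_token: token
  }));
  login.getRequestHeader().setContentLength(login.getRequestBody().length());
  helper.sendAndReceive(login);

  // ZAP checks the context's logged-in/logged-out indicators against the
  // returned message; cookies set along the way stay in the user's session.
  return login;
}

// Parameters the context's Authentication panel prompts for.
function getRequiredParamsNames() { return ["Login URL"]; }
function getOptionalParamsNames() { return []; }

// Per-user credential fields shown in the context's Users tab.
function getCredentialsParamsNames() { return ["Username", "Password"]; }
```

To use it, create a new script of type Authentication in the Scripts tab, paste it in, then in the context's Authentication panel select Script-based Authentication and this script; ZAP will prompt for `Login URL`, and the Users tab will ask for `Username` and `Password` per user. Forced User mode needs at least one such user, which is why creating one with dummy values (as suggested later in this thread) is enough to enable it even when the application never sees the plain password.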

Simon Bennetts

Aug 22, 2016, 4:36:43 AM
to OWASP ZAP User Group
Zest scripts can invoke any other script, including terminal commands.
However I think the UI only supports invoking scripts that are configured in ZAP.

So what you could do is create a standalone JavaScript / Jython / JRuby script which invokes a terminal command - you can then test that in isolation.
You should then be able to select it when you add a Zest Action Script.

Cheers,

Simon

Praveen Kanniah

Aug 22, 2016, 7:28:46 PM
to OWASP ZAP User Group
Hi Simon,

Thanks much for your reply.

So if I select the URLs that make an authentication request and create an auth script,
and if I provide dummy values for the login URL and params when setting authentication in the context,
how will I be able to run it in Forced User mode? Should I give a dummy username/password and create one so that I get the option enabled?

--
You received this message because you are subscribed to a topic in the Google Groups "OWASP ZAP User Group" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/zaproxy-users/hORPay2zrUw/unsubscribe.
To unsubscribe from this group and all its topics, send an email to zaproxy-user...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/zaproxy-users/506adcbe-5855-49da-a797-24caf2ad0999%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Simon Bennetts

Aug 23, 2016, 3:08:48 AM
to OWASP ZAP User Group
Yes, I'd recommend doing that.
We should change the UI to make this a 'supported' option.
Any suggestions as to how we can improve authentication handling gratefully received - I'm sure we could make it easier and/or more effective.

Cheers,

Simon

NCoder

Aug 23, 2016, 8:29:09 PM
to OWASP ZAP User Group
Hi Simon,

I totally agree with you on this. With web application authentication getting updated with SSO, multi-factor auth, trusted devices and so on, we will need to make our authentication option simpler, since successful authentication is what will ensure successful active scan results. Also, currently the active scan happens on a site-tree-based approach; I know there is a sequence plugin, but is there any plan in the future to perform the active scan in the same order the requests were recorded? This might help in scenarios where UI automation test cases are recorded via ZAP and then an active scan is performed.

Simon Bennetts

Aug 24, 2016, 3:33:23 AM
to OWASP ZAP User Group
There are already 2 ways to perform attacks in the same order they were recorded.
The first is the sequence plugin, but you do need to select the relevant requests and then choose to scan them.
The second is Attack mode (https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsModes). In this mode ZAP will automatically attack the URLs that are in scope as they are discovered, which will be in the order the requests are made.
Could this meet your requirements?

Cheers,

Simon

Praveen Kanniah

Aug 24, 2016, 2:26:55 PM
to OWASP ZAP User Group
Hi Simon,

This is something new; the second option should be a better fit for my situation, so that I can have ZAP set to Attack mode and remember that option. I shall try this and get back on this as well. Thank you again!

Praveen Kanniah

Aug 24, 2016, 3:53:46 PM
to OWASP ZAP User Group
Hi Simon,

Also, on a quick note, is there an option that does not repeat an already scanned URI? Not sure how logical that sounds, but sometimes having that option enabled can save a lot of time. Or is the tool already configured that way?

Simon Bennetts

Aug 25, 2016, 3:24:35 AM
to OWASP ZAP User Group
It already works this way :)
Attack mode just attacks 'new' requests rather than continually attacking ones it's already tried.

Cheers,

Simon

Praveen Kanniah

Aug 26, 2016, 1:10:06 AM
to zaprox...@googlegroups.com
OK, thanks a lot Simon, and sorry, one last question before I actually close this conversation: I can only start ZAP in attack mode via the daemon, right? Then converse for scans using the API, right?


Simon Bennetts

Aug 26, 2016, 3:57:56 AM
to OWASP ZAP User Group
Attack mode works in both the UI and the daemon and applies to all requests proxied through ZAP that are in scope.
In the UI you can enable it via the mode pulldown in the main tool bar: https://github.com/zaproxy/zap-core-help/wiki/HelpUiTltoolbar#mode-pulldown
In the API you can set it via the core/setMode action.

Cheers,

Simon

NCoder

Aug 26, 2016, 7:42:07 PM
to OWASP ZAP User Group
Hi Simon,

Thanks a lot! You provided some great information; let me try it all and get back to you!
I think I will have to trouble you one last time, where I'm finding issues due to a connection refused error; I'm really unable to trace where the issue is. I have opened a new post for the same.
Once again, thank you for the information!


psiinon

Sep 1, 2016, 7:33:16 AM
to zaprox...@googlegroups.com
That's not really how the attack mode is intended to be used :/
Why not put it into attack mode first?
You definitely don't want to use attack mode _and_ perform an active scan - that's just doing the same thing twice...

Cheers,

Simon

On Wed, Aug 31, 2016 at 1:18 AM, NCoder <praveen...@gmail.com> wrote:
Hi Simon,

I can see the attack mode performs the scan as and when the requests are recorded. 
To perform scan only on my context:

I can set ZAP in standard mode
Then record all the URLs
Set the context 
Switch to Attack Mode 
Then perform Active Scan

Would the above be considered an efficient method?

--
OWASP ZAP Project leader