Handling of Authentication, Session Management and Users

Cosmin Stefan-Dobrin, Sep 12, 2013, 6:13:00 PM, to zaproxy...@googlegroups.com

Hi,

During this summer, I've worked on developing a big set of changes that allows ZAP to handle Authentication, Session Management and Users in a consistent and customizable way.

The changes related to this have just been merged into the trunk, so feel free to explore and experiment with the new features. And please let me know everything that pops into your mind related to this.

A summary of the features:
  • for a given Context, new tabs have been added to customize and configure the way Authentication and Session Management are performed. The options are available via the Session Properties dialog.
  • Support has been added for Form-Based Authentication (e.g. classical login request) or Manual Authentication (you login manually and just select the already logged in HTTP session).
  • Support has been added for Cookie-Based Session Management
  • Once the authentication scheme has been configured, a set of Users can be defined for each Context. These Users can then be used for various actions (e.g. Spider URL/Context as User Y, send all requests as User X). In the near future more actions will be provided that make use of the users. And, also, the core part has been implemented so that using Users in other Extensions can be done extremely easily.
  • A "Forced-User" extension has been implemented and aims to replace the old Authentication extension that was performing re-authentication. A 'forced-user' mode is now available via the toolbar (the same icon as the old Authentication extension). After setting a User as the 'Forced-User' for a given context, when the 'Forced-User' mode is enabled every request sent through ZAP is automatically modified so that it's sent from the point of view of this user. This mode also performs re-authentication automatically (especially in conjunction with the Form-Based Authentication) if lack of authentication ('logged out') is detected.
  • the 'Authentication' extension has been deprecated. It's still present in ZAP, but moving on to the Forced-User extension (presented above) is suggested as it provides more powerful and customizable features (by allowing the use of various authentication schemes or multiple users).

More details and documentation will come in the following days. But, in the meantime, feel free to ask any questions that you might have.

Cheers,

Cosmin
Mostafa, Oct 8, 2013, 6:42:51 AM, to zaproxy...@googlegroups.com


Hi Cosmin,

I’m currently working on a scenario in which a user enters the URL of his/her web app to be scanned. What I do is that I get the URL and try to crawl the whole web app based on that, using spider functionality in ZAP. Then I use active scanner to scan the web app, finally I get the alert results from ZAP in xml format and show that to the user. I’ve attached the code which does the above scenario.

BUT,

I tested the code with DVWA, and noticed something. Despite the fact that the spider can crawl the web app and finds as many URLs as it can, the scanner does not report any serious (high priority) vulnerability such as XSS or SQL injection. As we all know, DVWA already has those vulnerabilities. So I think what is missing here is the login (authentication) part, which I don't do.

My question is:

Is there any way that we can get the login information from the user and enter that into web app through java code?

 

Regards.

Attachment: DVWATest.java

Stephen de Vries, Oct 8, 2013, 6:53:25 AM, to zaproxy...@googlegroups.com


Hi Mostafa,

> Is there any way that we can get the login information from the user and enter that into web app through java code?

This sounds like a job for Selenium WebDriver (http://docs.seleniumhq.org/projects/webdriver/):

First define a proxy:

import org.openqa.selenium.remote.CapabilityType;
import org.openqa.selenium.remote.DesiredCapabilities;

// ZAPPROXY is the "host:port" that ZAP is listening on (see ZAP's local proxy options)
org.openqa.selenium.Proxy proxy = new org.openqa.selenium.Proxy();
proxy.setHttpProxy(ZAPPROXY).setSslProxy(ZAPPROXY);

DesiredCapabilities cap = new DesiredCapabilities();
cap.setCapability(CapabilityType.PROXY, proxy);


Then create a driver instance using the proxy:

private WebDriver driver = new FirefoxDriver(cap); // you can also use HtmlUnitDriver, a pure Java headless driver that's faster


Then create a function to login to DVWA:

import org.openqa.selenium.By;

public void login(String username, String password) {
    // every request the driver makes now goes through ZAP, so the login is recorded there
    driver.get("http://dvwa");

    // You'll have to check the HTML of the DVWA login form to get the correct IDs for the code below:
    driver.findElement(By.id("username")).sendKeys(username);
    driver.findElement(By.id("password")).sendKeys(password);
    driver.findElement(By.className("button")).submit();
}

Then change your existing test so that WebDriver first logs in, then spider with ZAP, then scan. (And make sure that the spider doesn't find the logout link!)


Cosmin Stefan-Dobrin, Oct 8, 2013, 7:05:41 AM, to zaproxy...@googlegroups.com

Hi,

As you have mentioned, I believe you also need to set up the authentication. In the latest _trunk_ version of ZAP, all of the required authentication functionality is available via the API. You might need to build the JavaClient yourself. I'm not exactly sure. Simon?

Anyway, for what you're interested to do, the steps that you would have to do before starting the spidering would be:
  1. Add the web app you are scanning to a Context (let's say context 1), via the Context -> includeRegexs method
  2. Set the authentication for the Context to form-based authentication: via Authentication -> setAuthenticationMethod(1, 'formBasedAuthentication', authMethodParams). The authMethodParams need to be constructed as instructed by Authentication -> getAuthenticationMethodConfigParams('formBasedAuthentication'). It should be something like: authMethodParams="loginUrl=http%3A%2F%2Flocalhost%3A8090%2Fdvwa%2Flogin.jsp&loginRequestData=username%3D%7B%25username%25%7D%26password%3D%7B%25password%25%7D" (note the URL encoding)
  3. Set indicators that will tell ZAP when it's authenticated, via Authentication->setLoggedInIndicator. Example: setLoggedInIndicator(1,'Logout')
  4. Set the User that you need to login as, via Users -> newUser(1,'name') and Users->setAuthenticationCredentials(1,0,'username=xxx&password=yyy')

Then you can spider from the point of view of the user defined at 3, via Spider -> scanURLAsUser. Or you can set it as a 'ForcedUser' and any request sent to the DVWA will be sent from the perspective of that user. Logouts are detected automatically and ZAP logs in by itself.

Let me know if you bump into something.

I admit that the documentation is still a bit behind, but it's something I'm working on right now. Also, in a couple of days I'm hoping to finish a few 'tutorial' style videos presenting the new features and how they should be used.


Cosmin
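The four steps above, plus the logout-link exclusion Stephen raises later in the thread, as an added example that is not part of the original post and not ZAP's own client code. It drives the same API actions in their URL form (http://host:port/JSON/component/action/name/?...) with urllib, which is what the Java client wraps, so the URL encoding Cosmin points out is visible. The host/port, context id and name, URLs, regexes and credentials are constructed sample values, and the action names are those of the current ZAP API, which is an assumption where they differ from the trunk names quoted above (includeRegexs, scanURLAsUser).

```python
"""Configure ZAP form-based authentication for a context, define a user and spider as that user.

Added example, not code from the thread or from ZAP's own Java client. All
addresses, identifiers and credentials below are constructed sample values.
"""
import json
from urllib.error import HTTPError
from urllib.parse import urlencode
from urllib.request import urlopen

ZAP_ADDR = "localhost:8090"        # constructed; must match ZAP's local proxy address
API_KEY = ""                       # empty when the API key check is off; newer releases require one
CONTEXT_ID = 1                     # assumed id of the context the target is added to
CONTEXT_NAME = "Default Context"   # assumed name of that same context


def auth_method_params(login_url, user_field="username", pass_field="password"):
    """Build authMethodConfigParams for formBasedAuthentication.

    loginRequestData keeps the literal {%username%} and {%password%} tokens;
    ZAP substitutes the selected user's credentials when it logs in. The
    result is one URL-encoded string, which is encoded a second time when it
    travels as a query parameter (api_url below does that).
    """
    login_data = f"{user_field}={{%username%}}&{pass_field}={{%password%}}"
    return urlencode({"loginUrl": login_url, "loginRequestData": login_data})


def credentials_params(username, password):
    """authCredentialsConfigParams for a form-based user (same encoding rules)."""
    return urlencode({"username": username, "password": password})


def api_url(endpoint, params):
    """Full URL for one ZAP API action; every value is query-encoded exactly once here."""
    query = dict(params)
    if API_KEY:
        query["apikey"] = API_KEY
    return f"http://{ZAP_ADDR}/JSON/{endpoint}/?{urlencode(query)}"


def setup_calls(target_url, login_url, logged_in_regex, logout_regex,
                username, password, user_id=0):
    """Ordered (endpoint, params) pairs: scope, auth method, logged-in check,
    user, logout exclusion, spider as user. Action names assume the current ZAP API."""
    return [
        ("context/action/includeInContext",
         {"contextName": CONTEXT_NAME, "regex": target_url + ".*"}),
        ("authentication/action/setAuthenticationMethod",
         {"contextId": CONTEXT_ID, "authMethodName": "formBasedAuthentication",
          "authMethodConfigParams": auth_method_params(login_url)}),
        ("authentication/action/setLoggedInIndicator",
         {"contextId": CONTEXT_ID, "loggedInIndicatorRegex": logged_in_regex}),
        ("users/action/newUser", {"contextId": CONTEXT_ID, "name": username}),
        ("users/action/setAuthenticationCredentials",
         {"contextId": CONTEXT_ID, "userId": user_id,
          "authCredentialsConfigParams": credentials_params(username, password)}),
        ("users/action/setUserEnabled",
         {"contextId": CONTEXT_ID, "userId": user_id, "enabled": "true"}),
        # keep the spider off the logout link, otherwise it ends the session it just got
        ("spider/action/excludeFromScan", {"regex": logout_regex}),
        ("spider/action/scanAsUser",
         {"url": target_url, "contextId": CONTEXT_ID, "userId": user_id}),
    ]


def run(calls):
    """Send each action to a running ZAP; ZAP signals errors with an HTTP error status."""
    results = []
    for endpoint, params in calls:
        url = api_url(endpoint, params)
        try:
            with urlopen(url, timeout=30) as resp:
                results.append(json.load(resp))
        except HTTPError as err:
            raise RuntimeError(f"{endpoint} failed: HTTP {err.code} {err.read()!r}") from err
    return results


if __name__ == "__main__":
    # constructed DVWA-style target; the logged-in indicator is the text only a logged-in page shows
    calls = setup_calls(
        target_url="http://localhost/dvwa",
        login_url="http://localhost/dvwa/login.php",
        logged_in_regex="Logout",
        logout_regex=r".*logout\.php.*",
        username="dvwa_user",
        password="dvwa_pass",
    )
    for body in run(calls):
        print(body)
```

The order matters: the context scope and authentication method must exist before a user can be created in that context, and the logout exclusion must be in place before the spider starts, since the Forced-User re-login only helps once ZAP has noticed the logged-in indicator is gone.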



Mostafa, Oct 8, 2013, 9:45:31 AM, to zaproxy...@googlegroups.com

Hi stephendv,

I tried the method you proposed, trying to login using Selenium HtmlUnitDriver. I’ve attached my updated source code. But despite the fact that I had added the selenium jar files to the Build Path libraries in Eclipse (also attached a picture of my libraries), each and every time I try to run my code I get the following error, no matter what WebDriver I use (either FirefoxDriver, HtmlUnitDriver, etc) :

java.lang.NoClassDefFoundError: com/gargoylesoftware/htmlunit/WebWindowListener
       at mostafa.DVWATest.login(DVWATest.java:168)
       at mostafa.DVWATest.scanDVWA(DVWATest.java:190)
       at mostafa.DVWATest.main(DVWATest.java:227)
Caused by: java.lang.ClassNotFoundException: com.gargoylesoftware.htmlunit.WebWindowListener
       at java.net.URLClassLoader$1.run(URLClassLoader.java:366)
       at java.net.URLClassLoader$1.run(URLClassLoader.java:355)
       at java.security.AccessController.doPrivileged(Native Method)
       at java.net.URLClassLoader.findClass(URLClassLoader.java:354)
       at java.lang.ClassLoader.loadClass(ClassLoader.java:424)
       at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:308)
       at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
       ... 3 more

Any idea what causes this error or how it could be solved?

Furthermore,

by ZAPPROXY do you mean http://localhost:8090? Did I set it right in my code?

Plus,

how do I ensure the spider doesn't find the logout link?

 

Thanks in advance.

Attachments: JavaBuildPath.png, DVWATest.java

Stephen de Vries, Oct 8, 2013, 9:56:57 AM, to Mostafa, zaproxy...@googlegroups.com


> I tried the method you proposed, trying to login using Selenium HtmlUnitDriver. I’ve attached my updated source code. But despite the fact that I had added the selenium jar files to the Build Path libraries in Eclipse (also attached a picture of my libraries), each and every time I try to run my code I get the following error, no matter what WebDriver I use (either FirefoxDriver, HtmlUnitDriver, etc) :

You may need the jar for the specific driver too, e.g. http://mvnrepository.com/artifact/net.sourceforge.htmlunit/webdriver/2.6 for htmlunitdriver.

> by ZAPPROXY do you mean http://localhost:8090 ? Did I set it right in my code?

ZAPPROXY is the port where ZAP is listening for requests to proxy. Since you can change this in ZAP, I don't know what it is on your system.
> how to ensure spider doesn't find the logout link?

In the "spider" part of the API there's a call:

excludeFromScan (regex* )

Which will let you tell the spider to exclude a specific URL regex.


regards,
Stephen

Mostafa, Oct 12, 2013, 5:50:15 AM, to zaproxy...@googlegroups.com, Mostafa


Hi Stephen,
I've added both the HtmlUnit driver jar and selenium-server-standalone-2.35.0 to my build path libraries (as you can see in the attached file). But when the code reaches this line

htmlUnitDriver.get("http://localhost/dvwa");

in the “login” method where I want to get the login page, I always receive this error:

17679 [main] ERROR org.zaproxy.zap.ZAP$UncaughtExceptionLogger  - Exception in thread "main"
java.lang.NoSuchMethodError: org.apache.http.impl.conn.DefaultClientConnectionOperator.<init>(Lorg/apache/http/conn/scheme/SchemeRegistry;Lorg/apache/http/conn/DnsResolver;)V
       at org.apache.http.impl.conn.PoolingClientConnectionManager.createConnectionOperator(PoolingClientConnectionManager.java:140)
       at org.apache.http.impl.conn.PoolingClientConnectionManager.<init>(PoolingClientConnectionManager.java:114)
       at org.apache.http.impl.conn.PoolingClientConnectionManager.<init>(PoolingClientConnectionManager.java:99)
       at org.apache.http.impl.conn.PoolingClientConnectionManager.<init>(PoolingClientConnectionManager.java:85)
       at com.gargoylesoftware.htmlunit.HttpWebConnection.createHttpClient(HttpWebConnection.java:557)
       at com.gargoylesoftware.htmlunit.HttpWebConnection.getHttpClient(HttpWebConnection.java:518)
       at com.gargoylesoftware.htmlunit.HttpWebConnection.getResponse(HttpWebConnection.java:155)
       at com.gargoylesoftware.htmlunit.WebClient.loadWebResponseFromWebConnection(WebClient.java:1486)
       at com.gargoylesoftware.htmlunit.WebClient.loadWebResponse(WebClient.java:1403)
       at com.gargoylesoftware.htmlunit.WebClient.getPage(WebClient.java:305)
       at com.gargoylesoftware.htmlunit.WebClient.getPage(WebClient.java:374)
       at org.openqa.selenium.htmlunit.HtmlUnitDriver.get(HtmlUnitDriver.java:366)
       at org.openqa.selenium.htmlunit.HtmlUnitDriver.get(HtmlUnitDriver.java:355)
       at mostafa.DVWATest.login(DVWATest.java:175)
       at mostafa.DVWATest.scanDVWA(DVWATest.java:212)
       at mostafa.DVWATest.main(DVWATest.java:249)

 

Do you have a clue for what might cause this error?

 

Thanks.

Attachment: JavaBuildPath2.png

Mostafa, Oct 14, 2013, 4:23:00 AM, to zaproxy...@googlegroups.com, Mostafa

Hi, I noticed something. When I try to get some page with an HtmlUnitDriver object in a separate Eclipse project other than the ZAP one, I don't get the above error, but when I try to do it in my ZAP project, I receive the above error. It's really weird!
Can anyone give me some clue, why this happens?

Thanks.