Authentication with OWASP Juice Shop and ZAP


Nirojan Selvanathan

Oct 15, 2019, 7:03:27 AM
to OWASP ZAP Developer Group
Hi All,

For the API documentation of ZAP I'm using Juice Shop as a standard example. I was able to configure the form-based authentication and get a successful response. But the token provided by the login response is not appended to the follow-up requests in ZAP. Can I know how to configure this via ZAP? The following images show the configurations I have done in ZAP.

[Image: Selection_331.png]

[Image: Selection_332.png]


I have also enabled the forced user mode in ZAP. The following image shows a successful authentication by ZAP when I start the Ajax Spider.

[Image: Selection_329.png]


Following the login, the application in normal mode (not proxied through ZAP) attaches the login response as a bearer token for the follow-up request.

[Image: Selection_330.png]

But when I browse through the ZAP requests, they do not include the token in the Auth header. So how can I make ZAP append the token from the login response as an Authorization header? Am I missing any configurations, or should I write any custom scripts to perform this?

Thanks in Advance.


Peter Hauschulz

Oct 16, 2019, 4:00:01 AM
to OWASP ZAP Developer Group
Hi!

I seem to remember Juice Shop has a modern SPA-type setup, so I believe you will need to either set that token manually via Replacer, or some kind of script combination to grab and/or append the token (httpsender, etc.).

I know, it definitely seems like there should be a clean how-to for ZAP and Juice Shop on this one (note to self...)

Here are some areas to look anyway:
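As an added example (not code from this thread or from the ZAP project), this is what the "httpsender script" option mentioned above looks like for the scenario in the original question: capture the JWT from the Juice Shop login response and add it as an Authorization: Bearer header to every later request. It assumes the login endpoint is POST /rest/user/login and that the response body has the shape {"authentication": {"token": "..."}}; the `Java`/ScriptVars fallback is only there so the functions also run outside ZAP.

```javascript
// ZAP HttpSender script (added example). Assumed Juice Shop login endpoint and response shape:
// POST /rest/user/login -> {"authentication": {"token": "<jwt>"}} (constructed, not from the thread).
var LOGIN_PATH = "/rest/user/login";
var TOKEN_KEY = "juiceshop.jwt";
var localStore = {}; // fallback store so the functions also run outside ZAP (e.g. in a test)
var inZap = typeof Java !== "undefined"; // Java.type is only available inside ZAP's script engine

// ZAP keeps per-script state in ScriptVars; outside ZAP fall back to the plain object.
function setToken(token) {
  if (inZap) Java.type("org.zaproxy.zap.extension.script.ScriptVars").setGlobalVar(TOKEN_KEY, token);
  else localStore[TOKEN_KEY] = token;
}
function getToken() {
  if (inZap) return Java.type("org.zaproxy.zap.extension.script.ScriptVars").getGlobalVar(TOKEN_KEY);
  return localStore[TOKEN_KEY] || null;
}

// Pull the token out of the login JSON; null for anything that is not a login response.
function extractToken(body) {
  try {
    var json = JSON.parse(body);
    if (json && json.authentication && typeof json.authentication.token === "string") {
      return json.authentication.token;
    }
  } catch (e) { /* not JSON */ }
  return null;
}

// ZAP calls this for every outgoing request (spider, active scan, proxied browser traffic).
function sendingRequest(msg, initiator, helper) {
  var token = getToken();
  var hdr = msg.getRequestHeader();
  // Skip the login endpoint itself and never overwrite an Authorization header already present.
  if (token && hdr.getURI().toString().indexOf(LOGIN_PATH) === -1 && !hdr.getHeader("Authorization")) {
    hdr.setHeader("Authorization", "Bearer " + token);
    return true;
  }
  return false;
}

// ZAP calls this for every response; a successful login refreshes the stored token.
function responseReceived(msg, initiator, helper) {
  var uri = msg.getRequestHeader().getURI().toString();
  if (uri.indexOf(LOGIN_PATH) !== -1 && msg.getResponseHeader().getStatusCode() === 200) {
    var token = extractToken(msg.getResponseBody().toString());
    if (token) { setToken(token); return true; }
  }
  return false;
}
```

Load it in the Scripts tab as an HTTP Sender script and enable it; once the login has gone through ZAP (for example via the Ajax Spider's authentication), every following request gets the header.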

psiinon

Oct 16, 2019, 4:09:22 AM
to OWASP ZAP Developer Group
I'm looking into how we can make ZAP better at handling the sorts of authentication mechanisms used by modern web apps, so if anyone has any specific requests or requirements then let me know here :)

psiinon

Oct 16, 2019, 4:47:37 AM
to OWASP ZAP Developer Group

Andres Hermosilla

Oct 16, 2019, 10:00:10 AM
to OWASP ZAP Developer Group
I cover authentication against Juice Shop here https://github.com/rezen/zap-tutorial/blob/master/10_authentication.md

psiinon

Oct 16, 2019, 10:11:38 AM
to OWASP ZAP Developer Group
Thanks - I'd forgotten about that!

Peter Hauschulz

Oct 18, 2019, 4:58:08 AM
to OWASP ZAP Developer Group
For better or (and) worse, I'm just going to barf out some ideas here!

I'm imagining something like, "as a user, I would like there to be a single dialog to manage all possible authentication types and scenarios in a highly configurable and easy to understand visual way".

As far as I understand it, current Auth configuration use-cases can range from straightforward usage of ZAP's current session management (Form, script, etc.), to a variety of approaches that may involve a combination of Replacer functions, auth, sequence, standalone and/or httpsender scripts (also depending on what scan is being performed).

The scenarios that these are needed to handle:

- cookie-based
- token-based (also browser)
- also needs to allow for CSRF, nonce, etc.
- OTP
- multiple simultaneous sessions (i.e., ZAP needs to authenticate to an application to scan it, while also maintaining a session with some host for that application... remote dev environment on AWS, etc.)
- I'm sure I'm missing a bunch

ZAP needs to send auth information
ZAP needs to recognize when it needs to send or not send auth information
ZAP needs to recognize when it needs to re-authenticate
ZAP needs to recognize and capture session information
ZAP needs to know where to send that information (itself, back to browser, etc)
ZAP needs to know what context this applies to
ZAP needs to know what user
ZAP needs to know which scan this applies for?

I know there's always a functional trade-off for who the 'primary market' is for the tool, whether it should be so intuitive that new users can get going right away for their systems, or if it should be more configurable to cover more scenarios but maybe have a slightly higher learning curve.

Personally, I imagine a dialog with:

a text field (what to send to authenticate), and then checkboxes.
- send in URL: yes/no (probably popup warning for that since that's a no-no)
- send in header: yes/no
- send in body: yes/no

Then a field for regex/capture of session info, and then checkboxes (what to do with it and how often)
- for instance:
  - send to browser: yes/no
  - send in header: yes/no
  - send in body: yes/no
  - send in URL: yes/no
  - apply to: spider/ajax/active/fuzzer/forcedbrowse/etc.

Then a field for recognizing auth state via regex and checkboxes
  - check in: response code/response header/response body
  - re-authenticate when logged out: yes/no
  - re-authenticate before every request: yes/no

Also the option to add additional messages, like the Sequencer, if needed.

Maybe it would be like right-clicking on a request in ZAP history and selecting 'auth request', and then it would be like the fuzzer in that a dialog with a copy of the message would pop up for configuring and editing. You could highlight different areas and assign different values to send, replace, etc.

Well, there's my brain dump! Hopefully that wasn't too much 'back seat driving', I know this stuff is a lot of work (nearly all of which is beyond me) and that time is in short supply! :)
