script based authentication - How to automate


Bhoj Raj Joshi

Jun 24, 2021, 6:20:18 AM
to OWASP ZAP Developer Group

I am trying to automate the Docker implementation of ZAP proxy to target some of my token-based web applications, which use Amazon Cognito for authentication and authorization.

Since the target app needs a token as the Authorization header, in the ZAP desktop application this can be done through "Authentication" and "HttpSender" scripts, for fetching the token from Cognito and placing it in each HTTP request of the URLs being scanned respectively.

However, for ZAP Docker, I can send a context file to it using the "-n" flag; the file will also contain a reference to the "Authentication" script that I would create to fetch the token from Cognito. But I do not find a way to bind the "HttpSender" script with the context file, or any flag that takes this file, in the provided list of options given in the link above.

So, the questions are:

  1. Can I use additional libraries such as the AWS SDK within the Authentication script? How can I pass them to the ZAP Docker container so that the script can reference them at runtime?
  2. Is there a way to send the HttpSender script, or any other way, to put the token in each scan request?

Thanks!

Bhoj Raj Joshi

Jul 23, 2021, 11:03:09 AM
to OWASP ZAP Developer Group
Hello, anyone there to give me some directions on the above?

psiinon

Jul 26, 2021, 3:42:40 AM
to OWASP ZAP Developer Group
Replies below:

On Friday, 23 July 2021 at 17:03:09 UTC+2 Bhoj Raj Joshi wrote:
> Hello, anyone there to give me some directions on the above?
>
> On Thursday, 24 June, 2021 at 3:50:18 pm UTC+5:30 Bhoj Raj Joshi wrote:
>> I am trying to automate the Docker implementation of ZAP proxy to target some of my token-based web applications, which use Amazon Cognito for authentication and authorization.
>>
>> Since the target app needs a token as the Authorization header, in the ZAP desktop application this can be done through "Authentication" and "HttpSender" scripts, for fetching the token from Cognito and placing it in each HTTP request of the URLs being scanned respectively.

You can also use environmental variables for this: https://www.zaproxy.org/docs/desktop/start/features/authentication/#envvars

>> However, for ZAP Docker, I can send a context file to it using the "-n" flag; the file will also contain a reference to the "Authentication" script that I would create to fetch the token from Cognito. But I do not find a way to bind the "HttpSender" script with the context file, or any flag that takes this file, in the provided list of options given in the link above.
>>
>> So, the questions are:
>>
>>   1. Can I use additional libraries such as the AWS SDK within the Authentication script? How can I pass them to the ZAP Docker container so that the script can reference them at runtime?

Scripts have the same access to the filesystem as ZAP does. So you should be able to call any other scripts that are available.
Making scripts available is a Docker thing rather than anything ZAP specific, so there should be lots of links online, but you can mount a drive or you could create a new Docker image copying your scripts across when you build it.

>>   2. Is there a way to send the HttpSender script, or any other way, to put the token in each scan request?

You can use env vars as mentioned above, but those have to be set before ZAP starts.
But you can do anything you like really, e.g. poll a file on the filestore which contains the tokens, call a web service - you can do pretty much anything a normal command line script can do.

Cheers,

Simon

>> Thanks!

Bhoj Raj Joshi

Aug 11, 2021, 8:49:12 AM
to OWASP ZAP Developer Group
Thanks Simon for the reply. For some time I was going through the suggestions you have given here.

However, the biggest challenge for me was to load the "aws-sdk" through Oracle Nashorn/Graal.js (the internal ECMA engines in ZAP), but it was not successful. The first part of the problem is that the "require" functionality is not provided out of the box by these engines (e.g. var AWS = require('aws-sdk')); secondly, even if I use some third-party libraries such as "jvm-npm" or "requirejs", they cannot really load NPM native libs such as "aws-sdk".

So, I finally came up with a middleware which does the actual Amazon Cognito communication using "aws-sdk" and exposed the middleware as a REST API within the same container that ZAP is running on. This is in line with your suggestion to rebuild the ZAP Docker image by adding/installing the required packages/libs such as nodejs, npm and aws-sdk. In the authentication script (of type Oracle Nashorn/Graal.js) I make a GET request to this endpoint and get the token that needs to be passed to all the subsequent requests as "Authorization Bearer <token>" to the APIs (OpenAPIs) that I'm scanning, as part of an HttpSender script (of type Oracle Nashorn/Graal.js).

In a nutshell, mission accomplished :).

Thanks!
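The pattern described in the post above, as an added example that is not the poster's code: one Graal.js/Nashorn-style file holding both halves, the Authentication script that fetches the token from the local middleware and stores it in a ZAP global script variable, and the HttpSender script that reads it back and adds the `Authorization: Bearer` header. The middleware URL (`http://127.0.0.1:8081/token`), its JSON field name (`access_token`) and the target host list are assumptions, since the post gives none of them; the ZAP classes (`HttpRequestHeader`, `HttpHeader`, `URI`, `ScriptVars`) and the script entry points are ZAP's own. The token-handling helpers are kept free of ZAP dependencies so they can be tested outside ZAP, and the header is only added for listed target hosts, so the bearer token is not sent to the token endpoint itself or to any third-party host a scan might touch.

```javascript
// Added example (not the poster's code). Part 1 belongs in a ZAP "Authentication"
// script, part 2 in a ZAP "HttpSender" script (both Graal.js/Nashorn).
// Assumptions (hypothetical): a local middleware endpoint at TOKEN_URL that returns
// {"access_token": "..."} and a list of target API hosts that should receive the token.

var TOKEN_URL = "http://127.0.0.1:8081/token";  // assumption: local middleware endpoint
var TOKEN_FIELD = "access_token";               // assumption: JSON field holding the token
var TOKEN_VAR = "cognito_bearer_token";         // name of the ZAP global script variable
var TARGET_HOSTS = ["api.example.com"];         // assumption: hosts that get the header

// Extract the bearer token from the middleware's JSON response body.
// Throws if the field is missing or empty, so a broken middleware fails loudly
// instead of silently sending "Bearer undefined".
function parseToken(body) {
  var data = JSON.parse(body);
  var token = data[TOKEN_FIELD];
  if (typeof token !== "string" || token.length === 0) {
    throw new Error("token endpoint returned no usable '" + TOKEN_FIELD + "'");
  }
  return token;
}

// Only the scanned API hosts get the token; the token endpoint itself and any
// other host the scan reaches must not see it.
function shouldInject(host) {
  return TARGET_HOSTS.indexOf(host) !== -1;
}

// Set the Authorization header on an object exposing getHostName()/setHeader()
// (ZAP's HttpRequestHeader, or a stand-in for testing). Returns true when applied.
function injectBearer(requestHeader, token) {
  if (!token || !shouldInject(requestHeader.getHostName())) {
    return false;
  }
  requestHeader.setHeader("Authorization", "Bearer " + token);
  return true;
}

// ---- Part 1: Authentication script entry points (called by ZAP) ----

function authenticate(helper, paramsValues, credentials) {
  var HttpRequestHeader = Java.type("org.parosproxy.paros.network.HttpRequestHeader");
  var HttpHeader = Java.type("org.parosproxy.paros.network.HttpHeader");
  var URI = Java.type("org.apache.commons.httpclient.URI");
  var ScriptVars = Java.type("org.zaproxy.zap.extension.script.ScriptVars");

  // GET the token from the middleware running beside ZAP in the same container.
  var msg = helper.prepareMessage();
  msg.setRequestHeader(new HttpRequestHeader(
    HttpRequestHeader.GET, new URI(TOKEN_URL, false), HttpHeader.HTTP11));
  helper.sendAndReceive(msg);

  var status = msg.getResponseHeader().getStatusCode();
  if (status !== 200) {
    throw new Error("token endpoint returned HTTP " + status);
  }
  // Hand the token to the HttpSender script through a global script variable.
  ScriptVars.setGlobalVar(TOKEN_VAR, parseToken(msg.getResponseBody().toString()));
  return msg;
}

// The middleware holds the Cognito credentials, so ZAP itself needs no parameters.
function getRequiredParamsNames() { return []; }
function getOptionalParamsNames() { return []; }
function getCredentialsParamsNames() { return []; }

// ---- Part 2: HttpSender script entry points (called by ZAP for every request) ----

function sendingRequest(msg, initiator, helper) {
  var ScriptVars = Java.type("org.zaproxy.zap.extension.script.ScriptVars");
  // Returns false (no header) until authenticate() has stored a token.
  injectBearer(msg.getRequestHeader(), ScriptVars.getGlobalVar(TOKEN_VAR));
}

function responseReceived(msg, initiator, helper) {
  // Nothing to do on the response side for this pattern.
}
```

In ZAP the two parts would live in two script files of the respective types, with the HttpSender script enabled; a request sent before `authenticate` has run goes out without the header (`injectBearer` returns false) rather than with an empty one, which is the state a scan's first unauthenticated probe should be in anyway.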

psiinon

Aug 11, 2021, 9:34:16 AM
to OWASP ZAP Developer Group
Glad to hear it!
Do you think this option is something other people could make use of?
If so we'd be very happy for you to write a ZAP blog post about it :D

Many thanks,

Simon

Bhoj Raj Joshi

Aug 12, 2021, 12:15:04 AM
to OWASP ZAP Developer Group
Based on my online research so far, I did not find anything already implemented as such for OAuth-based authentication for OpenAPI scans in ZAP. This came out as a result of my tiring and at some point giving-up situation :)

Yes, I was thinking of writing a blog post for sure, but it may take some time. I believe it will help not only the users of Amazon Cognito but also all who have a requirement to get authenticated to their APIs using a "Bearer" token as an Authorization header, such as in OAuth, OIC, SAML etc. I will update here once I come up with the same.

Thanks!

Bhoj Raj Joshi

Aug 28, 2021, 5:28:06 AM
to OWASP ZAP Developer Group
Hi psiinon,

My content is ready for posting as a blog, can you please guide me on how to post it on the zaproxy site? I visited the https://www.zaproxy.org/blog/ site but did not see any option to create a blog post.

Thanks,

Bhoj

psiinon

Aug 28, 2021, 5:47:28 AM
to OWASP ZAP Developer Group
Hiya Bhoj,

The ZAP website is in a public repo so you can just submit a PR to that: https://github.com/zaproxy/zaproxy-website

Here's an example PR for a recent blog post: https://github.com/zaproxy/zaproxy-website/pull/530/files

If you're not comfortable with markdown then you can share your blog post with us in another format and we can handle the PRs.

Many thanks,

Simon

GG Nagarkar

Feb 7, 2023, 3:25:05 AM
to OWASP ZAP Developer Group
Hi Bhoj,

I am facing the same issue and would love to refer to your blog. Can you please point me to it?

Thanks
GG