Kerberos authentication


Floodeen Tom

Jun 10, 2022, 5:28:22 PM
to OWASP ZAP User Group
Hello,

We have an application where we can configure Kerberos authentication such that the user simply needs to click on a button to automatically log in. The user will then be authenticated with the logged-in operating system credentials, and no username/password is needed. (There is also an "automatically log-in" button, but that does not work when launching the browser from ZAP.)
From a ZAP perspective, I just need ZAP to click on a button or to submit the jsession token that has already been created. If I right-click the ZAP-captured GET request and open the URL in the browser, it works fine.
There is no data in the body text, it is all in the header, and is quite large.
Is there a way to have ZAP use this authentication information when scans are done? The current ZAP authentication documentation and videos do not appear to have this use case covered.

thanks,
-Tom



Simon Bennetts

Jun 15, 2022, 8:28:09 AM
to OWASP ZAP User Group
Hi Tom,

So you need ZAP to launch a browser, click on a button and then use the jsession token that has been created?
Try launching a browser and clicking on the button using a Zest script.
Search for the "zest" tag on https://www.zaproxy.org/videos-list/
If that works then it should be relatively straightforward to get this working.
If it doesn't work then we'll need to work out why...

Cheers,

Simon

Floodeen Tom

Jun 15, 2022, 11:49:26 AM
to OWASP ZAP User Group
Simon,

Thanks for the pointer. A Zest script seems like it could work.
When I record or add a request to a Zest script, it leaves out a critical part of the header. For example,

Original Request:

GET http://MACHINE_NAME:8080/PATH/KRB HTTP/1.1
Host:  MACHINE_NAME:8080
Proxy-Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.115 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://MACHINE_NAME:8080/URL/
Accept-Language: en-US,en;q=0.9
Cookie: AUTH-AUTO-LOGIN=true; AUTO-LOGIN-TYPE=AUTO-LOGIN-KRB

The same request when recorded, or when right-clicked to add to a Zest script:

GET http://MACHINE_NAME:8080/PATH/KRB HTTP/1.1
Proxy-Connection: keep-alive
Upgrade-Insecure-Requests: 1
Content-Length: 0

It is missing much of the header, especially the Cookie: information, which results in incorrect responses.

If I create the request manually in a Zest script, and paste the whole header information, the request works. The complication is that I need to feed the results from the response of this request into the header for the next request, and then one more time before the final JSESSIONID is created that is used for all subsequent requests.

Maybe this is too complicated to attempt? I will continue through the Zest tutorial videos to see if any great revelations happen.

Regards,
-Tom

Floodeen Tom

Jun 15, 2022, 12:13:02 PM
to OWASP ZAP User Group
It looks like when I run it, even after creating the proper header manually, the Zest script leaves out the Cookie: portion of the header.

Zest script request header:

GET http://MACHINE_NAME:8080/PATH/KRB  HTTP/1.1
Host: MACHINE_NAME:8080
Proxy-Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.115 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://MACHINE_NAME:8080/URL/
Accept-Language: en-US,en;q=0.9
Cookie: AUTH-AUTO-LOGIN=true; AUTO-LOGIN-TYPE=AUTO-LOGIN-KRB
Content-Length: 0

The request Zest ran:

GET http://MACHINE_NAME:8080/PATH/KRB HTTP/1.1
Host: MACHINE_NAME:8080
Proxy-Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.115 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://MACHINE_NAME:8080/URL/
Accept-Language: en-US,en;q=0.9
Content-Length: 0

In addition, adding the Zest script manually allows me to enter a response in the dialog for the first request. For all subsequent requests, whatever I enter in the request dialog is left out and not ever saved.
I will continue to look at other solutions in ZAP, but it seems something fishy is going on with Zest.

Regards,
-Tom

Floodeen Tom

Jun 17, 2022, 3:00:23 PM
to OWASP ZAP User Group
I think I solved my original problem by creating a ZEST Authentication script that calls the URL that does the Kerberos authentication. I set up the Authentication context to use this script, and it seems my cookie authentication using Kerberos is working.

Thanks for the ZEST pointers!

Regards,
-Tom