How to authenticate with permanent token and bypass OAuth2 login


Thomas Reinecke

Sep 14, 2022, 4:34:38 AM
to OWASP ZAP User Group
Hi, I tried many things but now I started to get lost and I am looking for some guidance. I want to scan a website that is protected behind an SSO. So when I use the URL I want to scan, it gets redirected to the central login page from a different provider. I received a token that is used to bypass the login, but no one in my team has worked with OWASP ZAP. So I am looking for a way to tell ZAP to use this token as authentication, in order to bypass the login and go to the target URL, but I have no idea how to do that. I assume I need to inject the token in a header somewhere and maybe use script-based authentication? I tried to google but I did not really find an example where a permanent token is used to bypass authentication. Any help is much appreciated!! Thanks

Simon Bennetts

Sep 14, 2022, 4:53:14 AM
to OWASP ZAP User Group
Hiya,

Unfortunately this is not an easy situation to solve - you will need to understand exactly how the authentication and session handling works.
If you can do that then we should be able to help you with the ZAP side of things.
Having a token that bypasses the login will make your life much easier, but you will need to know exactly what you need to do with it.

Which SSO provider is it?
I've been reaching out to SSO providers in order to try to make this situation much easier to handle.
I'm also very happy to look through their docs to see what options we can work with...

Cheers,

Simon

Thomas Reinecke

Sep 14, 2022, 5:39:39 AM
to OWASP ZAP User Group
Hi Simon, thanks for the quick reply. It's Microsoft SSO. So when I want to spider my target URL, it redirects to the MS login page, which is then out of context. Even when I add this URL to my default context and spider the default context (which includes my target URL and the MS login URL), the scan stops at the MS login page and shows it to be out of context. In theory, my idea is to add an `Authorization: Bearer <token>` header to each HTTP request and then use my permanent token for that. I want to do that in the UI but I am a bit overwhelmed by all the scripts found on the internet. I also tried a replacer rule but that did not work.

Best
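The header injection described in the post above, as an added example that is not part of the thread and not code from the ZAP project: a ZAP "HTTP Sender" script (Scripts tab, New Script, type HTTP Sender, engine Graal.js or Nashorn) that adds `Authorization: Bearer <token>` to every request ZAP sends to the target host and leaves requests to any other host, including the SSO provider, untouched. The token value, the host `app.example.com` and the `makeConstructedMessage` stand-in for ZAP's `HttpMessage` are assumptions made for this example; the `sendingRequest` / `responseReceived` callbacks and the `getRequestHeader().setHeader()` / `getURI().getHost()` calls are ZAP's real script contract.

```javascript
// Added example (not from the thread or the ZAP project): ZAP HTTP Sender
// script that injects a permanent bearer token into requests to the target.
// TOKEN and TARGET_HOST are placeholders (assumptions); replace with your own.

var TOKEN = "REPLACE_WITH_PERMANENT_TOKEN";   // assumed placeholder value
var TARGET_HOST = "app.example.com";           // assumed target host (constructed)

// ZAP calls this for every outgoing request (proxy, spider, active scan, ...).
// msg is ZAP's HttpMessage; initiator identifies the ZAP component sending it.
function sendingRequest(msg, initiator, helper) {
    var header = msg.getRequestHeader();
    var host = String(header.getURI().getHost()).toLowerCase();
    // Only the application may see the token: a request to the SSO provider or
    // to any third-party host the spider follows is left alone, so the secret
    // cannot leak through a redirect or an external link.
    if (host !== TARGET_HOST) {
        return;
    }
    // setHeader replaces any Authorization header already on the request.
    header.setHeader("Authorization", "Bearer " + TOKEN);
}

// ZAP requires both callbacks to be defined, even if one does nothing.
function responseReceived(msg, initiator, helper) {
}

// ---- Offline check: constructed stand-in for ZAP's HttpMessage ----
// Models only the methods the script uses; ZAP itself never calls this.
function makeConstructedMessage(host) {
    var headers = {};
    var requestHeader = {
        getURI: function () {
            return { getHost: function () { return host; } };
        },
        setHeader: function (name, value) { headers[name] = value; },
        getHeader: function (name) {
            return headers.hasOwnProperty(name) ? headers[name] : null;
        }
    };
    return { getRequestHeader: function () { return requestHeader; } };
}

// Runs the script logic against a constructed request to the given host and
// returns the resulting Authorization header, or null when none was added.
function authorizationHeaderFor(host) {
    var msg = makeConstructedMessage(host);
    sendingRequest(msg, 0, null);
    return msg.getRequestHeader().getHeader("Authorization");
}
```

Before relying on the script, confirm with a single manual request (for example `curl -H "Authorization: Bearer <token>" https://app.example.com/` with the assumed host) that the application actually accepts the token and returns the page rather than a redirect to the SSO login; if it still redirects, the token is not what the application's session handling expects and no ZAP configuration will change that. Once the header works, add the SSO login URL to the context's exclusions so the spider stops following the redirect, and treat the script file like the credential it contains.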

User

Jul 29, 2024, 2:15:59 PM
to ZAP User Group
Hello,

I'm facing a similar issue. Were you able to overcome this as this is something I am looking into?

Thank you!

Simon Bennetts

Aug 5, 2024, 10:49:38 AM
to ZAP User Group
This thread is 2 years old and out of date.
For the latest authentication options see https://www.zaproxy.org/docs/authentication/

Cheers,

Simon