Azure AD auth and Single page architecture auth


User

Feb 9, 2022, 5:29:20 AM
to OWASP ZAP User Group
Hi,

I am using ZAP Proxy in my build pipeline to test an application. ZAP is working fine and reporting issues.

However, I have two scenarios for which I have not found any option, so I just want to check whether there is one or not:
  1. Most of the pages of one application are protected by Azure AD authentication, which also has two-factor auth enabled and requires one to enter a mobile OTP or use other alternatives. How can I set up authentication in the ZAP context for this? I already know how to solve this for form-based authentication.
  2. Another application is based on a single-page architecture, where any Ajax call requiring authorization shows the login form if the user is not already logged in. I managed to capture the login POST in a ZAP JSON-based auth request. But how do I set up the logged-in or logged-out indicator?

Thanks
Bhushan

Simon Bennetts

Feb 9, 2022, 6:45:59 AM
to OWASP ZAP User Group
Hi Bhushan,


Re OTP (and if you can't turn it off or bypass it) - do you have a way to get the 2nd factor to the machine ZAP is running on?
If not then there's not much we can do!

Re logged in/out indicators - how can you tell if the user is logged in or not based on any request or response?
There has to be some way, otherwise why have authentication on the app?
We can't tell you what that might be - you have access to the app, we don't.

Cheers,

Simon

User

Feb 9, 2022, 8:19:47 AM
to OWASP ZAP User Group
Thanks, Simon, for your response.

I saw that make-your-life-easier page, so I wanted to see if anyone has done anything specific to work with Azure AD. I may be able to disable 2FA for a test user, but again that is not in my control; I understand an automation tool cannot do magic. In Selenium functional automation I am using TOTP to handle 2FA.

Anyway, my first challenge is for ZAP to handle the Azure login box itself. Has anyone done this and got it working?

Regarding the single-page architecture: when the JS code finds that no auth token exists in session storage, it shows the login form. On signing in through the login form, the user is logged in. All rendering of HTML happens via JS code only. So far I can see that the logged-in/logged-out indicator works based on the response body only.

Thanks


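As an added example (not part of the thread or of ZAP's own code), this is one way to work out the response-body indicators Bhushan describes for the SPA: pick a regex that only appears in authenticated JSON replies and one that only appears in the JSON error an unauthenticated Ajax call gets, check the pair offline against constructed sample responses, then push them into a ZAP context together with the JSON-based login request. The `zap` client object, the context id, the login URL and the sample JSON shapes are assumptions.

```python
import json
import re
from urllib.parse import quote

# Constructed sample Ajax responses (not from the original thread) modelling the
# SPA in the post: every call returns JSON, and an unauthenticated call answers
# with a JSON error rather than an HTML login page.
LOGGED_IN_BODY = json.dumps({"user": {"id": 42, "name": "tester"}, "items": []})
LOGGED_OUT_BODY = json.dumps({"error": "unauthorized", "message": "auth token missing"})

# Candidate indicators. ZAP matches these regexes against the whole response
# (status line, headers and body), so pick tokens that occur in only one state.
LOGGED_IN_REGEX = r'"user"\s*:\s*\{'
LOGGED_OUT_REGEX = r'"error"\s*:\s*"unauthorized"'


def classify(response: str) -> str:
    """Apply the indicators the way ZAP does: 'in', 'out' or 'unknown'."""
    if re.search(LOGGED_IN_REGEX, response):
        return "in"
    if re.search(LOGGED_OUT_REGEX, response):
        return "out"
    return "unknown"


def indicators_are_sound(logged_in_samples, logged_out_samples) -> bool:
    """Each regex must fire on its own state and never on the other one."""
    return (all(classify(r) == "in" for r in logged_in_samples)
            and all(classify(r) == "out" for r in logged_out_samples))


def configure_zap(zap, context_id: str, login_url: str) -> None:
    """Push the indicators into a running ZAP via the python-owasp-zap-v2.4 client (assumed)."""
    # JSON-based authentication: ZAP substitutes the {%username%}/{%password%}
    # placeholders with the context user's credentials when it replays the login POST.
    login_body = json.dumps({"username": "{%username%}", "password": "{%password%}"})
    params = ("loginUrl=" + quote(login_url, safe="")
              + "&loginRequestData=" + quote(login_body, safe=""))
    zap.authentication.set_authentication_method(context_id, "jsonBasedAuthentication", params)
    zap.authentication.set_logged_in_indicator(context_id, LOGGED_IN_REGEX)
    zap.authentication.set_logged_out_indicator(context_id, LOGGED_OUT_REGEX)


if __name__ == "__main__":
    # Offline check that the indicator pair is consistent on the constructed samples.
    print(indicators_are_sound([LOGGED_IN_BODY], [LOGGED_OUT_BODY]))  # True
```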