Automate OAuth Authentication for REST APIs Security Scan


Sam

Jun 21, 2016, 8:56:11 AM
to OWASP ZAP User Group
Hi,

I was trying to scan a few REST APIs. These APIs use OAuth and are divided into two sets, each using a different grant type.

To get the access token I have to POST a request with the parameters as a query string (e.g. client_id=blabla&client_secret=blabla&grant_type=client_credentials) to one exposed API, say one that looks similar to http://MyBaseURL/GenerateTokenForMe

Now as a response I get a JSON document with several elements; it contains the access token as well. I need to grab this token and include it in the header of my APIs under test.

The response JSON looks similar to 

{
    "access_token": "A long alphanumeric token goes here",
    "token_type": "bearer",
    "expires_in": time,
    ".issued": "date time",
    ".expires": "expire date time"
}


Now this access token expires after some time and if it expires I need to replace the token again.

Is there any way I can do this automatically while running the scan/fuzz?

However, right now I am able to run the scan by recording requests using SoapUI, which contain a hardcoded access token in them.

Detailed steps to achieve this will be much appreciated as I am new to ZAP.

Thanks
Sam

kingthorin+owaspzap

Jun 21, 2016, 10:03:42 AM
to OWASP ZAP User Group
Message has been deleted

Sam

Jun 22, 2016, 5:23:05 AM
to OWASP ZAP User Group
Thanks for sharing the URLs, actually I already tried these scripts but was failing to achieve the required goal.

My bad, I should have taken a closer look at the scripts shared by Laurent Jubeau before asking a redundant question here.

However, I was getting an error for the HTTP Sender Script at step 2 shared by Laurent Jubeau, and the error was "No script interface found for HttpSender script". The script was also getting disabled automatically.

Later, when I used the default template of the script I found one extra function in it, which is as follows:

function responseReceived(msg, initiator, helper) {
}



If this function is missing, the "No script interface found for HttpSender script" error is generated. Well, I am not sure of the reasons.

Now, I am able to achieve this exactly as I want. 

Great Tools Guys..!!

Thanks

kingthorin+owaspzap

Jun 22, 2016, 5:49:17 AM
to OWASP ZAP User Group
Thanks for letting us know.

Would you mind opening an issue for a more descriptive error when the necessary function is missing? [1]

[1] https://github.com/zaproxy/zaproxy/issues/new

Sam

Jun 23, 2016, 2:29:44 AM
to OWASP ZAP User Group
Add a new issue for descriptive error https://github.com/zaproxy/zaproxy/issues/2614

thc...@gmail.com

Jun 23, 2016, 4:57:56 AM
to zaprox...@googlegroups.com
Thanks for raising the issue.

Best regards.

On 23/06/16 07:29, Sam wrote:
> Add a new issue for descriptive
> error https://github.com/zaproxy/zaproxy/issues/2614

Kamalpreet Kaur

Aug 16, 2018, 12:54:04 AM
to OWASP ZAP User Group
Hi Sam,

Can you please share your final script, as I have exactly the same requirement.

Thanks
Sims

Sam

Aug 27, 2018, 6:59:52 AM
to OWASP ZAP User Group
Hi Sims,

It's been long; I think my SenderScriptToken script was something like this:

function sendingRequest(msg, initiator, helper) {
    // Read the token that the authentication step stored as a global script variable
    var loginToken = org.zaproxy.zap.extension.script.ScriptVars.getGlobalVar("logintoken");

    // Attach it as a bearer token to every outgoing request
    msg.getRequestHeader().setHeader("Authorization", "Bearer " + loginToken);

    print('Sending Request called for url=' + msg.getRequestHeader().getURI().toString());
}

function responseReceived(msg, initiator, helper) {
}

Hope this will help.

Regards,
Sam

Kamalpreet Kaur

Aug 30, 2018, 10:52:55 PM
to zaprox...@googlegroups.com
Thanks Sam. I could develop it using the template. The authentication is working as expected.


Teja Banka

Feb 24, 2020, 12:21:34 AM
to OWASP ZAP User Group
I've been working on this for Swagger, no luck. Can someone please send the updated Auth script and HTTP Sender script?

I'm getting "Authorization: Bearer undefined" on the request.




Teja Banka

Feb 24, 2020, 12:28:35 AM
to OWASP ZAP User Group
Please find the attachment for the Auth credentials that I gave.


// This authentication script can be used to authenticate in a webapplication via forms.
// The submit target for the form, the name of the username field, the name of the password field
// and, optionally, any extra POST Data fields need to be specified after loading the script.
// The username and the password need to be configured when creating any Users.

// The authenticate function is called whenever ZAP requires to authenticate, for a Context for which this script
// was selected as the Authentication Method. The function should send any messages that are required to do the authentication
// and should return a message with an authenticated response to the calling method.
//
// NOTE: Any message sent in the function should be obtained using the 'helper.prepareMessage()' method.
//
// Parameters:
//   helper - a helper class providing useful methods: prepareMessage(), sendAndReceive(msg)
//   paramsValues - the values of the parameters configured in the Session Properties -> Authentication panel.
//     The paramsValues is a map, having as keys the parameters names (as returned by the getRequiredParamsNames()
//     and getOptionalParamsNames() functions below)
//   credentials - an object containing the credentials values, as configured in the Session Properties -> Users panel.
//     The credential values can be obtained via calls to the getParam(paramName) method. The param names are the ones
//     returned by the getCredentialsParamsNames() below

function authenticate(helper, paramsValues, credentials) {
    print("Authenticating via JavaScript script...");

    // Make sure any Java classes used explicitly are imported
    var HttpRequestHeader = Java.type("org.parosproxy.paros.network.HttpRequestHeader");
    var HttpHeader = Java.type("org.parosproxy.paros.network.HttpHeader");
    var URI = Java.type("org.apache.commons.httpclient.URI");

    // Prepare the login request details
    var requestUri = new URI(paramsValues.get("Target URL"), false);
    var requestMethod = HttpRequestHeader.POST;
    // Build the request body using the credentials values
    var extraPostData = paramsValues.get("Extra POST data");
    var requestBody = paramsValues.get("Username field") + "=" + encodeURIComponent(credentials.getParam("Username"));
    requestBody += "&" + paramsValues.get("Password field") + "=" + encodeURIComponent(credentials.getParam("Password"));
    if (extraPostData.trim().length() > 0) {
        requestBody += "&" + extraPostData.trim();
    }

    // Build the actual message to be sent
    print("Sending " + requestMethod + " request to " + requestUri + " with body: " + requestBody);
    var msg = helper.prepareMessage();
    msg.setRequestHeader(new HttpRequestHeader(requestMethod, requestUri, HttpHeader.HTTP10));
    msg.setRequestBody(requestBody);

    // Send the authentication message and return it
    helper.sendAndReceive(msg);
    print("Received response status code: " + msg.getResponseHeader().getStatusCode());

    return msg;
}

// This function is called during the script loading to obtain a list of the names of the required configuration parameters,
// that will be shown in the Session Properties -> Authentication panel for configuration. They can be used
// to input dynamic data into the script, from the user interface (e.g. a login URL, name of POST parameters etc.)
function getRequiredParamsNames() {
    return ["Target URL", "Username field", "Password field"];
}

// This function is called during the script loading to obtain a list of the names of the optional configuration parameters,
// that will be shown in the Session Properties -> Authentication panel for configuration. They can be used
// to input dynamic data into the script, from the user interface (e.g. a login URL, name of POST parameters etc.)
function getOptionalParamsNames() {
    return ["Extra POST data"];
}

// This function is called during the script loading to obtain a list of the names of the parameters that are required,
// as credentials, for each User configured corresponding to an Authentication using this script
function getCredentialsParamsNames() {
    return ["Username", "Password"];
}


HTTP Sender
// The sendingRequest and responseReceived functions will be called for all requests/responses sent/received by ZAP,
// including automated tools (e.g. active scanner, fuzzer, ...)

// Note that new HttpSender scripts will initially be disabled
// Right click the script in the Scripts tree and select "enable"

// 'initiator' is the component that initiated the request:
// 1 PROXY_INITIATOR
// 2 ACTIVE_SCANNER_INITIATOR
// 3 SPIDER_INITIATOR
// 4 FUZZER_INITIATOR
// 5 AUTHENTICATION_INITIATOR
// 6 MANUAL_REQUEST_INITIATOR
// 7 CHECK_FOR_UPDATES_INITIATOR
// 8 BEAN_SHELL_INITIATOR
// 9 ACCESS_CONTROL_SCANNER_INITIATOR
// 10 AJAX_SPIDER_INITIATOR
// For the latest list of values see the HttpSender class:
// 'helper' just has one method at the moment: helper.getHttpSender() which returns the HttpSender
// instance used to send the request.
//
// New requests can be made like this:
// msg2 = msg.cloneAll() // msg2 can then be safely changed as required without affecting msg
// helper.getHttpSender().sendAndReceive(msg2, false);
// print('msg2 response=' + msg2.getResponseHeader().getStatusCode())

function sendingRequest(msg, initiator, helper) {
    // Read the token stored as a global script variable by the authentication step
    var loginToken = org.zaproxy.zap.extension.script.ScriptVars.getGlobalVar("logintoken");
    var authHeader = "Bearer " + loginToken;

    // Set the HTTP headers on the outgoing request
    var httpRequestHeader = msg.getRequestHeader();
    httpRequestHeader.setHeader("Authorization", authHeader);
    httpRequestHeader.setHeader("Access_Key", "my access key");
    msg.setRequestHeader(httpRequestHeader);

    // Debugging can be done using print like this
    print('sendingRequest called for url=' + msg.getRequestHeader().getURI().toString());
}

function responseReceived(msg, initiator, helper) {
    // Debugging can be done using print like this
    print('responseReceived called for url=' + msg.getRequestHeader().getURI().toString());
}

please help. thanks 
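The sender scripts in this thread read the global variable "logintoken", but the form-login authentication script posted above never stores anything under that name, which is how the request ends up carrying "Bearer undefined". Below is an added example, not code from the thread or from ZAP's own templates, of a ZAP authentication script for the client_credentials grant that POSTs to the endpoint configured as "Token URL", extracts access_token from the JSON reply described in the first post, and stores it with ScriptVars.setGlobalVar for the sender script to pick up; the parameter name "Token URL", the credential names "Client ID"/"Client Secret" and the form-encoded token request are assumptions.

```javascript
// Added example: ZAP authentication script (Nashorn JS) for the OAuth2 client_credentials grant.
// The pure helpers run anywhere; authenticate() needs ZAP's Java classes. Names marked "assumed" are not from the thread.
var TOKEN_VAR = "logintoken";   // global ScriptVars key that the thread's HttpSender script reads

// Parse the token endpoint's JSON reply; fail loudly rather than let the sender script emit "Bearer undefined".
function extractAccessToken(bodyText) {
    var body = JSON.parse(bodyText);
    if (typeof body.access_token !== "string" || body.access_token.length === 0) {
        throw new Error("token response has no access_token");
    }
    if (body.token_type && String(body.token_type).toLowerCase() !== "bearer") {
        throw new Error("unexpected token_type: " + body.token_type);
    }
    return body.access_token;
}

// Header value for the sender script; refuse to build one from a missing token.
function buildAuthorizationHeader(token) {
    if (!token) {
        throw new Error("no token stored under " + TOKEN_VAR + "; did authentication run?");
    }
    return "Bearer " + token;
}

// ZAP entry point, called whenever ZAP decides the context must (re)authenticate, e.g. after the token expired.
function authenticate(helper, paramsValues, credentials) {
    var HttpRequestHeader = Java.type("org.parosproxy.paros.network.HttpRequestHeader");
    var HttpHeader = Java.type("org.parosproxy.paros.network.HttpHeader");
    var URI = Java.type("org.apache.commons.httpclient.URI");
    var ScriptVars = Java.type("org.zaproxy.zap.extension.script.ScriptVars");
    var msg = helper.prepareMessage();
    msg.setRequestHeader(new HttpRequestHeader(HttpRequestHeader.POST,
        new URI(paramsValues.get("Token URL"), false), HttpHeader.HTTP11));   // "Token URL" is assumed
    msg.getRequestHeader().setHeader("Content-Type", "application/x-www-form-urlencoded");
    msg.setRequestBody("grant_type=client_credentials"
        + "&client_id=" + encodeURIComponent(credentials.getParam("Client ID"))
        + "&client_secret=" + encodeURIComponent(credentials.getParam("Client Secret")));
    msg.getRequestHeader().setContentLength(msg.getRequestBody().length());
    helper.sendAndReceive(msg);
    var token = extractAccessToken(String(msg.getResponseBody().toString()));
    ScriptVars.setGlobalVar(TOKEN_VAR, token);   // sendingRequest() reads this on every request
    return msg;
}

// Panel parameter and credential names (assumed; shown under Session Properties)
function getRequiredParamsNames() { return ["Token URL"]; }
function getOptionalParamsNames() { return []; }
function getCredentialsParamsNames() { return ["Client ID", "Client Secret"]; }
```

Select this script as the context's Authentication Method and keep the HttpSender script enabled; ZAP re-runs authenticate() according to the context's logged-in/out indicators, which is what refreshes the expired token.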