JWT Authentication REST API


riyaz patikkal

Mar 28, 2020, 6:12:38 AM
to OWASP ZAP User Group
Hi,
I am new to penetration testing. Could you possibly help me with the following situation?

My scenario is as follows.

My application is REST based protected by JWT.

1) I hit the login URL http://myapienpoint/auth/login

    method: POST
    username: "myusername"
    password: "mypassword"

2) The response would be a JWT token. Then I pass this JWT to every URL to authenticate.

Please help me with how to do this with ZAP.

Sincerely

Ailton Caetano

Mar 28, 2020, 1:03:05 PM
to zaprox...@googlegroups.com
Hi Riyaz,

Actually, JWT is not an authentication method, but an authorization token. Therefore, you need to make the application generate your token and include it in your requests.

It will be easier for you to copy the application-provided token into one of the httpsender scripts, because this type is executed in scans too. Pick one of them (maybe this, https://github.com/zaproxy/community-scripts/blob/master/httpsender/add-extra-headers.js, or this, https://github.com/zaproxy/community-scripts/blob/master/httpsender/add_header_request.py), make the modifications, as these scripts only handle headers and you will probably need the token to be inserted in the URL (shout if you have any trouble), and ZAP will scan the web app normally.


Regards, 

Ailton Caetano 
kingthorin+owaspzap

Mar 29, 2020, 5:16:27 PM
to OWASP ZAP User Group
Sounds like you need to use one of the new session management scripts.

riyaz

Apr 2, 2020, 5:58:41 PM
to zaprox...@googlegroups.com
Hi,
Thank you for your kind email. Please excuse me for the late reply. I didn't see the mail.

Actually, I would be obliged if you could give a little more explanation or steps to follow.

What I did so far is as follows. As I mentioned earlier, my application is REST-based APIs.

1) Exported all Postman collections to an OpenAPI definition.
2) Imported it into ZAP via Import -> Import OpenAPI definition from local system
(please see the attached screenshot).

3) Every URL needs an Authorization bearer token in the header. Please see the attached screenshot.

How can I automatically scan all URLs by passing the auth token to every URL's header and find out all vulnerabilities?

Sincerely,
RIYAS
+971504323046

2response.png
openapi.png

kingthorin+owaspzap

Apr 2, 2020, 8:42:50 PM
to OWASP ZAP User Group
Insert the header/token with an Http Sender script or Replacer rule.

riyaz

Apr 3, 2020, 5:35:41 AM
to zaprox...@googlegroups.com
Hi,
Kindly explain how to add an Http Sender script and insert my auth token.

On Fri, Apr 3, 2020 at 4:42 AM kingthorin+owaspzap <kingt...@gmail.com> wrote:
Insert the header/token with an Http Sender script or Replacer rule.


Rajesh Reddy

Feb 24, 2021, 1:06:45 AM
to OWASP ZAP User Group
Hi
You need to write the script-based authentication! Once it is authenticated you will receive the JWT token. Set the JWT token as a global variable. In the HTTP sender script, add a header; in the HTTP sender script, get the JWT token using getGlobalVariable and pass it in every request!

My question to the team is:
My JWT token expires after 60 sec or 300 sec; consider there is a time constraint!
How do I re-authenticate and get the JWT token during the active scan?

Any information related to this is highly appreciated!

eri...@augment1security.com

Feb 24, 2021, 2:07:17 AM
to OWASP ZAP User Group
Hi

You might want to check out a sample script here for dealing with the time constraint. It doesn't use JWT, but the approach is similar. Hope this helps.

Best Regards,
Eric W.
Blog: https://augment1security.com/blog/
Twitter: @aug1sec
Facebook: https://www.facebook.com/aug1sec

Simon Bennetts

Feb 24, 2021, 4:21:48 AM
to OWASP ZAP User Group
Do you have a URL you can poll to check if you are logged in or not?
If so, choose the "Poll the Specified URL" strategy and set a Poll Frequency of around 60 seconds.
The URL you specify will be polled every 60 seconds, and if it reports you are logged out then your authentication method will get called. That can then get the new JWT and put it in the global variable.

Rajesh Reddy

Feb 25, 2021, 10:25:10 PM
to OWASP ZAP User Group
Thank you, everyone!
I will work on that and I will implement it.

Denis Putnam

May 25, 2023, 5:21:11 PM
to OWASP ZAP User Group
Hi Simon,

When you say "Poll the Specified URL" strategy, how do you do that in an automated scan?

For example, I see the following response from a POST call when scanning an API:
{
  "messages": [
    {
      "messageCode": "403",
      "errorMessage": "access denied",
      "messageType": "error"
    }
  ],
  "responseEntity": null,
  "status": "Forbidden"
}

Is it possible to poll for that? If so, do I just call zap.script_set_global_var() on the enabled "add-more-headers.js" community script, or do I have to do something entirely different?

Simon Bennetts

May 26, 2023, 4:17:32 AM
to OWASP ZAP User Group
Oh yes, you can poll for that.
If your app has a login page then the best option now is to try out the Authentication Tester Dialog: https://www.zaproxy.org/blog/2023-05-23-authentication-tester/
That attempts to log in and identify the session handling and a suitable verification URL.
If that works then you can use auto-detection and not have to worry about the details.

If it doesn't work then let us know the details.

If that doesn't make sense then let us know exactly what is not clear.

Cheers,

Simon
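The decisions a sender-side hook has to make in the setup the posters describe (Ailton's header-inserting script, Rajesh's token that expires mid-scan, Simon's "logged out" poll, Denis's 403 JSON envelope), as an added Node.js example that is not from the thread, from ZAP, or from the zaproxy community-scripts repository. It depends on nothing in ZAP's API: a real Http Sender script would call these helpers from its hooks, and the token, claim values and endpoint response are constructed for the demo.

```javascript
function base64UrlDecode(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  const pad = '='.repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(b64 + pad, 'base64').toString('utf8');
}

function base64UrlEncode(s) {
  return Buffer.from(s, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Constructed sample token: real header and payload, dummy signature. The scanner
// never verifies the signature; it only reads the exp claim to time its refresh.
function sampleToken(exp) {
  const header = base64UrlEncode(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const payload = base64UrlEncode(JSON.stringify({ sub: 'myusername', exp: exp }));
  return header + '.' + payload + '.dummysignature';
}

// exp claim (seconds since epoch), or null if the token is malformed or has none.
function jwtExp(token) {
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  try {
    const claims = JSON.parse(base64UrlDecode(parts[1]));
    return Number.isInteger(claims.exp) ? claims.exp : null;
  } catch (e) { return null; }
}

// Refresh a little before expiry; an unreadable token counts as needing refresh.
function needsRefresh(token, nowSeconds, leewaySeconds) {
  const exp = jwtExp(token);
  return exp === null || nowSeconds + leewaySeconds >= exp;
}

// "Logged out" check shaped like the 403 envelope quoted in the thread: the JSON
// body, not only the HTTP status, can say access was denied.
function looksLoggedOut(statusCode, body) {
  if (statusCode === 401 || statusCode === 403) return true;
  try {
    const j = JSON.parse(body);
    return j.status === 'Forbidden' ||
      (Array.isArray(j.messages) && j.messages.some((m) => m.messageCode === '403'));
  } catch (e) { return false; }
}

// The per-request step of a sender hook: copy the stored token into the header.
function withBearer(headers, token) {
  return Object.assign({}, headers, { Authorization: 'Bearer ' + token });
}
```

In ZAP the same flow is: poll the verification URL, run the authentication script when `looksLoggedOut` fires, store the new token in a global variable, and have the sender script apply `withBearer` on every request.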