Google's Dynamic Scanning against Next Auth


יובל סגרון

Feb 22, 2024, 5:25:37 AM
to ZAP User Group

Hey you all! I am reaching out to seek assistance with an issue we are experiencing when running authenticated scans using the ZAP Docker image on our SaaS application, developed with Next.js and authenticated via NextAuth with Github accounts. While our GUI-based scans successfully capture all authenticated user URLs, our command-line scans fail to reflect these authenticated paths in the generated reports.

Environment Details:

  • Application: SaaS built with Next.js, using NextAuth for authentication.
  • Authentication Method: Login with Gmail accounts, requiring restricted scopes.
  • ZAP Version: OWASP ZAP Docker image (zap2docker-stable).
  • Scan Type: Full Scan.
  • Authentication Setup for GUI: We flag parameters as session tokens for GUI scans, which works well.

Issue Description: Authenticated user URLs are not included in the scan report when running scans via the command line, despite using a similar setup as in the GUI where everything functions correctly. The report includes an alert named "Cookie Slack Detector" for URLs that should behave differently when authenticated, suggesting an issue with session token recognition.

Command Used:

docker run -t -v "$(pwd):/zap/wrk/:rw" -p 8090:8080 ghcr.io/zaproxy/zaproxy:stable zap-full-scan.py -t "https://our-platform-staging-env.vercel.app" -P 8090 -c zap-casa-config.conf -r testreport.html -z "-addoninstall replacer -configfile /zap/wrk/options.prop"

Configuration File (options.prop):

replacer.full_list(0).description=Cookie
replacer.full_list(0).enabled=true
replacer.full_list(0).matchtype=REQ_HEADER
replacer.full_list(0).matchstr=Cookie
replacer.full_list(0).regex=false

replacer.full_list(0).replacement="__Secure-next-auth.session-token=blabla"

As we said, URLs that are accessible to authenticated users only are not included in the final report, and this alert is being included:

  • Alert: Cookie Slack Detector
  • Issue: The report suggests that dropping the __Secure-next-auth.session-token cookie has no effect, raising concerns about authentication enforcement.

Assistance Requested: We seek guidance on how to ensure our command-line authenticated scans accurately reflect the access to and interaction with authenticated user URLs, similar to our GUI-based scans, or at least a way of running Google's dynamic scans as described here: https://appdefensealliance.dev/casa/tier-2/ast-guide/dynamic-scan through the ZAP GUI (if possible - we tried that route, but the provided zap-casa-config.conf configuration file is in an unsupported format, as we understood).

Thank you for any form of assistance.

Best regards,

Simon Bennetts

Feb 22, 2024, 6:11:56 AM
to ZAP User Group
Hiya,

It sounds like authentication is not working.
My first suggestion is to try the Auth env vars instead of using the replacer: https://www.zaproxy.org/docs/authentication/handling-auth-yourself/#authentication-env-vars
You will need to specify those on the docker command line.

It's worth noting that the packaged scans are deliberately restricted.
The Automation Framework (AF) is more flexible and may be better for this situation: https://www.zaproxy.org/docs/automate/automation-framework/

We do not currently have an AF plan for CASA but it should not be too hard to create.

Cheers,

Simon
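The env-var route Simon suggests, written out as an added example (not code from the thread, the ZAP project, or the CASA guide). It wraps zap-full-scan.py so the NextAuth session cookie is passed through ZAP_AUTH_HEADER and ZAP_AUTH_HEADER_VALUE, the variables documented on the linked "handling auth yourself" page, instead of a replacer config file. Before starting the scan it answers the question the "Cookie Slack Detector" alert raises: does the token actually change the server's response? The target URL and cookie name are the ones from the original post; SESSION_TOKEN and PROTECTED_URL are assumed to be supplied by the caller.

```shell
#!/usr/bin/env sh
# Added example, not code from the thread or from the ZAP project: wraps
# zap-full-scan.py so that the NextAuth session cookie is supplied through
# ZAP's authentication env vars, after first checking that the token
# actually gates access. Assumes the target URL and cookie name from the
# thread; SESSION_TOKEN and PROTECTED_URL are caller-supplied.

TARGET="${TARGET:-https://our-platform-staging-env.vercel.app}"
COOKIE_NAME="__Secure-next-auth.session-token"

# Emit the env assignments the ZAP docker scan scripts read, one per line:
#   ZAP_AUTH_HEADER       header to inject (would default to Authorization)
#   ZAP_AUTH_HEADER_VALUE full header value; here a single Cookie pair
# Fails on an empty token, which would otherwise produce a scan that
# silently runs unauthenticated and reports exactly the symptom above.
build_auth_env() {
    name="$1"; token="$2"
    [ -n "$token" ] || { echo "empty session token" >&2; return 1; }
    printf 'ZAP_AUTH_HEADER=%s\n' "Cookie"
    printf 'ZAP_AUTH_HEADER_VALUE=%s=%s\n' "$name" "$token"
}

# Decide whether the cookie changes the server's answer: the authenticated
# request must succeed (2xx) and the anonymous one must not get the same
# status. This is what "Cookie Slack Detector" is checking for, so answering
# it with two curl calls avoids a long scan whose only real finding is that
# the token was ignored.
auth_verdict() {
    anon="$1"; authed="$2"
    case "$authed" in 2??) ;; *) return 1 ;; esac
    [ "$anon" != "$authed" ]
}

preflight() {
    url="$1"; cookie="$2"
    anon=$(curl -s -o /dev/null -w '%{http_code}' "$url")
    authed=$(curl -s -o /dev/null -w '%{http_code}' -H "Cookie: $cookie" "$url")
    if auth_verdict "$anon" "$authed"; then
        echo "preflight ok: anonymous=$anon authenticated=$authed"
    else
        echo "preflight failed: anonymous=$anon authenticated=$authed" >&2
        echo "token is rejected, expired, or the URL is not actually protected" >&2
        return 1
    fi
}

run_scan() {
    token="${SESSION_TOKEN:?export a current NextAuth session token}"
    protected="${PROTECTED_URL:?export a URL only a signed-in user can load}"
    preflight "$protected" "${COOKIE_NAME}=${token}" || return 1
    # Turn the env lines into docker -e flags (the token contains no whitespace).
    set --
    for kv in $(build_auth_env "$COOKIE_NAME" "$token"); do
        set -- "$@" -e "$kv"
    done
    docker run -t -v "$(pwd):/zap/wrk/:rw" "$@" \
        ghcr.io/zaproxy/zaproxy:stable zap-full-scan.py \
        -t "$TARGET" -c zap-casa-config.conf -r testreport.html
}

# Only start the scan when invoked as: sh zap-auth-scan.sh run
case "${1:-}" in run) run_scan ;; esac
```

Run it with `SESSION_TOKEN=... PROTECTED_URL=https://.../some-signed-in-page sh zap-auth-scan.sh run`. If the preflight fails, the problem is the token (copied from the wrong cookie, expired, or for a different host), not the scanner, and the "Cookie Slack Detector" result is expected. The same docs page also describes ZAP_AUTH_HEADER_SITE, which limits header injection to one site; it is worth setting when the scan can reach third-party hosts so the session token is never sent to them.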