facing issues with the Forced User Mode in OWASP ZAP for application with authentication AWS Cognito (via a custom authentication flow) and SAML-based authentication.


bharat varkala

Dec 5, 2024, 8:12:48 AM
to ZAP User Group

I’m facing issues with the Forced User Mode in OWASP ZAP for two different applications I am testing. These applications use different authentication methods: AWS Cognito (via a custom authentication flow) and SAML-based authentication. Below are the details for each scenario:

AWS Cognito (Application 1):

  • The login flow for this application occurs in three separate POST requests. Here’s a breakdown of the flow I observe in the ZAP Sites section:
    1. First POST request: The login begins with the CUSTOM_AUTH flow, sending the username, password, and SRP_A challenge parameters.
    2. Second POST request: The PASSWORD_VERIFIER challenge is sent along with the password claim signature and session details.
    3. Third POST request: The final request returns the AccessToken.
  • I have confirmed that there is no multi-factor authentication (MFA) in this process. However, when I enable Forced User Mode and launch the browser, ZAP opens the application URL but does not automatically fill in the credentials or complete the authentication process, even though the username and password are correctly provided in the context file.
  • When I run the Authentication Tester, ZAP successfully logs in by sending these three POST requests and creates the context file. After configuring the authentication method to “Form-based Authentication” and specifying the correct URLs and parameters, Forced User Mode still does not automatically fill in the credentials in the login form during manual exploration.

SAML-based Authentication (Application 2):

  • This application uses IDP SAMLRequest for authentication. After configuring the context file for SAML-based authentication, I encounter the same issue: Forced User Mode does not auto-fill the credentials or log in automatically, even though the authentication process works fine when manually tested using the Authentication Tester.

Steps I’ve Followed for Both Applications:

  1. Authentication Tester: I provide the target URL, username, and password, and the tester successfully logs in and creates the context file.
  2. Context Configuration: I configure the context for both applications (AWS Cognito and SAML) by selecting the correct authentication method (Form-based or SAML) and ensuring that the correct login URLs, POST data, and parameters are specified.
  3. Forced User Mode Setup: After enabling Forced User Mode, I select “Manual Explore” and launch the browser. The browser opens, navigates to the login page, but the credentials are not auto-filled, and the login process does not complete.

Questions:

  • For AWS Cognito, given that the login involves multiple POST requests (custom auth, password verifier, and access token), what might be missing in the context file configuration that prevents ZAP from completing the login process in Forced User Mode?
  • For the SAML-based login, is there any additional configuration required to handle redirects or token exchanges that might interfere with ZAP’s ability to simulate the login in Forced User Mode?
  • Are there any specific logs or error messages in ZAP that I should check to help debug the issue with Forced User Mode for both AWS Cognito and SAML applications? 


Cheers,
Bharat 


Simon Bennetts

Dec 6, 2024, 12:03:50 PM
to ZAP User Group
Hi Bharat,

Do NOT use Forced User Mode in automation. Never.
We've updated the help so this will hopefully be clearer soon.
If the Auth Tester works then just use the context which that generates.

Cheers,

Simon

bharat varkala

Dec 10, 2024, 8:55:56 AM
to ZAP User Group

OK, got it. Now I am able to auto-login in one application but not the other. Let me explain it to you / reframe it for you.

Query:

I'm currently working with ZAP (Zed Attack Proxy) for performing authentication tests and scans on two web applications, each using different authentication mechanisms. While forced user mode works fine for one application (App 1 using SAML), it's not working for the other application (App 2 using AWS Cognito). Here's the detailed process I am following for setting up the scan, along with the issues I'm encountering:

Steps to Perform ZAP Scan:
  1. Opening ZAP Desktop Application

    • I start by opening the ZAP desktop application.
  2. Persist Session

    • When prompted, I select the second option: Persist this session in a specific location with name.
  3. Authentication Tester Setup

    • I click on the Tools tab and select the Authentication Tester.
    • In the Authentication Tester, I input the following details:
      • Application Login URL
      • Context file name
      • Username and password for the application
      • I leave the browser's default settings.
    • I then click on the Test button to run the authentication test.
    • The result section shows the test status as Passed.
  4. Authentication Tester Passes

    • Once the authentication test passes, I return to the main screen.
  5. Context File Creation and Update

    • After running the authentication tester successfully, a context file is created with the specified name.
    • I open the context file, go to the Authentication section, and change the authentication method from "Browser-based authentication" to "Form-based authentication".
    • Under Form-based authentication, I configure the method as follows:
      • Login From Target URL:
        • I click the Select button, which opens the pop-up with the sites in the current session.
        • I select the application login POST URL, which fills in the following fields:
          • URL to GET Login Page
          • Login Request POST Data
          • Username and password
        • Configure Authentication Verification
          • Verification Strategy: Check every Response.
          • Regex Pattern used to identify Logged In messages
          • Regex Pattern used to identify Logged Out messages
  6. Returning to Main Screen and Manual Exploration

    • I click OK to save the configuration and return to the main screen.
    • I then click on Manual Explore and enter the application URL in the URL to Explore section.
    • After clicking Launch Browser, the application opens in the browser.
  7. Login and Logout Actions

    • I enter the username and password and log into the application.
    • Once logged in, I log out of the application.
  8. Enabling Forced User Mode

    • I click to enable the Forced User Mode.
  9. Manual Exploration Again

    • I click on Manual Explore again, input the application URL, and click Launch Browser.
    • This opens the application in the browser.
Issue Encountered:

After following all the steps above, when the application is opened again, it should automatically log in using the credentials from the context file due to the enabled Forced User Mode. However, the login does not occur automatically for one of the applications.

Applications and Authentication Mechanisms:
  1. App 1 – SAML-based Authentication:

    • This application uses SAML-based authentication via an IDP SAMLRequest for login.
    • The forced user mode works as expected. When I click on Launch Browser, the application opens in the browser, and it automatically logs in using the provided credentials from the context file.
  2. App 2 – AWS Cognito Authentication:

    • This application uses AWS Cognito via a custom authentication flow.
    • The forced user mode is not working for this application. When I click on Launch Browser, the application opens in the browser, but it does not log in automatically.
    • Upon reviewing the login flow in the ZAP sites section, I observe that the login occurs in three separate POST requests:
      1. First POST request: Begins with the CUSTOM_AUTH flow, sending the username, password, and SRP_A challenge parameters.
      2. Second POST request: Sends the PASSWORD_VERIFIER challenge, along with the password claim signature and session details.
      3. Third POST request: The final request returns the AccessToken.
    • I have confirmed that there is no multi-factor authentication (MFA) involved in this process.
    • When I run the Authentication Tester, ZAP successfully logs in by sending these three POST requests and creates the context file. After configuring the authentication method to “Form-based Authentication” and specifying the correct URLs and parameters, Forced User Mode does not automatically fill in the credentials in the login form during manual exploration.

Questions and Help Request:
  • Session Handling in AWS Cognito

    • Could the session handling in AWS Cognito be interfering with the forced user mode? Specifically, does ZAP need to retain session tokens or cookies across the multiple POST requests in the custom authentication flow?
  • Custom Authentication Flow in ZAP

    • Could the multi-step POST requests in AWS Cognito's custom authentication flow be causing the issue with automatic login?
    • Are there any additional configurations in ZAP that need to be done to handle multi-step authentication flows like the one used by AWS Cognito?
    • Is there a recommended way to configure ZAP to handle multi-step authentication flows like the one used by AWS Cognito? Should I be using a specific ZAP add-on or configuration to capture and handle these multi-step POST requests?
  • Automatic Login Behavior for Multi-Step Authentication

    • Why is the forced user mode working fine for App 1 (SAML) but not for App 2 (AWS Cognito)?
    • Is there a known limitation with ZAP when dealing with custom authentication flows (like AWS Cognito's) where the automatic login doesn’t work as expected? If so, how can I work around this limitation?
  • Browser Configuration in ZAP

    • Could the browser configuration within ZAP be impacting the forced user mode in App 2 (AWS Cognito)? Are there any browser settings or specific configurations that need to be modified to allow automatic login after authentication?


Cheers,
Bharat

Simon Bennetts

Dec 18, 2024, 4:41:22 AM
to ZAP User Group
Hi Bharat,

Sorry, I thought I had made it clear.
Do NOT use Forced User Mode in automation!

If the Authentication Tester passes then just use the context that it generates. That's all you need to do.
That will have the authentication, session management and verification setting configured.
You _can_ change these, but only if you _really_ know what you are doing.

Cheers,

Simon
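A ZAP Automation Framework plan that follows this advice, added here as an illustration and not part of the thread or of ZAP's own documentation: the context keeps the browser-based authentication method that the Authentication Tester generates (a real browser performs the login, so client-side steps such as the Cognito challenge/response run exactly as they do for an interactive user) with autodetected session management and verification, and the scan jobs run as the context user instead of relying on Forced User Mode. The hostnames, context name, user name, and environment variable names are placeholders.

```yaml
env:
  contexts:
    - name: "app2-cognito"              # placeholder context name
      urls:
        - "https://app2.example.com"    # placeholder target
      includePaths:
        - "https://app2.example.com.*"
      authentication:
        # Browser-based auth drives a real browser through the login page,
        # so the multi-step Cognito flow is handled by the app's own JS.
        method: "browser"
        parameters:
          loginPageUrl: "https://app2.example.com/login"   # placeholder
          loginPageWait: 5              # seconds to wait for login to finish
          browserId: "firefox-headless"
        verification:
          method: "autodetect"          # let ZAP learn logged-in/out indicators
      sessionManagement:
        method: "autodetect"            # cookies, headers, or tokens, as observed
      users:
        - name: "test-user"             # placeholder user name
          credentials:
            username: "${APP2_USER}"    # read from environment, not hard-coded
            password: "${APP2_PASSWORD}"
jobs:
  - type: "spider"
    parameters:
      context: "app2-cognito"
      user: "test-user"                 # spider runs authenticated as this user
  - type: "passiveScan-wait"
  - type: "activeScan"
    parameters:
      context: "app2-cognito"
      user: "test-user"                 # active scan runs as the same user
```

If a job runs unauthenticated, check the plan's `user` parameter and the verification indicators before changing the authentication method away from browser-based.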