Problems w/ AJAX Spider needing browser local storage auth token


Lucas Walter

Jul 18, 2017, 10:38:59 AM7/18/17
to OWASP ZAP User Group

Hey folks,

I've been working on scripting out running the AJAX spider and then an active scan as a part of our automated build pipeline using PowerShell, the ZAP REST API, and PhantomJS. The end result would be a fully automated build job that runs an AJAX spider at a target app, uses the results of said spider in an active scan, and finally emails the report out to interested parties. I've been running into some difficulty with running an effective AJAX spider with an authenticated context. Our UI is a SPA application built with AngularJS 1.5.8 and utilizes the browser's local storage to store an authenticated user's token once they've authenticated. To navigate around various routes on the client web app, this local storage object is validated before the user can view the content at the target route if said route requires user authentication. Ideally, this local storage object could be mocked or retrieved/injected into the browser the AJAX spider is running in - which would result in a more thorough mapping of the application under test.

I've looked into form-based authentication contexts and was able to rule that one out because our login flows require more steps than can be accomplished with that method. There are several cookies and CSRF tokens that must be supplied in addition to the user credentials. Zest scripts and script-based authentication seemed like the next best option. It seems that I will be able to use that method to obtain an access token and ensure that subsequent requests in the active scan inject said token before sending to the web application's accompanying REST API. Unfortunately, I still haven't found a way to use this method as a precursor for the AJAX spider and am at a loss of where to go from here. Has anyone run into this sort of problem before, or any ideas of where I could go from here?

Thanks in advance.
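
The orchestration described in the post above (AJAX spider, then active scan, then report) as an added PowerShell example driving the ZAP REST API; it is not code from the original post. It assumes ZAP is listening on localhost:8080 with an API key set and a placeholder target URL, and it does not address pre-seeding the browser's localStorage token, which the thread identifies as the open problem.

```powershell
# Added example (not from the original post): run ZAP's AJAX Spider, feed the
# discovered URLs into an active scan, then save the HTML report for mailing.
param(
    [string]$ZapHost = 'http://localhost:8080',
    [string]$ApiKey  = 'CHANGE-ME',                 # placeholder: your ZAP API key
    [string]$Target  = 'https://app.example.test'   # placeholder target (assumed in scope)
)

# Small wrapper around the ZAP JSON API: appends the API key and URL-encodes parameters.
function Invoke-Zap {
    param([string]$Path, [hashtable]$Query = @{})
    $Query['apikey'] = $ApiKey
    $qs = ($Query.GetEnumerator() | ForEach-Object {
        "$($_.Key)=$([uri]::EscapeDataString([string]$_.Value))"
    }) -join '&'
    Invoke-RestMethod -Uri "$ZapHost/$Path/?$qs" -Method Get
}

# 1. AJAX Spider: crawl the SPA in the configured browser and poll until it stops.
#    Routes guarded by a localStorage token will only be reached if the browser
#    session already holds that token, which this script does not provide.
$null = Invoke-Zap 'JSON/ajaxSpider/action/scan' @{ url = $Target; inScope = 'true' }
do {
    Start-Sleep -Seconds 5
    $status = (Invoke-Zap 'JSON/ajaxSpider/view/status').status
    Write-Host "AJAX spider: $status"
} while ($status -eq 'running')
$found = (Invoke-Zap 'JSON/ajaxSpider/view/numberOfResults').numberOfResults
Write-Host "AJAX spider recorded $found requests"

# 2. Active scan everything the spider placed in the sites tree under $Target.
$scanId = (Invoke-Zap 'JSON/ascan/action/scan' @{
    url = $Target; recurse = 'true'; inScopeOnly = 'true' }).scan
do {
    Start-Sleep -Seconds 10
    $pct = (Invoke-Zap 'JSON/ascan/view/status' @{ scanId = $scanId }).status
    Write-Host "Active scan: $pct%"
} while ([int]$pct -lt 100)

# 3. Fetch the HTML report; the build job can attach this to the notification e-mail.
$report = Invoke-WebRequest -Uri "$ZapHost/OTHER/core/other/htmlreport/?apikey=$ApiKey"
[IO.File]::WriteAllText((Join-Path $PSScriptRoot 'zap-report.html'), $report.Content)
```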

Lacks Gravitas

Oct 20, 2017, 11:26:59 AM10/20/17
to OWASP ZAP User Group
I'm running into a very similar problem, but I'm stumped. Any luck?

kingthorin+owaspzap

Oct 20, 2017, 11:33:25 AM10/20/17
to OWASP ZAP User Group
I don't have any immediate advice on the Ajax Spider, however, I'm curious about this auth-token in local storage. How is it bound to a single user? What prevents other users of a shared (library, school, etc) system from using it?

Lucas Walter

Oct 31, 2017, 11:30:10 AM10/31/17
to OWASP ZAP User Group
The token is stored in localStorage of the browser client and is cleared upon logout and other scenarios. As with many token-based authentication systems that use some client storage (e.g. cookies, browser storage, etc.), the user would need to log out from a shared system, clear the browser cache, etc. to ensure that another user cannot masquerade as the original user. The token does not contain any user secrets, so even if another actor were to decode it, they would not receive any information that would allow them to gain access to that user's account.

In regards to the original problem, are you aware of any ZAP capabilities that could allow for injecting data into the browser's storage before the test is executed? If not, is there a feature request process where I could suggest this sort of thing? I feel a feature like this would be extremely effective, especially with the many SPA-based web apps that seem to be trending upward.

Thanks

Lucas Walter

Oct 31, 2017, 11:31:44 AM10/31/17
to OWASP ZAP User Group
Unfortunately, no :(. I'm hopeful that someone has some feedback from this user group or that potentially a feature request could be made that would solve this issue.