Automated Keycloak authentication and scan application ZAP


Shalini Mishra

Mar 22, 2024, 4:12:51 AM
to ZAP User Group
Hi All,

I am trying to use ZAP for my web app, which uses Keycloak for authentication; once authentication is done it redirects to the application. The requirement is that ZAP scans automatically with only the app URL and credentials, but for that I need to set the proxy in the browser and traverse each page.
After following the link for setup:
In the ZAP output, "authentication failed" is coming.

Please suggest how to do an automated scan with Keycloak authentication.

Regards
Shalini Dixit


Simon Bennetts

Mar 25, 2024, 8:29:47 AM
to ZAP User Group
Hi Shalini,

Pro tip: use our docs and not someone else's that are very out of date!
Our latest official auth docs are here: https://www.zaproxy.org/docs/authentication/
However, have a look at this decision tree as well. It's currently a PoC but we are in the process of moving it over to the main website:

Cheers,

Simon

Shalini Mishra

Mar 26, 2024, 4:17:54 AM
to ZAP User Group
Thanks for the reply.

I tried Authentication Tester and got the result in attachment.

Please review the Diagnostics content:

>>>>>

POST https://example1/ListAccounts
content-type: application/x-www-form-urlencoded
<<<
HTTP/1.1 200 OK
content-type: application/json; charset=utf-8

["token0",[]]
>>>>>
GET https://example2/
<<<
HTTP/1.1 200 OK
content-type: text/html
>>>>>
GET https://example3/ChRDaHJvbWUvMTIzLjAuNjMxMi41ORIgCW6cTvWGnze4EgUNNDfTKxIFDdzkyiwh0KTMr-mEIXI=
<<<
HTTP/1.1 200 OK
content-type: text/plain
>>>>>
GET https://example3/ChRDaHJvbWUvMTIzLjAuNjMxMi41ORJRCbTmrF5B_mW2EgUNBu27_xIFDQbtu_8SBQ0G7bv_EgUNBu27_xIFDQbtu_8SBQ0G7bv_EgUNBu27_xIFDQbtu_8SBQ0G7bv_IbjyBhz3kidQ
<<<
HTTP/1.1 200 OK
content-type: text/plain
>>>>>
GET https://example3/ChRDaHJvbWUvMTIzLjAuNjMxMi41ORJRCbTmrF5B_mW2EgUNBu27_xIFDQbtu_8SBQ0G7bv_EgUNBu27_xIFDQbtu_8SBQ0G7bv_EgUNBu27_xIFDQbtu_8SBQ0G7bv_IbjyBhz3kidQ
<<<
HTTP/1.1 200 OK
content-type: text/plain
>>>>>
POST https://example4/v1:GetModels
content-type: application/x-protobuf
<<<
HTTP/1.1 200 OK
content-type: application/x-protobuf
>>>>>
GET https://example2/redirectUrl
<<<
HTTP/1.1 200 OK
content-type: text/plain;charset=UTF-8
>>>>>
GET https://example5/auth
<<<
HTTP/1.1 200 OK
content-type: text/html;charset=utf-8
set-cookie: AUTH_SESSION_ID="token15";$Path="/auth/realms/tp-ptm-dsm/"
set-cookie: AUTH_SESSION_ID_LEGACY="token15";$Path="/auth/realms/tp-ptm-dsm/"
set-cookie: KC_RESTART="token16";$Path="/auth/realms/tp-ptm-dsm/"
>>>>>
GET https://example2/IBMPlexSans-Regular.woff2
<<<
HTTP/1.1 200 OK
content-type: font/woff2
>>>>>
GET https://example3/ChRDaHJvbWUvMTIzLjAuNjMxMi41ORIgCTeLWMzyJIQkEgUN541ADhIFDc5BTHohf17vZdaK04I=
<<<
HTTP/1.1 200 OK
content-type: text/plain
>>>>>
GET https://example3/ChRDaHJvbWUvMTIzLjAuNjMxMi41ORJfCTT7JSOT9hLxEgUNNDfTKxIFDdzkyiwSBQ0G7bv_EgUNBu27_xIFDQbtu_8SBQ0G7bv_EgUNBu27_xIFDQbtu_8SBQ0G7bv_EgUNBu27_xIFDQbtu_8hf6-7P-uY85YSIAlunE71hp83uBIFDTQ30ysSBQ3c5MosIX-vuz_rmPOWElEJtOasXkH-ZbYSBQ0G7bv_EgUNBu27_xIFDQbtu_8SBQ0G7bv_EgUNBu27_xIFDQbtu_8SBQ0G7bv_EgUNBu27_xIFDQbtu_8hf6-7P-uY85Y=
<<<
HTTP/1.1 200 OK
content-type: text/plain
>>>>>
GET https://example5/auth
cookie: AUTH_SESSION_ID="token15"
cookie: AUTH_SESSION_ID_LEGACY="token15"
cookie: KC_RESTART="token16"
<<<
HTTP/1.1 200 OK
content-type: text/html;charset=utf-8
set-cookie: KC_RESTART="token16";$Path="/auth/realms/tp-ptm-dsm/"

Please suggest how to fix the issue. Any help is much appreciated.

Regards
Shalini Dixit
Screenshot 2024-03-26 134429.png

Simon Bennetts

Mar 28, 2024, 10:26:52 AM
to ZAP User Group
Hi Shalini,

It looks like ZAP successfully authenticated to the app, but then the app didn't make enough requests in the background for ZAP to identify the session or a suitable verification URL.
Try again, but this time:
  • Increase the timeout, e.g. to 30 seconds
  • Once the browser has logged in, start exploring the site
Hopefully that will give ZAP a chance to identify the info it needs.

Cheers,

Simon
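The fully automated run the thread is after, written as a ZAP Automation Framework plan: browser-based authentication through the Keycloak login page, session and verification autodetection, the login wait raised to 30 seconds in line with the longer timeout suggested above, and a spider run as the authenticated user so ZAP sees enough traffic to pick up the session. This is an added example, not a plan posted in the thread; the app and Keycloak URLs, realm, report directory and credential variables are placeholders, and the include/exclude paths are my assumptions about a sensible scope.

```yaml
env:
  contexts:
    - name: "keycloak-app"
      urls:
        - "https://app.example.test"                         # placeholder: application under test
      includePaths:
        - "https://app.example.test.*"
        - "https://sso.example.test/auth/realms/my-realm/.*"  # placeholder realm; in scope so the login redirect is followed
      excludePaths:
        - "https://sso.example.test/auth/realms/my-realm/protocol/openid-connect/logout.*"  # stop the crawl logging the user out
      authentication:
        method: "browser"                                    # drive a real browser through the Keycloak login form
        parameters:
          loginPageUrl: "https://app.example.test/"          # placeholder: entry point that redirects to Keycloak
          loginPageWait: 30                                  # seconds to wait after submitting the login, per the advice above
          browserId: "firefox-headless"
        verification:
          method: "autodetect"                               # let ZAP pick a request that separates logged-in from logged-out
      sessionManagement:
        method: "autodetect"                                 # detect cookie- or header-based session handling
      users:
        - name: "test-user"
          credentials:
            username: "${SCAN_USER}"                         # read from environment variables, not stored in the plan
            password: "${SCAN_PASSWORD}"
  parameters:
    failOnError: true
    failOnWarning: false
    progressToStdout: true
jobs:
  - type: "spider"
    parameters:
      context: "keycloak-app"
      user: "test-user"                                      # crawl as the authenticated user
      maxDuration: 5                                         # minutes
  - type: "passiveScan-wait"
  - type: "report"
    parameters:
      template: "traditional-html"
      reportDir: "/tmp/zap-report"                           # placeholder output directory
```

Run it with `zap.sh -cmd -autorun plan.yaml` after exporting SCAN_USER and SCAN_PASSWORD; if the authentication or verification steps are not detected, the plan fails with failOnError rather than scanning unauthenticated.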