Authentication and Authorization in ZAP


Asfandyar Sabri

Mar 2, 2024, 9:40:29 AM
to ZAP User Group
Hello,

I need help with ZAP's authentication and authorization. I'm new to ZAP and security.

I have been given a task: I need to integrate ZAP into our CI/CD pipeline. For phase 1, I need to scan our site using the ZAP GUI.

1. Our site is behind a VPN for now.
2. It requires a Microsoft login to sign in to the site.
3. We have MFA, so upon login I need to verify the login with the authenticator app on my phone.
4. Finally, the response contains an access token which is used for sign-in.

Now I need to perform an automated scan of our site.

Here is what I have done so far:
1. Added credentials to users.
2. Manually set the bearer token in an HTTP Sender script (Add Zap Header.js).
3. Used the community scripts to set up authentication and set the access token from a global variable in the AddBearerTokenHeader.js script.

Can someone help?

Simon Bennetts

Mar 2, 2024, 10:24:05 AM
to ZAP User Group

Especially the first bit about making your life easier.
Using ZAP on an app with MFA enabled is making your life much harder - ask for an instance without that, for a start.

Cheers,

Simon

Asfandyar Sabri

Mar 2, 2024, 10:57:39 AM
to ZAP User Group
Thank you for the reply. Will look more into that.

Asfandyar Sabri

Mar 5, 2024, 8:56:41 AM
to ZAP User Group
Hello again Simon,

So, I contacted my team and now I have a test user that does not require MFA. Now my use case is as follows:
1. I go to my URL.
2. If not signed in, I'm redirected to the sign-in page.
3. After entering my email, I press the login button, which redirects me to the password page.

[attachment: Login.PNG]

4. I enter my password and log in.
[attachment: Password.PNG]
5. Upon login, a bearer token is generated that I need.

I'm still stuck at authentication. Also, please know that the proxy browser that I open inside ZAP cannot access my site. Please see:
[attachment: proxy browser.PNG]

Almost all other sites work inside the proxy browser, but not mine. My site is currently behind a VPN. Does that have anything to do with it?

I also tried the Authentication Tester, and that too failed at browser opening.
I also watched your SSO video where you were using Selenium to automate login. In that you were also using a browser, and since I cannot use a browser, I'm stuck.

My ultimate goal is to integrate ZAP into my product's CI/CD pipeline, and for phase 1 I'm trying to do everything using the GUI as you suggest.

I will wait for your reply.

Regards,
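The two halves of the flow described in the posts above (capture the access token that the login response returns, then send it as a bearer header on later requests) can be handled in a single ZAP HTTP Sender script. The script below is an added example in the spirit of the community AddBearerTokenHeader.js mentioned in the first post; it is not code from this thread or from the ZAP project. The token endpoint paths, target host, JSON field name and global-variable key are assumptions and must be changed for the real application. The decision logic is kept in plain functions that do not touch ZAP objects, so the same file also runs under Node for a quick offline check.

```javascript
// Added example: a ZAP "HTTP Sender" script (ECMAScript) that
//  1. captures the access token from the login/token response into a ZAP
//     global variable, and
//  2. adds "Authorization: Bearer <token>" to later requests to the target host,
//     skipping the token endpoint itself.
// ASSUMPTIONS (not from the thread): the endpoint paths, target host, JSON
// field name and global-variable key below; change them for your application.

var TOKEN_VAR = "zap.bearer.token";                      // assumed global-variable key
var TOKEN_PATHS = ["/oauth2/v2.0/token", "/api/login"];   // assumed token endpoint paths
var TARGET_HOSTS = ["app.example.test"];                 // assumed in-scope host(s)
var TOKEN_FIELD = "access_token";                         // assumed JSON field

// Inside ZAP, Java classes are reachable through Java.type. Outside ZAP (e.g. a
// quick check under Node) that global does not exist, so fall back to a map.
var memoryVars = {};
var ScriptVars = (typeof Java !== "undefined")
  ? Java.type("org.zaproxy.zap.extension.script.ScriptVars")
  : {
      getGlobalVar: function (k) {
        return Object.prototype.hasOwnProperty.call(memoryVars, k) ? memoryVars[k] : null;
      },
      setGlobalVar: function (k, v) { memoryVars[k] = v; }
    };

// ---- pure helpers: no ZAP objects, so they can be exercised stand-alone ----

// Returns the token from a JSON body, or null if the body is not JSON, is an
// error response, or lacks a non-empty string in TOKEN_FIELD.
function extractAccessToken(bodyText) {
  var parsed;
  try { parsed = JSON.parse(bodyText); } catch (e) { return null; }
  if (!parsed || typeof parsed !== "object") return null;
  var value = parsed[TOKEN_FIELD];
  return (typeof value === "string" && value.length > 0) ? value : null;
}

function isTokenEndpoint(path) {
  return TOKEN_PATHS.indexOf(String(path)) !== -1;
}

// Attach only when a token exists, the host is in scope, and the request is
// not the login/token call (a stale bearer on the login request is wrong and
// can make the identity provider reject it).
function shouldAttachToken(host, path, token) {
  if (!token) return false;
  if (TARGET_HOSTS.indexOf(String(host).toLowerCase()) === -1) return false;
  return !isTokenEndpoint(path);
}

function bearerHeaderValue(token) {
  return "Bearer " + token;
}

// ---- ZAP entry points (ZAP calls these for every request and response) ----

function sendingRequest(msg, initiator, helper) {
  var uri = msg.getRequestHeader().getURI();
  var token = ScriptVars.getGlobalVar(TOKEN_VAR);
  if (shouldAttachToken(uri.getHost(), uri.getPath(), token)) {
    msg.getRequestHeader().setHeader("Authorization", bearerHeaderValue(token));
  }
}

function responseReceived(msg, initiator, helper) {
  var uri = msg.getRequestHeader().getURI();
  if (!isTokenEndpoint(uri.getPath())) return;
  var token = extractAccessToken(String(msg.getResponseBody().toString()));
  if (token) {
    ScriptVars.setGlobalVar(TOKEN_VAR, token);
  }
}

// Minimal stand-in for ZAP's HttpMessage, only for checking the script outside
// ZAP; it mimics just the methods used above.
function fakeMessage(host, path, responseBody) {
  var headers = {};
  var header = {
    getURI: function () {
      return { getHost: function () { return host; }, getPath: function () { return path; } };
    },
    setHeader: function (name, value) { headers[name] = value; },
    getHeader: function (name) { return headers[name] || null; }
  };
  return {
    getRequestHeader: function () { return header; },
    getResponseBody: function () { return { toString: function () { return responseBody || ""; } }; }
  };
}
```

In the GUI this is loaded under the Scripts tab as an HTTP Sender script and enabled; the same file can be loaded headlessly for CI (for example via the Automation Framework's script job). Because the token lives in a global variable for the whole ZAP session, keep the non-MFA test user low-privilege and restrict TARGET_HOSTS tightly so the bearer is never sent to a host outside the application under test.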

Simon Bennetts

Mar 5, 2024, 11:28:49 AM
to ZAP User Group
OK, so we need to get the browsers that ZAP launches to be able to access your site.
I suspect the VPN will be the problem.

Presumably you can get the browser you normally use to access this site?
If so, do you know how that works?
Does it use a browser extension or ??

Cheers,

Simon

Asfandyar Sabri

Mar 5, 2024, 1:40:31 PM
to ZAP User Group
I have a desktop extension that I connect to be able to access some sites. It's a company-specific VPN. However, I believe that was a bug. I tried restarting ZAP and I was able to access my site using ZAP's built-in browser. I faced the problem when I created a new session within the ZAP window. Apparently, if I do that, my ZAP browser will not access my site :')

I tried reproducing that and was successful. So, on ZAP's first launch everything works fine, but if I create a new session, then ZAP's browser won't access my site.

Coming back to our case:
I added HTTP authentication and a test user to my context. ZAP showed some sites in context that it was not showing previously. So I believe the login was successful because I can only access those pages after logging in.

How should I proceed from here?

Remember, my ultimate goal is to integrate ZAP in our app's CI/CD pipeline.

Thanks,

Simon Bennetts

Mar 7, 2024, 5:16:12 AM
to ZAP User Group
Always try to make your life easier :)
Can you run ZAP somewhere where you don't need the VPN?
Or run the test app somewhere where you don't need the VPN?
Will you need to use the VPN in CI/CD?

If not, then you'll have to try to debug the VPN problem :/
I think it's more likely to be a problem with the VPN than ZAP, but obviously I can't be sure.

Cheers,

Simon