Cookie-based authentication


Diane Smith

Feb 27, 2022, 2:26:07 PM
to OWASP ZAP User Group
Hi all,

I have a website that I'm doing an active scan on, and it uses cookie-based authentication.
However, the cookie times out after 10 minutes.

Eventually, ZAP logs in again (using the form-based authentication that I set up).
And that eventually times out after 10 minutes. And so on.

Is there a way to stop the ZAP active scan when it is not authenticated,
and resume it when it is?
The reason is that when the scan is not authenticated (after the timeout), I get
some high alerts that seem to be false positives.

Please advise on how best to handle the above situation.
Thanks,
Diane

Diane Smith

Feb 28, 2022, 4:09:51 PM
to OWASP ZAP User Group
 
I am pretty stuck and would really appreciate any feedback, or direction on this.

Thank you!

Simon Bennetts

Mar 1, 2022, 3:52:36 AM
to OWASP ZAP User Group
How are you handling authentication?
Are you using ZAP to perform authentication, and if so what verification strategy are you using?

Cheers,

Simon

Diane Smith

Mar 1, 2022, 9:23:20 AM
to OWASP ZAP User Group
Thanks, Simon, for getting back to me.

I'm using a Zest script for authentication, which I recorded while logging in to the website.

Unfortunately, I don't have an automated verification strategy.
However, when I run the scan from the desktop, I see it authenticate
(the header shows the user name), and after a while it gives 401 Unauthorized.
After a while it authenticates again (because the URL redirects to /login).

Thanks for any help.

Simon Bennetts

Mar 1, 2022, 12:03:27 PM
to OWASP ZAP User Group
Right now the only way ZAP will be able to help is if you define a verification strategy.
Can you find a URL that reliably indicates whether you are logged in or not?

Diane Smith

Mar 2, 2022, 1:25:29 PM
to OWASP ZAP User Group
Thanks, Simon, for the clarification. That seems to have fixed it.
I found a URL that I can use.
So, I used Verification Strategy: Poll the specified URL.
I put in a regex pattern for logged-out messages.
I set the poll frequency to 60 requests.

Then, I did 2 scans back to back, and the alerts from
the 2 scans were much more similar than before.

2 followup questions:
1) Should I change the poll frequency to something else?
2) I'm using Python with owasp-zap, and I noticed that the Python API does not
support poll frequency as a context verification strategy. Is this true?
If so, is there a workaround?

Again, thanks, Simon, for all your help.

Simon Bennetts

Mar 3, 2022, 5:00:04 AM
to OWASP ZAP User Group
Replies inline:

> 2 followup questions:
> 1) Should I change the poll frequency to something else?

That all depends on your application and what your requirements are.
If the poll request is relatively quick and doesn't consume many resources then you could reduce the frequency.
This will result in more poll requests but you should find out if you are no longer authenticated more quickly.
 
> 2) I'm using Python with owasp-zap, and I noticed that the Python API does not
> support poll frequency as a context verification strategy. Is this true?
> If so, is there a workaround?

I do not recommend setting up contexts via individual API calls.
Instead I think it's usually much better to set up the context in the ZAP desktop, where you can check that it appears to be working as required.
Then export that context to a file.
You can import this context file via the API - this is supported by the python API.

Pro tip - you can actually call any ZAP API endpoint using the Python API even if it is not explicitly supported ;)
We should document that somewhere...

Cheers,

Simon
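
The workflow Simon describes, written out as an added example in Python (this is not code from the thread or from the ZAP project): the context, including the Zest authentication script and the poll-based verification, is built and checked in the ZAP desktop and exported; the script imports that file, looks up the context's user, starts the active scan as that user, and uses the client's generic request method for any endpoint the Python client lacks a wrapper for. It also includes the check a practitioner wants before exporting: that the logged-out regex matches the logged-out page and nothing else. The proxy address, API key, context file path and name, target URL and the sample regex and response bodies are all assumptions.

```python
"""Authenticated ZAP active scan from Python: import a desktop-exported
context, scan as one of its users, and call unwrapped API endpoints."""
import re
import time
from typing import Any, Dict, Optional

try:
    from zapv2 import ZAPv2  # pip install python-owasp-zap-v2.4
except ImportError:          # keep the helpers importable without the client
    ZAPv2 = None

# Assumed values, not taken from the thread.
ZAP_PROXY = "http://127.0.0.1:8090"
API_KEY = "changeme"
CONTEXT_FILE = "/zap/contexts/myapp.context"  # exported from the ZAP desktop
CONTEXT_NAME = "myapp"                         # the name stored in that file
TARGET = "https://app.example.com/"


def api_call(zap: Any, component: str, kind: str, name: str, **params: str) -> Dict[str, Any]:
    """Call any ZAP API endpoint, whether or not the Python client wraps it.

    The client's _request() adds the API key and parses the JSON response,
    so api_call(zap, "context", "action", "importContext", contextFile=p)
    requests http://zap/JSON/context/action/importContext/?contextFile=p.
    """
    if kind not in ("view", "action"):
        raise ValueError("kind must be 'view' or 'action'")
    return zap._request(f"{zap.base}{component}/{kind}/{name}/", params)


def check_logged_out_regex(regex: str, logged_in_body: str, logged_out_body: str) -> bool:
    """Sanity-check a logged-out indicator before exporting the context.

    Poll verification treats a match as "session expired, re-authenticate".
    A pattern that also matches the logged-in page makes ZAP log in on every
    poll; one that matches neither lets the scan continue unauthenticated,
    which is what produced the false-positive high alerts in the first post.
    """
    pattern = re.compile(regex)
    return bool(pattern.search(logged_out_body)) and pattern.search(logged_in_body) is None


def import_context(zap: Any, path: str, name: str) -> str:
    """Import a desktop-exported context file and return the context id."""
    zap.context.import_context(path)
    return str(zap.context.context(name)["id"])


def run_authenticated_scan(zap: Any, context_id: str, target: str,
                           user_name: Optional[str] = None) -> str:
    """Active-scan `target` as a context user and block until it finishes.

    Re-authentication is ZAP's job here: the poll URL, logged-out regex and
    poll frequency travel with the imported context.
    """
    users = zap.users.users_list(context_id)
    user = next((u for u in users if user_name in (None, u["name"])), None)
    if user is None:
        raise RuntimeError(f"no user {user_name!r} in context {context_id}")
    # This endpoint is wrapped by the client too; the generic form is shown
    # because the same call works for endpoints that are not wrapped.
    indicator = api_call(zap, "authentication", "view", "getLoggedOutIndicator",
                         contextId=context_id)
    print("logged-out indicator in use:", indicator)
    scan_id = zap.ascan.scan_as_user(target, context_id, user["id"])
    while int(zap.ascan.status(scan_id)) < 100:
        time.sleep(5)
    return scan_id


if __name__ == "__main__":
    if ZAPv2 is None:
        raise SystemExit("install python-owasp-zap-v2.4 first")
    # Constructed sample bodies: check the indicator before trusting the scan.
    assert check_logged_out_regex(r"Please sign in|/login",
                                  "Welcome back, diane", "<h1>Please sign in</h1>")
    zap = ZAPv2(apikey=API_KEY, proxies={"http": ZAP_PROXY, "https": ZAP_PROXY})
    ctx_id = import_context(zap, CONTEXT_FILE, CONTEXT_NAME)
    scan = run_authenticated_scan(zap, ctx_id, TARGET)
    print(f"scan {scan} done, {len(zap.core.alerts(baseurl=TARGET))} alerts")
```

Run it against a ZAP instance started with the same API key; exporting the context from the desktop after a successful manual scan, rather than assembling it from individual API calls, is the point of the reply above, and `api_call` is the fallback for anything the client does not expose.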

Diane Smith

Mar 3, 2022, 10:41:01 AM
to OWASP ZAP User Group
Thanks Simon for the tips and suggestions above.

Re the context and saving it as a file: that may not work for our environment,
because we may have different base URLs that we can scan.
Can a context accept variable base URLs, which we can supply at runtime?

Again, thanks.

Simon Bennetts

Mar 3, 2022, 11:04:52 AM
to OWASP ZAP User Group
No, but if you're going down that route then definitely have a look at the Automation Framework: https://www.zaproxy.org/docs/automate/automation-framework/

That's designed for that sort of use case.

Cheers,

Simon

Diane Smith

Mar 3, 2022, 3:44:57 PM
to OWASP ZAP User Group
Great.

Thank you so much!