OWASP ZAP: How to use TLS client certificate authentication?


somexp12

Aug 21, 2018, 10:11:09 AM
to OWASP ZAP User Group
I asked this originally on Security StackExchange (https://security.stackexchange.com/questions/191772/owasp-zap-how-to-use-tls-client-certificate-authentication/191776?noredirect=1#comment379823_191776 ). The original question was answered by Mr. Bennetts, but he suggested I move it here also.

Here is the question:

Is there a way to get OWASP ZAP to send a client certificate?

I have an HTTPS website that receives client certificates for authentication. I have the certificates installed in the browser. Previously, when I went to the website (in Firefox), I would be prompted to select one of the installed certificates. I would then be authenticated with the website as the user associated with the certificate.

However, after setting up the browser to use a proxy, I am no longer prompted to select a certificate, and the browser just displays this message:

"400 Bad Request
No required SSL certificate was sent
nginx/1.10.2"

It looks like I need to get OWASP ZAP to send the certificate in place of the browser or, somehow, get the browser to force ZAP to forward the certificate. Is there some way for me to do this? Is this something that ZAP supports?


Edit: My setup works like this: There are three components: Firefox, OWASP ZAP and a Selenium project. Previously, it was just Selenium and Firefox. The application I am testing has multiple users with different roles. The Selenium test cases involve logging in as one user, performing a task as that user (which generates work for another user), logging in as the next user, performing work as that user, etc. Each user has its own certificate to log in.

Previously, I created multiple Firefox profiles (one for each user) and added a single certificate for each profile. When I accessed the site with one of these profiles, the browser would default to the single certificate. Selenium could then switch between users by closing the old browser and opening a new one with the correct profile.

Right now, I use ZAP by opening the appropriate browser profile, setting the proxy to localhost:8080, starting the ZAP GUI, and then running the Selenium test which uses the aforementioned profile. Later, I manually set the contexts, run the spider and switch to Attack Mode. Thus far, I have been helped in getting ZAP to use a single certificate at a time, which has been a significant change.

(The "Edit" was put in after I had gotten an answer, so I could clarify my setup and the specific work I am trying to do. I had some follow-up questions, for which my setup was pertinent.)

So, it turns out that I can set the certificates that ZAP sends by going to the ZAP Options->Certificates. That location allowed me to add multiple certificates to ZAP's keystore, and I am able to switch between the certificates by using "Set Active".

At this point, I am working on getting Selenium to instruct ZAP to switch between active certificates. My Selenium tests have to log in as multiple users and, while they were previously successful at switching between certificates in the browser by switching between browser profiles, because ZAP is now the entity that sends the certificates, I need to find a new way to do this.

I jumped into this before reading up appropriately on the ZAP API, so I am going back and researching that.
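
The orchestration the post is working toward (a test harness that tells ZAP which user's certificate to present before each Selenium session starts) can be scripted against the ZAP JSON API. The following is an added example, not code from the thread or from the ZAP project. It assumes ZAP listens on localhost:8080 with an API key set, and it assumes the `network` add-on's `addPkcs12ClientCertificate` (parameters `filePath`, `password`) and `setUseClientCertificate` (parameter `use`) actions; verify those names against the API listing of the ZAP version you run (e.g. http://localhost:8080/UI/network/) before relying on them. The HTTP transport is injectable so the sequencing can be exercised without a running ZAP.

```python
"""Switch the client certificate ZAP presents before each user's Selenium session.

Added example; not from the thread. Endpoint and parameter names below are
assumptions about the ZAP 'network' add-on API and must be checked against
your ZAP version's API listing.
"""
import json
from urllib.parse import urlencode
from urllib.request import urlopen

ZAP_BASE = "http://localhost:8080"  # assumed ZAP proxy/API address


def build_api_url(base, component, action, api_key, **params):
    """Build a ZAP JSON API action URL: /JSON/<component>/action/<action>/?apikey=...&..."""
    query = {"apikey": api_key, **params}
    return f"{base}/JSON/{component}/action/{action}/?{urlencode(query)}"


def http_get_json(url):
    """Default transport: GET the URL and decode ZAP's JSON reply."""
    with urlopen(url, timeout=10) as resp:
        return json.loads(resp.read().decode("utf-8"))


def activate_client_certificate(pkcs12_path, password, api_key,
                                base=ZAP_BASE, http_get=http_get_json):
    """Load one user's PKCS#12 file into ZAP and enable client-certificate use.

    Returns the list of (url, response) pairs so a caller can log or assert on
    exactly what was sent to ZAP.
    """
    calls = []
    # Assumed endpoint: network/action/addPkcs12ClientCertificate
    url = build_api_url(base, "network", "addPkcs12ClientCertificate", api_key,
                        filePath=pkcs12_path, password=password)
    calls.append((url, http_get(url)))
    # Assumed endpoint: network/action/setUseClientCertificate
    url = build_api_url(base, "network", "setUseClientCertificate", api_key, use="true")
    calls.append((url, http_get(url)))
    return calls


def run_as_each_user(users, api_key, run_session, base=ZAP_BASE, http_get=http_get_json):
    """For each (name, pkcs12_path, password), make that user's certificate active in
    ZAP, then run the caller's Selenium scenario for that user.

    'run_session(name)' is whatever opens the browser profile and drives the test;
    it is passed in so this function stays independent of the Selenium bindings.
    Returns the order in which users were run.
    """
    order = []
    for name, pkcs12_path, password in users:
        activate_client_certificate(pkcs12_path, password, api_key, base, http_get)
        run_session(name)
        order.append(name)
    return order


if __name__ == "__main__":
    # Constructed sample: two users with separate PKCS#12 files (paths are placeholders).
    sample_users = [
        ("alice", "/path/to/alice.p12", "alice-p12-password"),
        ("bob", "/path/to/bob.p12", "bob-p12-password"),
    ]
    print(run_as_each_user(sample_users, "YOUR-ZAP-API-KEY",
                           lambda name: print(f"would run Selenium scenario as {name}")))
```

The design choice worth noting is that the certificate switch happens in ZAP, not in the browser profile: once the browser proxies through ZAP, the TLS session that carries the client certificate terminates at ZAP, so the browser's own certificate store is no longer consulted for the upstream connection. Switching users therefore means telling ZAP which PKCS#12 file to use before each session, which is what `activate_client_certificate` does.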

kingthorin+owaspzap

Aug 21, 2018, 11:30:00 AM
to OWASP ZAP User Group
There's a Pull Request currently in the pipeline that will probably facilitate what you need:

