Docker Form Based Authentication with required headers


Andrew Perry

Jan 19, 2023, 12:59:24 AM
to OWASP ZAP User Group
Hi ZAP Community,

I'm following information for a docker scan from here:

The application has some Form Based Authentication, but it appears that the application requires some HTTP headers (cookie values) to be set, otherwise it returns a 403 response.

I am having trouble working out how to get the ZAP docker scan to detect these cookies and include them in the POST request.

My thought was to try adding these custom cookie names to the ZAP Options "HTTP Sessions" within the docker file, so that maybe they are included in the login POST request configured. Is there a way to add them via command line?

It does appear the docker scan is performing the authentication, but missing these cookie headers.

Is there any way to configure the Authentication to include these known cookie values in the request? The values are generated in the application response on the initial GET request to the login page.

Thanks,
Andrew.

Andrew Perry

Jan 19, 2023, 2:22:29 AM
to OWASP ZAP User Group
I worked out how to add the HTTP Session cookies to the scan, but this did not help add the cookie to the POST request header.

-z "-config httpsessions.tokens.token\(0\).name=example -config httpsessions.tokens.token\(0\).enabled=true"

Simon Bennetts

Jan 19, 2023, 4:29:22 AM
to OWASP ZAP User Group
Hi Andrew,

If you need ZAP to set multiple headers then right now you need to use a script.
However, that will soon change - I've been working on a new "Header-based session management method" which will allow you to add an arbitrary number of headers pulling in data from a variety of sources.
It's working well locally - I'm planning on submitting a PR very soon.
This method will be added to a ZAP add-on so will work with 2.12.0.
I'll post to this thread with updates as it would be great to get some feedback about it.

Cheers,

Simon
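As an added illustration of the script route Simon mentions (this is not code from the thread or from the ZAP project), the following is a ZAP HttpSender script in JavaScript. It uses the two hooks such scripts define, `responseReceived` and `sendingRequest`, to capture the cookies the login page sets and to add any that are missing to the Cookie header of later requests, including the login POST. It assumes that the scan fetches the login page before posting credentials and that the path of that page is the hypothetical `LOGIN_PAGE_PATH`; the required cookies are taken to be those returned in `Set-Cookie` on that GET. The parsing and merging helpers are plain JavaScript so they can be tested outside ZAP.

```javascript
// Added example: ZAP HttpSender script that carries login-page cookies into later requests.
// Not from the ZAP project; assumptions are marked below.

var LOGIN_PAGE_PATH = "/login";   // hypothetical path; set to the real login page
var capturedCookies = {};         // cookie name -> value; script globals persist between calls

// Take one Set-Cookie value ("name=value; Path=/; HttpOnly") and return {name, value}, or null.
function parseSetCookie(headerValue) {
  var first = String(headerValue).split(";")[0].trim();
  var eq = first.indexOf("=");
  if (eq <= 0) return null;
  return { name: first.substring(0, eq).trim(), value: first.substring(eq + 1).trim() };
}

// Merge an array of Set-Cookie values into the store; a later value for the same name wins.
function captureCookies(setCookieValues, store) {
  for (var i = 0; i < setCookieValues.length; i++) {
    var c = parseSetCookie(setCookieValues[i]);
    if (c) store[c.name] = c.value;
  }
  return store;
}

// Build the outgoing Cookie header: keep whatever is already there and append
// captured cookies whose names are not present yet.
function mergeCookieHeader(existing, store) {
  var present = {};
  var parts = [];
  if (existing) {
    String(existing).split(";").forEach(function (p) {
      p = p.trim();
      if (!p) return;
      present[p.split("=")[0].trim()] = true;
      parts.push(p);
    });
  }
  for (var name in store) {
    if (!present[name]) parts.push(name + "=" + store[name]);
  }
  return parts.join("; ");
}

// HttpHeader.getHeaders(name) returns a java.util.List<String> (or null); copy it to an array.
function javaListToArray(list) {
  var out = [];
  if (list === null || list === undefined) return out;
  for (var i = 0; i < list.size(); i++) out.push(String(list.get(i)));
  return out;
}

// ZAP calls this before every request is sent.
function sendingRequest(msg, initiator, helper) {
  var header = msg.getRequestHeader();
  var merged = mergeCookieHeader(header.getHeader("Cookie"), capturedCookies);
  if (merged !== "") header.setHeader("Cookie", merged);
}

// ZAP calls this after every response; only the login page's Set-Cookie values are recorded.
function responseReceived(msg, initiator, helper) {
  var path = String(msg.getRequestHeader().getURI().getPath());
  if (path !== LOGIN_PAGE_PATH) return;
  var setCookies = javaListToArray(msg.getResponseHeader().getHeaders("Set-Cookie"));
  captureCookies(setCookies, capturedCookies);
}
```

Load it as an HttpSender script and enable it before the scan starts. Because it only appends cookies that are not already in the Cookie header, it does not fight with ZAP's own HTTP Sessions handling; if the application rotates the cookie values, the most recent login-page response wins, since each capture overwrites the stored value for that name.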

Andrew Perry

Jan 19, 2023, 5:34:31 PM
to OWASP ZAP User Group
Thanks Simon,

I look forward to trying it out.
