Configuring ZAP to handle a Firebase SPA client-side authentication

Segev Finer

Jun 18, 2024, 8:18:52 AM
to ZAP User Group
I'm trying to figure out how to configure ZAP to correctly authenticate to an SPA that uses Firebase. The authentication tester is able to use the app's login page via browser-based authentication, but session management seems to just detect random cookies from third-party SDKs that aren't the real session, which is actually in IndexedDB browser-side, and it doesn't detect any verification URL. I'm not sure what to do, or how to make sure stuff is configured and working correctly, as I'm not sure if it manages to log in correctly with such a partial configuration.

When I run the quick start scan with the configuration the authentication tester found, it doesn't seem to actually find much, which makes me suspect it fails to log in, and running the AJAX spider scan manually in non-headless mode seems to just loop on the login form forever (it keeps logging in and then just closes and reopens and does it again...).

I would be glad of some help on how to configure this correctly. The app uses firebase-js-sdk, which saves the actual token in IndexedDB and passes it manually in JavaScript when using the Firebase APIs, which are hosted on a different domain from the app. There is no server-side rendering and the token isn't passed in any other server requests to the app, so there isn't any obvious URL I can request to check if the app is authenticated outside the browser. So it should be the same as the Firebase auth UI demo https://fir-ui-demo-84a6c.firebaseapp.com/.

Also a few other questions:
1. If you manually explore your app, can you somehow export the discovered URLs to be used by an automated scan?
2. Since ZAP is looking into HTTP stuff, our Vite dev server isn't configured with all the security stuff a deployed app is configured with... I'm wondering what's the best practice here? Should I fully deploy the app to a separate deployment for automated testing? Or should I try and configure a local preview server that is as close as possible to the deployed config?
3. What's the current recommended way to run ZAP automatically? And how do you exclude some alerts or mark them as false positives in such a configuration, so that such a job will only really alert when something new/actual is detected?

Segev Finer

Jun 23, 2024, 7:48:34 AM
to ZAP User Group
Also, I have a site with a bunch of third-party domains that are needed for it to function. If those are not in the context, the AJAX spider rejects all requests to them with 403, which makes the site not load, but if I add them to the context, they appear when filtering for in-scope domains, which is not what I want, as I'm only interested in alerts for my own domain. So I had to define two contexts, one with all such domains and one with only my own, and set them in scope to filter as I want. And it seems like I will also need to do the same for the `activeScan` in the automation framework so it will only scan my domain... But that feels convoluted and inconvenient; am I missing something? Is there a better way to do this?

Simon Bennetts

Jun 27, 2024, 12:26:24 PM
to ZAP User Group
OK, so one step at a time.

ZAP can log in - this is a good start!
ZAP can't identify the session handling - that's a shame.

Can you identify it?

You will need to identify the session tokens that are sent from the browser to your app.
They might be stored in IndexedDB, but that's not really relevant; it's how they are used which is important.

For more details on ZAP session handling support see https://www.zaproxy.org/docs/getting-further/authentication/session-handling/

Cheers,

Simon

Segev Finer

Jun 30, 2024, 3:28:53 AM
to ZAP User Group
Due to it being an SPA with third-party API domains, it can only be told via requests sent to a third-party domain; not all requests to the app include the credentials, and the credentials are added via JS, so they won't be sent in any random fetch from the browser. I'm not sure if ZAP can handle that ATM...
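
Simon's point above is that the token has to be identified by how it is used on the wire, and the last reply notes it only travels to the third-party API domain. Here is an added example of doing that over captured requests; it is not code from the thread or from ZAP, it assumes the SDK sends the ID token as a Bearer header, and the token and requests are constructed sample data.

```javascript
// Added example (not ZAP's or the thread's code): scan captured requests for the
// Firebase ID token the SDK attaches in JavaScript and report which hosts receive it.
function decodeJwtPayload(token) {
  // A JWT is header.payload.signature, each part base64url-encoded.
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  try {
    return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
  } catch {
    return null; // not a JWT (opaque API key, cookie value, ...)
  }
}
function isFirebaseIdToken(payload) {
  // Firebase ID tokens are issued by https://securetoken.google.com/<project-id>
  // with the project id as the audience. The signature is NOT verified here.
  return !!payload
    && typeof payload.iss === 'string' && typeof payload.aud === 'string'
    && payload.iss === 'https://securetoken.google.com/' + payload.aud;
}
function findSessionTokens(requests) {
  // requests: [{ url, headers: { name: value } }], e.g. exported from a proxy.
  const findings = [];
  for (const req of requests) {
    for (const [header, value] of Object.entries(req.headers)) {
      const m = /^Bearer\s+(\S+)$/i.exec(value);
      const payload = m && decodeJwtPayload(m[1]);
      if (!isFirebaseIdToken(payload)) continue;
      findings.push({ host: new URL(req.url).host, header, project: payload.aud, uid: payload.sub });
    }
  }
  return findings;
}
// Constructed sample: an unsigned token shaped like a Firebase ID token.
const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const SAMPLE_TOKEN = [
  b64url({ alg: 'RS256', typ: 'JWT' }),
  b64url({ iss: 'https://securetoken.google.com/example-proj', aud: 'example-proj', sub: 'user-1' }),
  'not-a-real-signature',
].join('.');
// Constructed traffic: app origin, the Firebase API domain, and a third-party SDK.
const SAMPLE_REQUESTS = [
  { url: 'https://app.example.test/', headers: { Accept: 'text/html' } },              // no credential
  { url: 'https://firestore.googleapis.com/v1/projects/example-proj/databases/(default)/documents/items',
    headers: { Authorization: 'Bearer ' + SAMPLE_TOKEN } },                            // carries the token
  { url: 'https://analytics.example-vendor.test/collect', headers: { Cookie: '_ga=GA1.1.1' } }, // SDK cookie, not the session
];
console.log(findSessionTokens(SAMPLE_REQUESTS));
```

The output names the host and header that carry the session, which is what a header-based session configuration in ZAP needs; the vendor cookie and the app-origin requests are correctly ignored.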