Ajax authenticated scanning through local api


Aakhash Ganesh

Dec 26, 2023, 11:30:41 AM
to ZAP User Group
Hello,

I want to do some authenticated scanning based on some headers and cookies through the ZAP local API. I have an authentication and HTTP sender script that takes in cookies and an authentication token and passes them on as headers. I have this flow working for spider and active scans, but when I perform an Ajax spider scan, it doesn’t have the authentication. What APIs and process should I be using for this flow? I followed this video https://youtu.be/F5CyM4akOAs?si=FBrw6vv6SqXiGYyB to perform the scan locally and I was able to get the Ajax spidering working. But we’re having trouble automating this using the local API.

———————————
Thank You,
Aakhash Ganesh

Ajey K

Dec 28, 2023, 4:10:25 AM
to ZAP User Group

Hello,
For the above Ajax Spider scan we flagged a few fields as session fields, and then starting the Ajax Spider scan using the session with the marked fields gives a lot of valid URLs as a result.

But trying to achieve the same through the APIs in this order is not yielding the same set of results:

Interface.HttpSessions().CreateEmptySession(target, <contextId>)

Interface.HttpSessions().SetSessionTokenValue(target, <contextId>, key, value)

Interface.HttpSessions().SetActiveSession(target, <contextId>)

Interface.AjaxSpider().Scan(target, "true", <contextId>, "true")

Need inputs to achieve the same results from the API as we get from the ZAP GUI.
Thank you
Ajey
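The call sequence from the post above, as an added example in Python against ZAP's local JSON API (not code from the thread or from the ZAP project): it registers the session token name, creates and activates the session, checks that ZAP actually reports it as active before starting the Ajax Spider, then polls until the spider stops. The ZAP address, API key, site, URL and token values are assumptions; the `transport` hook lets the call order be exercised offline. Whether the injected token actually logs the spider's browser in is, as noted later in the thread, application specific.

```python
import json
import time
import urllib.parse
import urllib.request


class ZapApi:
    """Minimal JSON client for ZAP's local API (added example, not ZAP's own client)."""

    def __init__(self, base="http://127.0.0.1:8080", apikey="changeme", transport=None):
        self.base, self.apikey = base, apikey          # assumed ZAP address and API key
        self.transport = transport or self._http       # transport(url) -> parsed JSON
        self.calls = []                                # ordered (component, kind, name, params)

    @staticmethod
    def _http(url):
        with urllib.request.urlopen(url, timeout=30) as resp:
            return json.loads(resp.read().decode())

    def call(self, component, kind, name, **params):
        self.calls.append((component, kind, name, params))
        query = urllib.parse.urlencode({**params, "apikey": self.apikey})
        return self.transport(f"{self.base}/JSON/{component}/{kind}/{name}/?{query}")

    def value(self, component, kind, name, **params):
        # ZAP views wrap a single value in a one-key object; unwrap it as the official client does
        return next(iter(self.call(component, kind, name, **params).values()))


def ajax_spider_with_session(zap, site, url, token_name, token_value,
                             session="api-session", context=None, poll=2.0):
    """Register the token, create and activate a session carrying it, then run the Ajax Spider.

    `site` is the host:port form the httpSessions API expects; `url` is the spider start URL.
    Raises if ZAP does not report the session as active, so the scan never runs
    unauthenticated by mistake. Returns the number of Ajax Spider results.
    """
    zap.call("httpSessions", "action", "addSessionToken", site=site, sessionToken=token_name)
    zap.call("httpSessions", "action", "createEmptySession", site=site, session=session)
    zap.call("httpSessions", "action", "setSessionTokenValue", site=site, session=session,
             sessionToken=token_name, tokenValue=token_value)
    zap.call("httpSessions", "action", "setActiveSession", site=site, session=session)
    active = zap.value("httpSessions", "view", "activeSession", site=site)
    if active != session:
        raise RuntimeError(f"expected active session {session!r}, ZAP reports {active!r}")
    scan = {"url": url, "inScope": "true", "subtreeOnly": "true"}
    if context:
        scan["contextName"] = context
    zap.call("ajaxSpider", "action", "scan", **scan)
    while zap.value("ajaxSpider", "view", "status") == "running":
        time.sleep(poll)
    return int(zap.value("ajaxSpider", "view", "numberOfResults"))
```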

Simon Bennetts

Dec 28, 2023, 9:52:05 AM
to ZAP User Group
Authenticating to your app via headers and cookies won't log you in via a browser.
It _is_ possible to log in to some apps by injecting session tokens, but it's very app specific.

But this is not the recommended option.
Ideally in conjunction with auth auto detection: https://www.zaproxy.org/blog/2023-05-02-authentication-auto-detection/

For lots more info on how to handle authentication in ZAP see https://www.zaproxy.org/docs/authentication/

Cheers,

Simon

Aakhash Ganesh

Dec 29, 2023, 5:48:23 AM
to ZAP User Group
Browser-based authentication doesn’t seem to be something I can use for my use case, as the authentication flow is an OAuth 2.0 system. That’s why, from what I could understand from the docs and ZAP videos, I selected the HTTP session tokens method.
Is there a way to get around this issue using browser-based authentication through the API? I couldn’t find any documentation on that.

Simon Bennetts

Dec 29, 2023, 5:50:05 AM
to ZAP User Group
Does your application have a web based UI?
If it does, how do you authenticate? Via a login page or ??

Aakhash Ganesh

Dec 29, 2023, 3:27:38 PM
to ZAP User Group
It uses Azure AD. So it’s the Microsoft multipage login.

Simon Bennetts

Dec 30, 2023, 6:00:48 AM
to ZAP User Group
Does your application have a web based UI?
Do you know of any example Microsoft multipage login examples we can test against?