Form Auth on GH Actions


Rakesh Partapsing

Dec 3, 2021, 10:00:29 AM
to OWASP ZAP User Group
Hi There,

I came across this:
https://www.zaproxy.org/faq/how-can-zap-automatically-authenticate-via-forms

But how does this work on github actions?

I'm trying to scan this page https://status.staging.cp.kpn-dsh.com/ which is behind Keycloak Authentication.

Help is appreciated.

Best wishes,
Rakesh

Simon Bennetts

Dec 6, 2021, 4:09:07 AM
to OWASP ZAP User Group
Hi Rakesh,

The ZAP GitHub actions do not currently directly support authentication I'm afraid.
If you can authenticate using a header then the authentication env vars may work as per https://www.zaproxy.org/docs/authentication/handling-auth-yourself/ but I haven't tried it myself.
If that doesn't work for you then you could try creating a new action which calls one of the packaged scans directly: https://www.zaproxy.org/docs/docker/

Cheers,

Simon
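Both routes Simon mentions can be driven from a workflow that calls the Docker packaged baseline scan directly. The workflow below is an added example, not code from this thread or from the ZAP project; the target host, the secret name `ZAP_AUTH_TOKEN`, the context file name `zap-context.xml` and the user name `scanner` are assumptions, and the `ZAP_AUTH_HEADER*` variables are the ones documented on the handling-auth-yourself page.

```yaml
name: ZAP baseline scan (authenticated)
on: [workflow_dispatch]

jobs:
  zap:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3   # the exported ZAP context file lives in the repo

      # Route 1: the app accepts a fixed header (bearer token, API key, cookie).
      # The packaged scans read the three ZAP_AUTH_HEADER* env vars; the value is
      # taken from a repository secret so it is never written to the job log.
      - name: Baseline scan with header auth
        env:
          ZAP_AUTH_HEADER: Authorization
          ZAP_AUTH_HEADER_VALUE: ${{ secrets.ZAP_AUTH_TOKEN }}   # assumed secret, e.g. "Bearer ..."
          ZAP_AUTH_HEADER_SITE: status.staging.example.com       # assumed host; header is only sent here
        run: |
          docker run --rm -v "$PWD:/zap/wrk/:rw" \
            -e ZAP_AUTH_HEADER -e ZAP_AUTH_HEADER_VALUE -e ZAP_AUTH_HEADER_SITE \
            owasp/zap2docker-stable zap-baseline.py \
            -t https://status.staging.example.com/ -r report-header.html

      # Route 2: form-based login defined in a context file exported from ZAP
      # Desktop. The context file must define the user named with -U; the
      # volume mount makes it visible to the container under /zap/wrk.
      - name: Baseline scan with context file
        run: |
          docker run --rm -v "$PWD:/zap/wrk/:rw" \
            owasp/zap2docker-stable zap-baseline.py \
            -t https://status.staging.example.com/ \
            -n /zap/wrk/zap-context.xml -U scanner -r report-context.html
```

Run the context-file route only after the login has been verified in ZAP Desktop, as Simon advises later in the thread; an unverified context file makes the scan silently unauthenticated.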

Rakesh Partapsing

Dec 6, 2021, 5:11:10 AM
to OWASP ZAP User Group
Hi Simon,

Thank you for your response!
I could use the docker containers indeed. Is there an example of such a context file? And where to find post 2.9.0?
-U user username to use for authenticated scans - must be defined in the given context file (post 2.9.0)

Best wishes,
Rakesh

Simon Bennetts

Dec 6, 2021, 5:35:08 AM
to OWASP ZAP User Group
Hi Rakesh,

We always recommend setting up and testing authentication using the ZAP Desktop.
Once you know that's working you can export the context file from the desktop to use in the packaged scans.
All of the latest docker images use ZAP 2.11.0 or later.

Cheers,

Simon

Rakesh Partapsing

Dec 6, 2021, 9:02:23 AM
to OWASP ZAP User Group
Hi Simon,

How does one handle session IDs when authenticating? Like in Keycloak, every time one logs in, there is a different session code.
No luck so far logging in to this site using Flag as Context -> Default Context: Form-based...

Best wishes,
Rakesh


Simon Bennetts

Dec 6, 2021, 9:37:35 AM
to OWASP ZAP User Group
Hi Rakesh,

As you'll see it's not complete, but it will give you more of an idea of what you'll need to do.
Everything is documented elsewhere, but the plan is to pull it all together in that section.
Also search for "authentication" in the tags on https://www.zaproxy.org/videos-list/ - we have lots of useful content there :)

Cheers,

Simon