How to set up authentication which uses jwt tokens.


Abhishek Jha

Jan 23, 2023, 6:32:01 AM1/23/23
to OWASP ZAP User Group
Hi,
I am trying to set up authentication in which authentication will be done using a JWT token, so I have some questions:
1. How to set up authentication using the Automation Framework?
2. It would be really helpful if I could get at least the steps to execute authentication.
3. The JWT token that I will be using expires every 60 seconds, so is there any way we can refresh it so that it does not cause any problem during the active scan?

Simon Bennetts

Jan 23, 2023, 6:43:05 AM1/23/23
to OWASP ZAP User Group
The recommended approach is to configure and test authentication in the ZAP desktop and then create an AF plan from there using the context you have configured.
ZAP will set up the AF plan as per the context you give it, including any scripts you use.
If you configure ZAP to handle auth then it will check the verification URL you specify, and if verification fails then it will authenticate again.

As you'll see the docs are still WIP so please ask any questions you have here - the answers may well become part of the future docs ;)

Cheers,

Simon
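
The re-authentication point above applies directly to the 60-second token in the question. The following is an added example, not code from the thread or from ZAP's own scripts: it decodes the `exp` claim of a JWT and decides whether a scanner should re-authenticate before sending the next request, the same decision ZAP makes when its verification check fails. Function names and the sample token are constructed for illustration.

```javascript
// Added example: decide from a JWT's exp claim whether re-authentication is due.
// Nothing here verifies the signature; the payload is read only as a scheduling hint.

function base64UrlDecode(segment) {
  // JWT segments are base64url without padding; map to standard base64 for Buffer.
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  return Buffer.from(b64, 'base64').toString('utf8');
}

function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS: expected 3 segments');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Seconds left before exp, or null when the claim is absent.
function secondsUntilExpiry(token, nowSeconds) {
  const payload = decodeJwtPayload(token);
  if (typeof payload.exp !== 'number') return null;
  return payload.exp - nowSeconds;
}

// Re-authenticate when the token is missing, malformed, already expired, or will
// expire within marginSeconds (headroom for the request currently being built).
function needsReauth(token, nowSeconds, marginSeconds = 10) {
  if (!token) return true;
  let left;
  try {
    left = secondsUntilExpiry(token, nowSeconds);
  } catch (e) {
    return true; // unparseable token: safer to log in again than to scan with it
  }
  if (left === null) return false; // no exp claim, nothing to schedule on
  return left <= marginSeconds;
}

// Constructed sample token with a dummy signature segment (not a real signature).
function makeSampleToken(iat, exp) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/=+$/, '').replace(/\+/g, '-').replace(/\//g, '_');
  return `${enc({ alg: 'HS256', typ: 'JWT' })}.${enc({ sub: 'scanner', iat, exp })}.c2ln`;
}

const issuedAt = 1700000000;               // constructed issue time (epoch seconds)
const sampleToken = makeSampleToken(issuedAt, issuedAt + 60); // 60-second lifetime

console.log('fresh:', needsReauth(sampleToken, issuedAt + 5));        // false
console.log('near expiry:', needsReauth(sampleToken, issuedAt + 55));  // true
```

With a 60-second lifetime and a 10-second margin, a scan that re-authenticates on this signal never sends a request with a token that expires mid-flight, instead of discovering the expiry through 401 responses.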

Abhishek Jha

Jan 31, 2023, 4:38:41 AM1/31/23
to OWASP ZAP User Group

Hi Simon, I need to know how to set up ZAP to authenticate if it is using the OpenID Connect protocol?

Simon Bennetts

Feb 1, 2023, 11:46:23 AM2/1/23
to OWASP ZAP User Group
You either need to analyse and replicate all of the interactions .. or you can get the browser to handle it.

Cheers,

Simon

Abhishek Jha

Feb 14, 2023, 2:46:49 AM2/14/23
to OWASP ZAP User Group
When I am running the automation framework, configured according to my project, I am getting the following error in the spider job:

[JuiceShopAuthentication.js] Starting proxy
java.lang.RuntimeException: java.net.BindException: Cannot assign requested address[JuiceShopSession.js] no token
[JuiceShopAuthentication.js] Starting proxy
java.lang.RuntimeException: java.net.BindException: Cannot assign requested address[JuiceShopAuthentication.js] Starting proxy
java.lang.RuntimeException: java.net.BindException: Cannot assign requested address[JuiceShopSession.js] no token
[JuiceShopAuthentication.js] Starting proxy
java.lang.RuntimeException: java.net.BindException: Cannot assign requested address.

My question is what I might be doing wrong. One more thing: there is use of the word "token" in the scripts. Is it the access token or some other token? If some other token, then what token is it?

Thanks 

Abhishek Jha

Feb 14, 2023, 4:39:17 AM2/14/23
to OWASP ZAP User Group
If it is a session token, then where can I find the session token?