Authorisation in automation framework


Asker

Oct 30, 2024, 4:36:09 AM
to ZAP User Group
Hello!

I'm trying to set up an automation active scan with script-based authentication, but it fails.
What is necessary to run an active scan with session checking and automatic re-auth if the session was terminated?
I set up these options:
1) Context - Authentication - script-based - load Zest script. The script handles the auth token and sets it to a global variable.
2) Activate an HTTP sender script to check and replace the auth token from the global variable. The script works fine (looking at other tests).
3) Context - Authentication - verification strategy - I tried to set up "check every response" with the body regex ".*non authorized.*", but it doesn't work.
4) Session management - I tried to set up cookie-based or auto.
5) Context - Authorization - I tried to set up "check every response" with the body regex "non authorized", like in point 3, but it doesn't work.
6) In the automation plan I set import HAR, activate the HTTP sender script and active scan. But the unauthorized patterns don't work and I catch "non authorized" messages in the active scan results. The Zest auth script is not started.

Which options must be activated to check the session and re-auth if the session was terminated? What is the trigger to run the auth script?

Thanks.


Simon Bennetts

Oct 30, 2024, 9:02:35 AM
to ZAP User Group
Have you read these docs?
The ZAP authentication handling is _very_ flexible, so there is no one set of steps you need to follow.
Look at the above docs, and if those don't help then:
  • Are any errors logged?
  • Can you reproduce the problem in the ZAP Desktop?
Cheers,

Simon

Asker

Oct 30, 2024, 10:48:06 AM
to ZAP User Group
Yes, sure, but it doesn't help.
I start the plan in ZAP Desktop.
Note: my web application has two-factor auth with a 10+ request chain. But the Zest auth script worked successfully.

The problem was in the authentication verification mechanism.
I tried to use a special request to a URL and check the response, with a poll frequency of 20 requests.
But this request is never sent. It is not present in the History tab, the Active Scan tab or the Zest tab.
In the logs there are no errors; all jobs are started and end successfully.
Or if I use verification on every request, same problem. I think it is not started/working, like the poll request method.

Maybe it is necessary to activate some options to start the auth verification mechanism?

My YAML:
env:
  contexts:
  - name: test_context
    urls:
    - https://first.example.com
    - https://second.example.com
    includePaths:
    - https://first.example.com.*
    - https://second.example.com.*
    excludePaths:
    - https://third.example.com.*
    authentication:
      method: script
      parameters:
        script: /home/user/.ZAP/scripts/scripts/authentication/auth.zst
        scriptEngine: Mozilla Zest
      verification:
        method: poll
        loggedInRegex: ".*\"status\".:.\"success\".*" # OR ""status".:."success"" OR "success" OR lot of variants
        loggedOutRegex: ".*\"status\".:.\"notAutorized\".*" # same lot variants
        pollFrequency: 20
        pollUnits: requests
        pollUrl: https://second.example.com/bla/bla/bla/clientinfo
        pollPostData: "{\"param\":{\"param\":\"param\"}}"
    sessionManagement:
      method: cookie
    technology: {}
    structure: {}
  parameters: {}
jobs:
- type: passiveScan-config
  parameters: {}
- type: import
  parameters:
    type: har
    fileName: /home/user/ZAP/har1.har
- type: activeScan
  parameters:
    context: test_context
    user: ""
    policy: ""
    maxRuleDurationInMins: 0
    maxScanDurationInMins: 0
    maxAlertsPerRule: 0
  policyDefinition:
    defaultStrength: medium
    defaultThreshold: medium
- type: passiveScan-wait
  parameters: {}
- type: report
  parameters:
    template: risk-confidence-html
    reportTitle: ZAP by Checkmarx Scanning Report
    reportDescription: ""


Wednesday, October 30, 2024 at 16:02:35 UTC+3, psi...@gmail.com:

Simon Bennetts

Oct 31, 2024, 7:16:34 AM
to ZAP User Group
You need to define a user in your plan and to use that in the relevant jobs.
If your scripts contain the credentials then you can put dummy ones in the plan, but they are needed.
Also, you are not exploring your app.
You need to do that before active scanning.

Cheers,

Simon
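As an added example (not from the thread or the ZAP project docs), this is how the plan posted above could declare a user with dummy credentials and pass it to an exploration job and the active scan, as Simon describes. The user name `scan_user`, the `username`/`password` credential parameter names and the use of a spider job for exploration are assumptions.

```yaml
env:
  contexts:
  - name: test_context
    urls:
    - https://first.example.com
    - https://second.example.com
    includePaths:
    - https://first.example.com.*
    - https://second.example.com.*
    authentication:
      method: script
      parameters:
        script: /home/user/.ZAP/scripts/scripts/authentication/auth.zst
        scriptEngine: Mozilla Zest
      verification:
        method: poll
        loggedInRegex: ".*\"status\".:.\"success\".*"
        loggedOutRegex: ".*\"status\".:.\"notAutorized\".*"
        pollFrequency: 20
        pollUnits: requests
        pollUrl: https://second.example.com/bla/bla/bla/clientinfo
        pollPostData: "{\"param\":{\"param\":\"param\"}}"
    sessionManagement:
      method: cookie
    # A user is required even though the Zest script carries the real
    # credentials: the verification poll and re-auth run as this user.
    users:
    - name: scan_user            # assumed name
      credentials:
        username: dummy          # placeholders; the script holds the real ones
        password: dummy
jobs:
- type: import
  parameters:
    type: har
    fileName: /home/user/ZAP/har1.har
# Explore the app as the user before active scanning.
- type: spider
  parameters:
    context: test_context
    user: scan_user
- type: activeScan
  parameters:
    context: test_context
    user: scan_user            # was "" in the original plan
  policyDefinition:
    defaultStrength: medium
    defaultThreshold: medium
```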

Asker

Oct 31, 2024, 8:41:06 AM
to ZAP User Group
Thanks a lot!

Yes, in my case the Zest script contains credentials.
You mean the "users" and "forced users" points in the context, right?
Is it possible to use in the Zest script a variable that gets creds from the YAML?

Thursday, October 31, 2024 at 14:16:34 UTC+3, psi...@gmail.com:

Simon Bennetts

Oct 31, 2024, 10:14:13 AM
to ZAP User Group
NO! Do NOT use "forced users" in automation.
That was only ever meant for manual testing. I need to update the docs to make that much clearer ;)


Re passing an AF param into a Zest script .. let me get back to you on that ..

Cheers,

Simon

Simon Bennetts

Oct 31, 2024, 10:40:45 AM
to ZAP User Group
You'll probably need to set an environmental variable using a "standard" script (eg JavaScript).
That can then be read in Zest.

Cheers,

Simon