Automation Framework - Is a browser(headless) being used by the scans?


Ohav

Aug 1, 2022, 6:50:08 AM
to OWASP ZAP User Group
Hey.
I am using the Automation Framework and using all scan jobs (spider, spiderAjax and activeScan)

A thing that is very unclear to me is whether a browser takes part in my scans and, if so, when and what its value is.

If a browser is being used in the scans, is it possible to instruct the scanner to authenticate by filling in a form and submitting the form using the browser, and in this way create an authenticated session?

Thanks

thc...@gmail.com

Aug 1, 2022, 7:00:15 AM
to zaprox...@googlegroups.com
Hi.

The AJAX Spider and DOM XSS use a browser (Firefox by default). The authentication is done automatically based on the context.

https://www.zaproxy.org/docs/desktop/addons/ajax-spider/
https://www.zaproxy.org/docs/desktop/addons/dom-xss-active-scan-rule/


It's possible to use a Selenium script to fill the form and authenticate, but in most cases it's not necessary.
https://www.zaproxy.org/docs/desktop/addons/selenium/

Best regards.

On 01/08/2022 11:50, Ohav wrote:
> Hey.
> I am using the Automation Framework and using all scan jobs (spider,
> spiderAjax and activeScan)
>
> A thing that is very unclear for me is whether a browser takes part in my
> scans and if so, when and what is its value.
>
> If a browser *is being used in* the scans, Is it possible to instruct the

Ohav

Aug 1, 2022, 7:12:11 AM
to OWASP ZAP User Group
Thanks. So if I understand correctly, for the authentication part no browser is being used.

And 2 follow-up questions:
I am using the 'ajaxSpider' after 'spider' and before 'activeScan' with the following configuration:
```
- type: spiderAjax
- type: delay
  parameters:
    time: 2
```
1. As can be seen, it doesn't accept the `user` parameter. So when spiderAjax is launched, does it not authenticate, and so only explore URLs in the login page area?

2. If I am using the 'activeScan' job after the 'spider' job and I am using authentication in the 'spider' job:
    Is the 'activeScan' job completely separated from the 'spider' job, or does the 'activeScan' job use the session which is created in the 'spider' job? Meaning, it's just a continuation scan and not a new separate scan?

Thanks

Simon Bennetts

Aug 2, 2022, 3:10:47 AM
to OWASP ZAP User Group
I've just checked the code and the spiderAjax job _does_ support both the "user" and "context" parameters - they are configurable via the UI as well.
However the help doesn't show them, so I'll get that updated.

The spiders and the active scanner do different things. The spiders explore while the active scanner attacks things that have been explored.
They all use the same ZAP session.
Whether or not they use the same target app session is a completely different matter - if you have configured authentication correctly then ZAP will re-authenticate as required.

Cheers,

Simon

Ohav

Aug 2, 2022, 8:37:17 AM
to OWASP ZAP User Group
Thanks Simon.

I will finish with a last question:

When authentication is configured (with the Automation Framework), will the whole session be authenticated? I mean, does the authentication happen and the session cookie get received as the first step of the full scan?
I am asking because I wonder if ZAP will see pages that are accessible only for non-authenticated requests.
Basically, I am trying to understand if non-authenticated pages are being covered as well in an authenticated scan.

Cheers,
Ohav

Simon Bennetts

Aug 3, 2022, 3:36:30 AM
to OWASP ZAP User Group
Hi Ohav,

If you correctly configure authentication and specify that it should be used then ZAP should only access the pages as an authenticated user.
But that's a big "if" :)
You should verify that it is all working as you expect using the authentication stats.

If you want to cover non-authenticated pages as well then either run 2 plans, one with authentication and one without, or first explore and scan your sites without authentication and then explore and scan your site with authentication - you can have as many jobs as you like.

Cheers,

Simon
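
To make the "big if" in the two replies above concrete, here is an added example plan; it is not from this thread or from the ZAP project's own docs. The field names follow the Automation Framework env/job format (form-based authentication, response-based verification, cookie session management, a named user), but everything target-specific is assumed: the host app.example.test, the /login form that posts username and password, the "Logout"/"Login" strings used as logged-in/logged-out markers, the context name "app", and the throwaway credentials. The user name authentication-user is the one used in Ohav's plan. Note that with the form method ZAP replays the login POST itself; the only job here that drives a (headless) browser is spiderAjax.

```yaml
# Added example plan (not from this thread or the ZAP docs). Assumed target:
# https://app.example.test with a form login at /login that posts
# username/password and shows a "Logout" link only while logged in.
env:
  contexts:
    - name: "app"
      urls:
        - "https://app.example.test"
      includePaths:
        - "https://app.example.test/.*"
      excludePaths:
        - "https://app.example.test/logout.*"   # stop a spider from logging the session out
      authentication:
        method: "form"
        parameters:
          loginPageUrl: "https://app.example.test/login"
          loginRequestUrl: "https://app.example.test/login"
          # {%username%} / {%password%} are filled from the user's credentials;
          # ZAP replays this POST directly, no browser is involved for the login
          loginRequestBody: "username={%username%}&password={%password%}"
        verification:
          # ZAP checks every response against these; a loggedOutRegex hit
          # triggers re-authentication, which is what keeps the session valid
          method: "response"
          loggedInRegex: "\\QLogout\\E"
          loggedOutRegex: "\\QLogin\\E"
      sessionManagement:
        method: "cookie"
      users:
        - name: "authentication-user"
          credentials:
            username: "alice"          # assumed test account, not a real user
            password: "s3cret"
  parameters:
    failOnError: true
    failOnWarning: false
    progressToStdout: true

jobs:
  # Unauthenticated pass first: covers pages that are only reachable before login.
  - type: spider
    parameters:
      context: "app"
  - type: spiderAjax
    parameters:
      context: "app"
      browserId: "firefox-headless"   # the one job here that actually drives a browser
  - type: activeScan
    parameters:
      context: "app"

  # Authenticated pass: every job names the user; a job without "user" runs logged out.
  - type: spider
    parameters:
      context: "app"
      user: "authentication-user"
  - type: spiderAjax
    parameters:
      context: "app"
      user: "authentication-user"
      browserId: "firefox-headless"
  - type: activeScan
    parameters:
      context: "app"
      user: "authentication-user"

  - type: report
    parameters:
      template: "traditional-json"
      reportDir: "/zap/wrk"
```

After a run, check the stats.auth.* site statistics ZAP records (the "authentication stats" mentioned above) before trusting the authenticated results: if the logged-out regex is matching on every page, or no successful logins are counted, the authenticated jobs have been crawling and attacking as an anonymous user, and the two passes will find the same things.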

Ohav

Aug 3, 2022, 11:03:25 AM
to OWASP ZAP User Group
Thanks Simon. Following up on your comment, I added the same 3 jobs without authentication to start with. Surprisingly, in this scan ZAP found fewer findings (1 instead of 2).
Is it possible that I have added non-authenticated scans at the start and now I see fewer findings than without them?
This is the YAML I used, with the 3 new jobs at the start:
```
jobs:
  # Non-authenticated scan
  - type: spider
  - type: delay # We use a delay between scans to spot the difference between the different scans
    parameters:
      time: 2

  - type: spiderAjax
  - type: delay
    parameters:
      time: 2

  - type: activeScan

  - type: delay
    parameters:
      time: 2

  # Authenticated scan
  - type: spider
    parameters:
      user: authentication-user

  - type: delay
    parameters:
      time: 2

  - type: spiderAjax
    parameters:
      user: authentication-user

  - type: delay
    parameters:
      time: 2

  - type: activeScan
    parameters:
      user: authentication-user

  - type: report
    parameters:
      template: traditional-json
      reportDir: /zap/wrk
      risks:
        - high
      confidences:
        - high
        - medium
```

Simon Bennetts

Aug 4, 2022, 5:35:02 AM
to OWASP ZAP User Group
It's really hard to diagnose these things without access to the target app :)
If you can run desktop ZAP against them then run the plan that way - you can then see what it finds much more easily.

Cheers,

Simon