Authentication in ZAP GitHub Actions/Localhost Target


Luca
Apr 23, 2024, 2:52:47 AM
to ZAP User Group
Hi, been working around the ZAP baseline/full scans in GitHub Actions for a while and was unable to find much/or anything regarding authentication for the GitHub Actions baseline/full scans. Is there a way to set this up? (Simple login with username/password will do, but I'm unsure on where to parse these in for ZAP to use)

Any help/guidance will be much appreciated.

Thanks,
Luca

P.S. Also been struggling to figure out how to set the target to localhost as it will attack the localhost of the GitHub runner, if anyone has a clue on this please do help.

Luca
Apr 24, 2024, 3:30:55 AM
to ZAP User Group
Hi,

Some updates on this, I've tried exporting a context that already has authentication configured from the Authentication Tester in the ZAP Desktop UI and linking that to my ZAP full scan YAML GitHub Actions file:

on:
  push:
  schedule:
    - cron: '0 22 * * *' # Runs at 6 AM GMT+8 every day

jobs:
  zap_scan:
    runs-on: ubuntu-latest
    name: Scan the webapplication
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          ref: main
      - name: Check Docker daemon status
        run: |
          sudo systemctl status docker || true
          docker info || true
      - name: ZAP Scan
        uses: zaproxy/action-f...@v0.10.0
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          docker_name: 'ghcr.io/zaproxy/zaproxy:stable'
          target: 'https://google-gruyere.appspot.com/359590344817771210252875530455144199549/'
          rules_file_name: '.zap/rules.tsv'
          # cmd_options: '-a'
          # Additional command line options
          # -j   runs the AJAX spider
          # -U   specifies which user to select from the context file
          cmd_options: '-a -d -m "1" -U "test123" -n /zap/wrk/Authentication.context'

Authentication.context file:
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<configuration>
    <context>
        <name>Authentication Test</name>
        <desc/>
        <inscope>true</inscope>
        <incregexes>https://google-gruyere.appspot.com/359590344817771210252875530455144199549/.*</incregexes>
        <tech>
            <include>Db</include>
            <include>Db.CouchDB</include>
            <include>Db.Firebird</include>
            <include>Db.HypersonicSQL</include>
            <include>Db.IBM DB2</include>
            <include>Db.Microsoft Access</include>
            <include>Db.Microsoft SQL Server</include>
            <include>Db.MongoDB</include>
            <include>Db.MySQL</include>
            <include>Db.Oracle</include>
            <include>Db.PostgreSQL</include>
            <include>Db.SAP MaxDB</include>
            <include>Db.SQLite</include>
            <include>Db.Sybase</include>
            <include>Language</include>
            <include>Language.ASP</include>
            <include>Language.C</include>
            <include>Language.JSP/Servlet</include>
            <include>Language.Java</include>
            <include>Language.Java.Spring</include>
            <include>Language.JavaScript</include>
            <include>Language.PHP</include>
            <include>Language.Python</include>
            <include>Language.Ruby</include>
            <include>Language.XML</include>
            <include>OS</include>
            <include>OS.Linux</include>
            <include>OS.MacOS</include>
            <include>OS.Windows</include>
            <include>SCM</include>
            <include>SCM.Git</include>
            <include>SCM.SVN</include>
            <include>WS</include>
            <include>WS.Apache</include>
            <include>WS.IIS</include>
            <include>WS.Tomcat</include>
        </tech>
        <urlparser>
            <class>org.zaproxy.zap.model.StandardParameterParser</class>
            <config>{"kvps":"&amp;","kvs":"=","struct":[]}</config>
        </urlparser>
        <postparser>
            <class>org.zaproxy.zap.model.StandardParameterParser</class>
            <config>{"kvps":"&amp;","kvs":"=","struct":[]}</config>
        </postparser>
        <authentication>
            <type>6</type>
            <strategy>POLL_URL</strategy>
            <pollurl>https://google-gruyere.appspot.com/359590344817771210252875530455144199549/login</pollurl>
            <polldata/>
            <pollheaders/>
            <pollfreq>2</pollfreq>
            <pollunits>REQUESTS</pollunits>
            <loggedin>\Qtest123\E</loggedin>
            <loggedout>\bSign\s*In\b</loggedout>
            <browser>
                <loginpageurl>https://google-gruyere.appspot.com/359590344817771210252875530455144199549/login</loginpageurl>
                <browserid>firefox</browserid>
                <loginpagewait>2</loginpagewait>
            </browser>
        </authentication>
        <users>
            <user>0;true;dGVzdDEyMw==;6;dGVzdDEyMw==~dGVzdDEyMw==~</user>
        </users>
        <forceduser>0</forceduser>
        <session>
            <type>3</type>
            <headers>Q29va2ll:R1JVWUVSRT17JWNvb2tpZTpHUlVZRVJFJX0=</headers>
        </session>
        <authorization>
            <type>0</type>
            <basic>
                <header/>
                <body/>
                <logic>AND</logic>
                <code>-1</code>
            </basic>
        </authorization>
    </context>
</configuration>

Firstly, I have manually changed <incregexes>https://google-gruyere.appspot.com/359590344817771210252875530455144199549.*</incregexes> to be the URL that it is (target URL) as I've realised that when it's the one that ZAP gave from the Authentication Tester (which is https://google-gruyere.appspot.com.*), ZAP will automatically make a lot of other instances of the Gruyere webapp and result in scans taking super long + a lot of duplicate results from scanning/attacking multiple instances of the same webapp. (For context, Google Gruyere allows users to create their own instance to test security on.)

Secondly, I'm now receiving errors by changing the incregexes (include in context) and it says this in the debug message when trying to run the workflow.
25135 [ZAP-IO-Server-1-2] WARN org.zaproxy.zap.extension.api.API - Bad request to API endpoint [/JSON/ascan/action/scanAsUser/] from [0:0:0:0:0:0:0:1]:

Some other logs I found interesting?
Starting new HTTPS connection (1): google-gruyere.appspot.com:443
https://google-gruyere.appspot.com:443 "GET /359590344817771210252875530455144199549/ HTTP/1.1" 200 4547
Trigger hook: zap_spider, args: 2
Spider https://google-gruyere.appspot.com/ as user test123
Starting new HTTP connection (1): localhost:49360

Active Scan https://google-gruyere.appspot.com/ with policy Default Policy as user test123
Starting new HTTP connection (1): localhost:49360
How come these logs are showing that ZAP is spidering/scanning https://google-gruyere.appspot.com/, when I have clearly declared in my full scan YAML file above that the target is a different URL?
(target: 'https://google-gruyere.appspot.com/359590344817771210252875530455144199549/')

Any guidance/help would be greatly appreciated (and much needed as I am completely clueless how to fix this).
Thanks,
Luca

Simon Bennetts
Apr 30, 2024, 4:10:33 AM
to ZAP User Group
Hi Luca,

You _can_ add authentication to the baseline / full scan actions, but it's hard.
However we now have a brand new Automation Framework Scan action: https://github.com/marketplace/actions/zap-automation-framework-scan
This is now the recommended action for any non trivial scans.
I would not recommend using a context file with an AF plan unless you absolutely have to. And if that is the case then let us know why you have to use it so we can look at fixing the problem :)
The AF environment should be able to handle the most common context configurations required.

Cheers,

Simon
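Added example (not posted by anyone in this thread, and not from the ZAP project): an Automation Framework plan that expresses the same context as the exported Authentication.context above, i.e. browser-based login against the one Gruyere instance, poll-based logged-in/logged-out verification, cookie session management and a single user "test123". The password comes from an environment variable named ZAP_AUTH_PASSWORD; that variable name, the file name plan.yaml and the job time limits are assumptions for this example. The AF substitutes ${VAR} from the environment ZAP runs in, so the secret never has to be committed alongside the plan.

```yaml
# plan.yaml - ZAP Automation Framework plan (added example, not from the thread).
# Mirrors the exported context above: browser-based login against the
# Gruyere instance, poll-based verification, one user "test123".
# ZAP_AUTH_PASSWORD is an assumed variable name; AF replaces ${VAR}
# from the environment the ZAP process sees.
env:
  contexts:
    - name: "Authentication Test"
      urls:
        - "https://google-gruyere.appspot.com/359590344817771210252875530455144199549/"
      includePaths:
        # Scoped to this one Gruyere instance rather than all of
        # appspot.com, for the same reason the thread narrows <incregexes>.
        - "https://google-gruyere.appspot.com/359590344817771210252875530455144199549/.*"
      authentication:
        method: "browser"
        parameters:
          loginPageUrl: "https://google-gruyere.appspot.com/359590344817771210252875530455144199549/login"
          loginPageWait: 2
          browserId: "firefox"
        verification:
          method: "poll"
          # Same regexes as <loggedin>/<loggedout> in the context file.
          loggedInRegex: "\\Qtest123\\E"
          loggedOutRegex: "\\bSign\\s*In\\b"
          pollFrequency: 2
          pollUnits: "requests"
          pollUrl: "https://google-gruyere.appspot.com/359590344817771210252875530455144199549/login"
      sessionManagement:
        method: "cookie"
      users:
        - name: "test123"
          credentials:
            username: "test123"
            password: "${ZAP_AUTH_PASSWORD}"
  parameters:
    failOnError: true      # a broken login or unreachable target fails the run
    failOnWarning: false
    progressToStdout: true

jobs:
  - type: spider
    parameters:
      context: "Authentication Test"
      user: "test123"        # crawl with the authenticated session
      maxDuration: 5         # minutes (assumed limit)
  - type: passiveScan-wait
    parameters:
      maxDuration: 5
  - type: activeScan
    parameters:
      context: "Authentication Test"
      user: "test123"
      policy: "Default Policy"
      maxScanDurationInMins: 30   # assumed limit
  - type: report
    parameters:
      template: "traditional-html"
      reportDir: "/zap/wrk"       # the action mounts the workspace here
      reportFile: "zap-report"
      reportTitle: "Authenticated scan"
```

Two things worth checking before relying on a run like this. First, the logged-in regex \Qtest123\E is just the username; if that string also appears on the login page (for example pre-filled in the form), ZAP will believe it is logged in when it is not, and the spider and active scan will silently run unauthenticated. Pick a marker that only an authenticated page shows, such as a logout link. Second, the plan's urls/includePaths are what the jobs use, so when the log says "Spider ... as user test123" the URL printed should be the instance URL, not the bare host; if it is not, the context scope is wrong, not the target option.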
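Added example (not from the thread or the ZAP project) for the localhost question in the first post: a workflow that starts the application under test on the runner, renders the credentials into an AF plan from a repository secret, and runs the Automation Framework action against it. Assumptions are marked in the comments: the image name ghcr.io/example-org/app and port 8080 are placeholders, .zap/plan.template.yaml is an assumed path for a plan that points its urls/includePaths at http://localhost:8080, the action tag is assumed and should be pinned to a released version, and the statement that the zaproxy actions start their Docker container with --network=host (which is what makes localhost inside the container mean the runner) is my reading of the action sources and should be verified there.

```yaml
# .github/workflows/zap-af.yml (added example, not from the thread)
name: ZAP AF scan against a service on the runner

on:
  pull_request:

jobs:
  zap_af_scan:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      # The app under test runs as a container on the runner and publishes
      # port 8080, so from the runner it is http://localhost:8080.
      # Image name and port are placeholders.
      - name: Start the application under test
        run: |
          docker run -d --name app -p 8080:8080 ghcr.io/example-org/app:latest
          # Wait for it to answer instead of scanning a half-started service.
          for i in $(seq 1 30); do
            curl -fsS http://localhost:8080/ >/dev/null && break
            sleep 2
          done
          curl -fsS http://localhost:8080/ >/dev/null   # fail early if it never came up

      # Render the secret into the plan on the runner. The workspace is mounted
      # into the ZAP container at /zap/wrk, so the rendered file is visible there
      # regardless of whether the action forwards environment variables.
      # The template uses ${ZAP_AUTH_PASSWORD} as its placeholder (assumed name).
      - name: Render the AF plan with credentials
        env:
          ZAP_AUTH_PASSWORD: ${{ secrets.ZAP_AUTH_PASSWORD }}
        run: envsubst '${ZAP_AUTH_PASSWORD}' < .zap/plan.template.yaml > .zap/plan.yaml

      # Assumed: the action runs the ZAP container with --network=host, so a
      # target of http://localhost:8080 in the plan reaches the app started
      # above, not something inside the ZAP container. Verify in the action's
      # source before depending on it.
      - name: ZAP Automation Framework scan
        uses: zaproxy/action-af@v0.1.0   # assumed tag; pin to a released version
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          plan: '.zap/plan.yaml'
```

Keep the rendered .zap/plan.yaml out of version control (it contains the password in clear once rendered); only the template with the ${ZAP_AUTH_PASSWORD} placeholder belongs in the repository. If the app must not be reachable from the runner's network namespace at all, the same layout works with the app bound to 127.0.0.1 only, since the ZAP container, on host networking, still sees it as localhost.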