Integrate ZAP Scan for an authenticated website in Azure DevOps Release pipeline


Sneha Dominic

Jul 8, 2021, 6:38:19 AM7/8/21
to OWASP ZAP User Group
Hi Team,

I have just started learning and using OWASP ZAP scan recently. So, any kind of help is appreciated : )

The requirement I am working on is to perform a DAST scan for a web application. The tool we have planned to use is OWASP ZAP. Our web app is authenticated. Hence, it needs to complete authentication before performing a scan. I have found an extension in the Azure DevOps marketplace to perform a ZAP scan, but very few details on how to automate authentication before running the scan.

Can anyone please guide me on the steps that I can follow to set up a ZAP scan with authentication in an Azure DevOps release pipeline?

Simon Bennetts

Jul 8, 2021, 8:37:44 AM7/8/21
to OWASP ZAP User Group
Do you know how your authentication works?
If not, then you either need to understand it or find an existing implementation which works.

Cheers,

Simon

Sneha Dominic

Jul 8, 2021, 9:21:46 AM7/8/21
to OWASP ZAP User Group

Apologies, I missed mentioning the method of authentication. We use SSO/Okta authentication for the webpage. So, once we hit the URL, it will be redirected to the login page. After successful authentication, the webpage is accessible. Hence, I was looking for steps to do authentication prior to scanning.

"If not then you either need to understand it or find an existing implementation which works" --- For sure I have done a lot of research on the same before asking this question here. But I'm unable to find a sample or similar existing implementation for a beginner to start with. It would be a great help if I could find any reference with any of your help.

Regards,
Sneha

Simon Bennetts

Jul 8, 2021, 9:34:56 AM7/8/21
to OWASP ZAP User Group
You like making your life difficult, don't you? :)
Can you run your app without auth or with a simpler auth in a safe environment?
Or can you generate an authentication token that ZAP could inject into the requests?

Apart from the built-in options, the only implementations we know of are in https://github.com/zaproxy/community-scripts/tree/main/authentication
I can talk you through what you need to do if you want to go for it, but I'm not able to implement and test anything like this myself right now :/

Cheers,

Simon

Sneha

Jul 8, 2021, 11:28:58 AM7/8/21
to OWASP ZAP User Group
Thanks for the suggestions Simon. I'll refer to these.

Similar to the GitHub implementation of auth scripts that you shared, do you have any reference for using an authentication token that ZAP could inject into the requests?

Also, a quick question regarding your comment "Can you run your app without auth" --- Even I was trying the same initially. But the confusion I have is that, while hitting the target URL for the scan, wouldn't it automatically get redirected to the SSO login page? So, will the scan work successfully against the website?
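Simon's token-injection suggestion, as an added example that is not part of this thread and not one of ZAP's own scripts: a pipeline shell step that runs the packaged ZAP Docker scan and injects a session cookie, captured from a test user's SSO login, into every request through ZAP's replacer add-on. The image name, the variable name ZAP_SESSION_COOKIE and the report file name are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: run the packaged ZAP full scan from a
# pipeline step with a session cookie (from a test user's SSO login) injected
# into every request via the "replacer" add-on, configured with -z options.
# Assumptions (not from the thread): the app accepts that cookie as proof of
# authentication, the image is owasp/zap2docker-stable, and the cookie value
# arrives in the secret pipeline variable ZAP_SESSION_COOKIE.
set -eu

# Reject values with whitespace: the packaged scan scripts split the -z string
# on spaces, so a value like "Bearer abc" would be torn apart (hence a cookie).
check_no_whitespace() {
  case "$1" in
    *[[:space:]]*) echo "value must not contain whitespace" >&2; return 1 ;;
    *) return 0 ;;
  esac
}

# One replacer rule: overwrite the Cookie request header on every request
# ZAP sends, so spider and scanner traffic is treated as the logged-in user.
build_replacer_config() {
  cookie="$1"
  check_no_whitespace "$cookie" || return 1
  printf '%s' \
    "-config replacer.full_list(0).description=session-cookie" \
    " -config replacer.full_list(0).enabled=true" \
    " -config replacer.full_list(0).matchtype=REQ_HEADER" \
    " -config replacer.full_list(0).matchstr=Cookie" \
    " -config replacer.full_list(0).regex=false" \
    " -config replacer.full_list(0).replacement=${cookie}"
}

# Run the scan; -r writes an HTML report into the mounted work dir and -I
# keeps the step from failing on warnings (fail on real findings only).
run_scan() {
  target="$1"
  : "${ZAP_SESSION_COOKIE:?set ZAP_SESSION_COOKIE as a secret pipeline variable}"
  docker run --rm -v "$PWD:/zap/wrk:rw" owasp/zap2docker-stable \
    zap-full-scan.py -t "$target" -r zap-report.html -I \
    -z "$(build_replacer_config "$ZAP_SESSION_COOKIE")"
}

# Start a scan only when a target URL is passed, e.g. ./zap_scan.sh https://...
[ "${1:-}" = "" ] || run_scan "$1"
```

The injected cookie is only as good as the SSO session behind it, so the scan has to finish before that session expires, and the cookie must come from a pipeline secret rather than from the YAML.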

Simon Bennetts

Jul 8, 2021, 12:03:21 PM7/8/21
to OWASP ZAP User Group
Replies inline

On Thursday, 8 July 2021 at 17:28:58 UTC+2 Sneha wrote:
Thanks for the suggestions Simon. I'll refer to these.

Similar to the GitHub implementation of auth scripts that you shared, do you have any reference for using an authentication token that ZAP could inject into the requests?

Also, a quick question regarding your comment "Can you run your app without auth" --- Even I was trying the same initially. But the confusion I have is that, while hitting the target URL for the scan, wouldn't it automatically get redirected to the SSO login page? So, will the scan work successfully against the website?

Not if you can disable auth / SSO on your site in a test environment :)
In the past I've been able to launch browsers to authenticate to SSO sites, but some SSO solutions (like Google's?) detect that browsers are controlled by software and reject them :(