Script based authentication automated in gitlab pipeline


Merel Slingenberg

Feb 16, 2024, 5:30:51 AM
to ZAP User Group
Morning,
We are trying to automate ZAP tests in the GitLab CI/CD pipeline. I have a job file that runs baseline tests on a not-logged-in web application. However, we want to run tests on a logged-in application. The application uses SAML2 to log in (so some redirects), and with the finally retrieved session and token, in combination with parameters regarding user information, you are logged in. I tried to automate this using 'script based authentication'. So I have a yml file for the security job, a script (.js file) for the authentication, and a context file where the parameters and URLs are defined.
However, I'm not sure if I am on the right track? There are so many possibilities (or they look like they are possibilities). Besides that question, I'm receiving an internal error on the context file I wrote.

With this login process, how would you automate this in a (GitLab) pipeline?

Simon Bennetts

Feb 16, 2024, 5:49:54 AM
to ZAP User Group
Does your app have a login page?
If so, have you tried the Authentication Tester Dialog?
If that works then it might make your life easier.

The context file is not officially defined anywhere - this is deliberate.
It is an internal format.
If ZAP generates a context file that it cannot read then that's a bug.
If you create a context file that ZAP cannot read then you've made a mistake somewhere :)

The recommended options for automation are listed on https://www.zaproxy.org/docs/automate/
You may well find that the Automation Framework is the best option for you - that is documented.

I have no experience with GitLab pipelines I'm afraid.

Cheers,

Simon

Michael Endrizzi

Feb 17, 2024, 12:48:34 AM
to zaprox...@googlegroups.com
Agree, it is really complex because you cannot see inside of ZAP and all the 3rd party libs it uses.

Not sure it helps, but to get a better inside view I put detailed debugging statements in all the authentication hooks

httpsender
authenticate
sessionmgt

that dumped all the data structures on every call,

and turned on

logger.script=debug
rootLogger.level = debug
logger.zap.level = debug
logger.paros.level = debug

and watched the logs,

and also used the httpsessions and params tab to view cookie and session info.

Then slowly enabled authentication steps 1 at a time to see what happens.

Good Luck!




--
 
Michael Endrizzi
 
"You can't lower the mountain, you can only elevate yourself"

Merel Slingenberg

Feb 21, 2024, 3:31:21 AM
to ZAP User Group
Thank you both! I will try.

Then another question. What is the command for a pipeline job to actually run the baseline scan with the context file? I have tried both:
- zap-baseline.py -n $CI_PROJECT_DIR/pipelines/jobs/zap-auth.yaml -t $baseUrl -g gen.conf -I -r testreport.html
- zap-baseline.py -n $CI_PROJECT_DIR/pipelines/jobs/zap-auth.xml -t $baseUrl -g gen.conf -I -r testreport.html
- zap-baseline.py -c $CI_PROJECT_DIR/pipelines/jobs/zap-auth.yaml -t $baseUrl -g gen.conf -I -r testreport.html
- zap-baseline.py -c $CI_PROJECT_DIR/pipelines/jobs/zap-auth.xml -t $baseUrl -g gen.conf -I -r testreport.html

For the -n I receive an 'internal error'. For the '-c' I receive the error: 'Unexpected number of tokens on line - there should be at least 3, tab separated'.

Can you please tell me if this is the 'right' command? And if not, what it should be?

Kind regards,
Merel

On Saturday, 17 February 2024 at 06:48:34 UTC+1, michael....@gmail.com wrote:
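The '-c' error quoted above comes from the rule-configuration parser, which expects the tab-separated file that `-g gen.conf` writes, not a context file. The following Python is an added, constructed re-implementation of that check (not zap-baseline.py's own code) showing why a context .xml handed to -c fails and why -n is the option for a context file; the rule lines and the context XML are constructed samples.

```python
"""Constructed re-implementation of the rule-config parsing behind
zap-baseline.py's -c option (not the project's own code). The -c file is
the tab-separated format that -g gen.conf writes; a ZAP context file
(.xml) is not that format, which is what the "at least 3, tab separated"
error is pointing at."""

ACTIONS = {"IGNORE", "WARN", "FAIL", "OUTOFSCOPE"}


def parse_baseline_config(text):
    """Return {rule_id: (action, description)} for gen.conf-style text.

    Every non-comment, non-blank line must hold at least three
    tab-separated tokens: <rule id> TAB <action> TAB <description>.
    """
    rules = {}
    for line in text.splitlines():
        if line.startswith("#") or len(line) <= 1:
            continue  # comments and blank lines are skipped
        parts = line.rstrip().split("\t", 2)
        if len(parts) != 3:
            raise ValueError(
                "Unexpected number of tokens on line - there should be "
                "at least 3, tab separated: " + line
            )
        rule_id, action, description = parts
        if action not in ACTIONS:
            raise ValueError(f"Unknown action {action!r} for rule {rule_id}")
        rules[rule_id] = (action, description)
    return rules


def diagnose_config(text):
    """Return "" if the text parses as a -c rule config, otherwise the
    parser error plus a hint when the input is really a context file."""
    try:
        parse_baseline_config(text)
        return ""
    except ValueError as exc:
        head = text.lstrip()[:10].lower()
        if head.startswith("<?xml") or head.startswith("<config"):
            return f"{exc}\nHint: this is a ZAP context file; pass it with -n, not -c"
        return str(exc)


# Constructed sample inputs (rule ids are ZAP passive-scan rule ids).
SAMPLE_GEN_CONF = (
    "# zap-baseline rule configuration (as written by -g gen.conf)\n"
    "10010\tWARN\t(Cookie No HttpOnly Flag)\n"
    "10021\tIGNORE\t(X-Content-Type-Options Header Missing)\n"
)
SAMPLE_CONTEXT_XML = (
    '<?xml version="1.0" encoding="UTF-8" standalone="no"?>\n'
    "<configuration>\n  <context>\n    <name>zap-auth</name>\n"
    "  </context>\n</configuration>\n"
)
```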