Zap Authentication -- Microsoft Single Sign On


KK

Feb 25, 2022, 4:20:47 PM
to OWASP ZAP User Group
Hello,

I don't have too much experience using zap. Are there any tutorials for how to set up zap authentication when the method of authentication is Microsoft Azure Single Sign On? I've seen a few conversation threads, but I haven't found an answer yet.

On my own I'm trying to write an authentication script that will sign in. The script engine is ECMAScript: Oracle Nashorn. I want to then, from the script, access the page element and submit the appropriate input values on each page. It seems like Selenium would be able to do this? Could someone point me in the direction of some tutorials that use Selenium in a zap authentication script, or is there perhaps another option?

Thanks.

Simon Bennetts

Feb 28, 2022, 4:49:43 AM
to OWASP ZAP User Group
Hiya,
If you still need to handle SSO then have a look at this video: https://play.vidyard.com/TMcBcuhyPt57sUqPcJUtpv (which is different to the one I posted in the other thread).
It may well be worth watching all of the auth related videos: search for "auth" in the tags field on https://www.zaproxy.org/videos-list/

Cheers,

Simon

Andrew White

Jul 21, 2022, 2:45:13 PM
to OWASP ZAP User Group
Hello Simon,

I'm faced with the same scenario as the OP. I am not able to "make life easier" and disable auth. I have watched your Juiceshop SSO video several times. Here is what I was able to do thus far:

1.) Wrote/tested a Standalone Script that logs into Microsoft SSO app using Selenium
2.) Wrote Auth / Session Management / Http Sender Scripts + created a new user configured w/ new context, same as you have shown
3.) Attack the URL, same as what you did at 15:17 -- and see the browser open, Selenium log in, then Chrome close. Same as you have shown in the video, a few more browsers open and display a '403 Forbidden ...' message (see 15:51)

Not sure where to go from here. In the video, you conclude by saying that you'll publish the scripts, blog about this, and add documentation for SSO to the website. Unfortunately, I can't find any such resources anywhere... The video doesn't seem to show a working solution either, and my solution leaves off in the exact same non-functional state as yours.

Any help or guidance would be greatly appreciated. Thanks for your time and effort on this project.

-Andrew

Volodymyr Molodets

Dec 15, 2022, 7:30:14 AM
to OWASP ZAP User Group
This might not be 100% relevant, but the guy in this post https://security.stackexchange.com/a/181853/20445 mentions that you have to specify a user in the context settings although it should not be necessary because the user is part of your script. Just type in whatever you want for username and password.

Has anyone had success with that?

Kris

Jan 16, 2023, 2:34:37 AM
to OWASP ZAP User Group
Hi all,

I'm also having trouble getting selenium to work in an authentication script (as described in this conversation: https://groups.google.com/g/zaproxy-users/c/5uWTZim43aw/m/T75YACgDAgAJ).

For me it seems like Selenium simply doesn't work in authentication scripts. Steps I have taken:

1. Wrote a standalone Selenium script that logs into Microsoft SSO, which works fine
2. Wrote an authentication script using Selenium, following the instructions in the video mentioned above
3. Added a user, activated script-based authentication, activated forced user mode
4. Started the AJAX spider
5. One browser is opened (AJAX spider)
6. Authentication script is being called

The authentication function used in the script is:

    function authenticate(helper, paramsValues, credentials) {
        // Look up ZAP's Selenium extension through the extension loader.
        var selenium = org.parosproxy.paros.control.Control.getSingleton()
            .getExtensionLoader()
            .getExtension(org.zaproxy.zap.extension.selenium.ExtensionSelenium.class);
        // Launch a Firefox WebDriver instance that proxies its traffic via ZAP.
        var driver = selenium.getWebDriverProxyingViaZAP(1, 'firefox');
        // ANY_URL_IN_SCOPE is a placeholder for a URL inside the context.
        driver.get(ANY_URL_IN_SCOPE);
    }

7. A browser window is opened which seems to load the defined URL, but nothing happens. It just hangs.
8. Tried several times to solve this, but it always comes down to Selenium not working in the authentication script.

Can anyone help?

Kris

Simon Bennetts

Jan 16, 2023, 4:35:54 AM
to OWASP ZAP User Group
Hi Kris,

I've found out relatively recently that authentication scripts which use browsers must use a dedicated proxy.
I was working on an example script - I'll try to expedite that...

Cheers,

Simon

Kris

Jan 16, 2023, 5:42:34 AM
to OWASP ZAP User Group
Hi Simon,

That would be awesome.

I've also tried to configure an additional proxy port via Options > Network > Local Servers/Proxies and specify that in the script like:

    var driver = selenium.getWebDriver(1, 'firefox', 'localhost', NEW_PORT_NR);

but without achieving a different result.

Highly appreciate your support.

Kris

Simon Bennetts

Jan 19, 2023, 7:25:18 AM
to OWASP ZAP User Group
I have been looking into this.
I now have an authentication script which uses Selenium and works for API type requests :D
The problem I'm having is that it doesn't work for the browser if that maintains session state.
This is a real problem if you need to explore the app using the AJAX spider.
We think we've come up with a solution for that .. but I need to implement and test it :/
More details hopefully soon - I suspect this will deserve a blog post all on its own :)

Cheers,

Simon

Simon Bennetts

Jan 24, 2023, 9:52:38 AM
to OWASP ZAP User Group
Have a look at this PR: https://github.com/zaproxy/community-scripts/pull/297

This was definitely more complicated than I expected!
I think the PR might take a while to review, but it works locally.
I'm also planning on writing a blog post to explain what it does (and why) in more detail.

Cheers,

Simon

Abhishek Jha

Jan 25, 2023, 6:34:42 AM
to OWASP ZAP User Group
Eagerly waiting for the blog post.

Simon Bennetts

Jan 25, 2023, 11:51:57 AM
to OWASP ZAP User Group
It's not been approved yet but it should help you understand the other PR better.
Feedback on either appreciated, here or on the relevant PR :)