Authentication on Docker


Nicollas Teixeira

Aug 11, 2023, 12:08:42 PM
to ZAP User Group
I would like to know if there is any way to authenticate, like using the authentication tester on the GUI, on Docker. I need to automate authentication using Docker and I can't find a way.

psiinon

Aug 11, 2023, 12:12:54 PM
to zaprox...@googlegroups.com
I think the authentication tester should work fine in docker, e.g. using Webswing: https://www.zaproxy.org/docs/docker/webswing/
Are you having problems with it?
If so what problems?

Cheers,

Simon

On Fri, Aug 11, 2023 at 6:08 PM Nicollas Teixeira <nicollas...@gmail.com> wrote:
I would like to know if there is any way to authenticate, like using the authentication tester on the GUI, on Docker. I need to automate authentication using Docker and I can't find a way.

--
You received this message because you are subscribed to the Google Groups "ZAP User Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to zaproxy-user...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/zaproxy-users/5c296929-c741-4e6f-80eb-c1444de22541n%40googlegroups.com.


--
ZAP Project leader

Rian Ramos

Aug 11, 2023, 1:05:22 PM
to ZAP User Group

Do you have an example similar to this one? It extended the ZAP Docker images with a webhook for authentication. For example:

docker run --rm -v $(pwd):/zap/wrk/:rw --net zapnet -t ictu/zap2docker-weekly zap-full-scan.py \
  -t http://$URL \
  -r $NAME-$DATE.html \
  -z "auth.loginurl=http://$URL/login \
      auth.username=$USERNAME \
      auth.password=$PASSWORD \
      auth.auto=1"

Nicollas Teixeira

Aug 11, 2023, 1:12:51 PM
to ZAP User Group
I'm trying to execute a scan from the command line, to run as a step in my pipeline. I need the authentication step to access the authorized pages.

psiinon

Aug 14, 2023, 3:43:27 AM
to zaprox...@googlegroups.com
If the ictu option works for you then you can use that.
In order to use our images you would need to copy their script into the image you use.

For more details on the authentication options ZAP supports see https://www.zaproxy.org/docs/authentication/

Authentication is hard. If a simple solution works for you then great, but if it doesn't then you'll have to delve into the details.

I recommend trying out the Authentication Tester in the ZAP GUI: https://www.zaproxy.org/blog/2023-05-23-authentication-tester/
If that works then your life will be much easier.

Cheers,

Simon



--
ZAP Project leader

Nicollas Teixeira

Aug 14, 2023, 8:22:20 AM
to ZAP User Group
The authentication tester works, but I need to automate my scans with credentials and I need to do that using the OWASP ZAP Docker image. I want to know if there are any parameters to use to authenticate, passing the auth URL, user and password, so that when the scan starts it will authenticate based on my auth URL.

psiinon

Aug 14, 2023, 8:31:34 AM
to zaprox...@googlegroups.com
Understood.
The Authentication Tester is just for testing. Now we know that works, you can use auto-detection in your automated scan.
You can either use the Automation Framework or if you want to keep using the packaged scan then pass in a context using the "-n" parameter.
You should create this context in the ZAP desktop and configure it to use:
  • Browser based authentication
  • The right login URL
  • Auto-detect verification strategy
  • Auto-detect session management
  • Valid user credentials



--
ZAP Project leader

Nicollas Teixeira

Aug 14, 2023, 8:58:54 AM
to ZAP User Group
Okay, I will try to do this in the ZAP interface and export the context to automate. Using browser-based authentication I can't find any field to input my credentials... only the login URL. Will ZAP use the user created in the Users tab?

psiinon

Aug 14, 2023, 9:03:48 AM
to zaprox...@googlegroups.com
Please let us know if we can make that any clearer...



--
ZAP Project leader

Nicollas Teixeira

Aug 14, 2023, 9:19:25 AM
to ZAP User Group
I was trying to execute it in the OWASP ZAP GUI. I'm kinda new to ZAP... sorry for all these questions... this Automation Framework, how can I execute it?

psiinon

Aug 14, 2023, 9:25:02 AM
to zaprox...@googlegroups.com
New to ZAP and straight into the deep end with authentication ;)
The Automation Framework is described in https://www.zaproxy.org/docs/automate/automation-framework/

You may have noticed we try to answer questions by pointing to the docs ;)
We do this very deliberately - we want to get feedback if the docs are not clear as they are the most scalable way of us answering questions.

Cheers,

Simon



--
ZAP Project leader

Nicollas Teixeira

Aug 14, 2023, 11:12:01 AM
to ZAP User Group
I tried with this sample from the docs:
---
env:
  contexts:
  - name: "simple-json"
    urls:
    - "http://localhost:9091/auth/simple-json"
    includePaths:
    - "http://localhost:9091/auth/simple-json.*"
    excludePaths: []
    authentication:
      method: "browser"
      parameters:
        loginPageUrl: "http://localhost:9091/auth/simple-json/"
        loginPageWait: 5
        browserId: "firefox-headless"
      verification:
        method: "autodetect"
    sessionManagement:
      method: "autodetect"
      parameters: {}
    users:
    - name: "test"
      credentials:
        username: "te...@test.com"
        password: "password123"

but it didn't work. I replaced it with my information; it scanned but did not find the URL post-auth.

psiinon

Aug 14, 2023, 11:16:27 AM
to zaprox...@googlegroups.com
We can't diagnose authentication problems as we have no access to your app.
But we can try to help you diagnose them :)

If you can use the ZAP desktop then import the AF plan into the Automation tab and run it from there.

Cheers,

Simon



--
ZAP Project leader

Nicollas Teixeira

Aug 14, 2023, 11:19:45 AM
to ZAP User Group
How can I import the YAML file into the desktop version? Would it be the "Load add-on file" option?

psiinon

Aug 14, 2023, 11:25:23 AM
to zaprox...@googlegroups.com
No. Select the Automation tab and choose the "Load plan..." button.
If the Automation tab is not visible click on the green plus at the end of the tabs in the lower window.



--
ZAP Project leader

Nicollas Teixeira

Aug 14, 2023, 11:42:57 AM
to ZAP User Group

psiinon

Aug 14, 2023, 11:44:47 AM
to zaprox...@googlegroups.com
There's a mistake in your yaml then :)



--
ZAP Project leader

Nicollas Teixeira

Aug 14, 2023, 11:53:56 AM
to ZAP User Group
Captura de tela 2023-08-14 124139.png

psiinon

Aug 14, 2023, 12:00:44 PM
to zaprox...@googlegroups.com
An image of part of your file doesn't really help, I'm afraid.
Have you looked in the zap.log file yet?




--
ZAP Project leader

Nicollas Teixeira

Aug 14, 2023, 1:35:52 PM
to ZAP User Group
Captura de tela 2023-08-14 143122.png
Just this null exception.

thc...@gmail.com

Aug 14, 2023, 2:21:20 PM
to zaprox...@googlegroups.com
It seems the automation plan doesn't have any jobs (e.g. spider)?
https://www.zaproxy.org/docs/desktop/addons/automation-framework/#jobs
https://www.zaproxy.org/docs/desktop/addons/spider/automation/

You'll have to provide at least one job otherwise the plan will not do
any work.

Best regards.
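As an added example (not code from this thread or from the ZAP project), a small pre-flight check that applies the context checklist given earlier in the thread (browser authentication, login URL, autodetect verification and session management, a user with credentials) together with the missing-jobs point from this reply. The plan is the YAML posted above transcribed to a Python dict with constructed placeholder credentials; the `spider` and `passiveScan-wait` job keys follow the Automation Framework docs linked above and are assumed to match your ZAP version.

```python
import copy

PLAN_AS_POSTED = {"env": {"contexts": [{
    "name": "simple-json",
    "urls": ["http://localhost:9091/auth/simple-json"],
    "authentication": {
        "method": "browser",
        "parameters": {"loginPageUrl": "http://localhost:9091/auth/simple-json/",
                       "loginPageWait": 5, "browserId": "firefox-headless"},
        "verification": {"method": "autodetect"}},
    "sessionManagement": {"method": "autodetect", "parameters": {}},
    "users": [{"name": "test", "credentials": {  # constructed placeholder credentials
        "username": "user@example.com", "password": "PLACEHOLDER"}}],
}]}}  # no "jobs" key: the shape that produced the null exception in the thread

def check_plan(plan):
    """Apply the thread's checklist; an empty list means the plan should do work."""
    problems, ctx_names, user_names = [], set(), set()
    for ctx in plan.get("env", {}).get("contexts") or []:
        name = ctx.get("name", "?")
        ctx_names.add(name)
        auth = ctx.get("authentication") or {}
        params = auth.get("parameters") or {}
        if auth.get("method") == "browser" and not params.get("loginPageUrl"):
            problems.append(f"{name}: browser authentication needs loginPageUrl")
        for key in ("verification", "sessionManagement"):  # first lives under auth
            holder = auth if key == "verification" else ctx
            if not (holder.get(key) or {}).get("method"):
                problems.append(f"{name}: no {key} method (autodetect is a sane start)")
        for user in ctx.get("users") or []:
            creds = user.get("credentials") or {}
            if creds.get("username") and creds.get("password"):
                user_names.add(user.get("name"))
            else:
                problems.append(f"{name}: user {user.get('name')} has incomplete credentials")
    jobs = plan.get("jobs") or []
    if not jobs:
        problems.append("plan has no jobs, so it will do no work (add e.g. a spider job)")
    for job in jobs:  # a job naming a context or user must match what env defines
        p = job.get("parameters") or {}
        if p.get("context") and p["context"] not in ctx_names:
            problems.append(f"job {job.get('type')}: unknown context {p['context']}")
        if p.get("user") and p["user"] not in user_names:
            problems.append(f"job {job.get('type')}: unknown user {p['user']}")
    return problems

def with_spider_job(plan, context="simple-json", user="test"):
    fixed = copy.deepcopy(plan)  # return a corrected copy; the original is untouched
    fixed["jobs"] = [
        {"type": "spider", "parameters": {"context": context, "user": user, "maxDuration": 2}},
        {"type": "passiveScan-wait", "parameters": {"maxDuration": 5}}]
    return fixed
```

Run `check_plan` on a plan before loading it into the Automation tab or the Docker image; the corrected copy from `with_spider_job` can be dumped back to YAML with any YAML library.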