ZAP OAuth 2 testing with authentication


Chris99

Jul 6, 2017, 7:23:04 AM
to OWASP ZAP User Group
Hello,

I have recently started using ZAP 2.6 and am trying to use it to test a .NET Web API that uses OAuth 2 bearer tokens for authentication. Having posted a question on Stack Overflow Simon Bennetts suggested I ask here instead.

I am attempting to run a series of tests that log on using a given user, and then run against the other Web API end points using the returned access token in their request headers. I have read Running ZAP against a REST API with Oauth but have not been able to get it working.

I have set up the two scripts as suggested, and then configured my context's session properties. My initial questions are:
  1. What script engine should I select, as I went with ECMAScript and it isn't liking importClass? (I am taking the fact that I get console errors as a good sign that it is running the authentication script)
  2. In the Authentication section I have configured the authentication script and login API URL. For the Logged in regex I have just entered the string "access_token" which is contained in my JSON response. Will this regex match in my response or do I need some additional syntax?
  3. I have configured a user, but I want to have a blank password for my tests, and the Add User dialog insists the password is mandatory. Is there a way around this?

Thanks in advance for any assistance,


Chris



Chris99

Jul 7, 2017, 7:53:18 AM
to OWASP ZAP User Group
Okay, I have made some progress based on the answer here Running ZAP against a REST API with Oauth and can now see that my Authentication Script is successfully logging in and getting a new token. However, the HTTP Sender script doesn't seem to be using it.

In my script I have had to blank out the password as my test user doesn't have one, so that has currently sorted 3) in my original question, but it still seems wrong that this is mandatory.

Without looking at the referenced answer I think I can safely say I would never have made this much progress, so any help would be greatly appreciated.

Chris

Chris99

Jul 10, 2017, 5:00:48 AM
to OWASP ZAP User Group
I have made some more progress since my last post, but would still appreciate any assistance if possible.

The reason for my HTTP Sender script not firing was that it had disabled itself, so that was easily remedied by re-enabling it.

I've now got a couple of questions regarding my context's Authentication settings. The regex logged in message isn't appropriate for an OAuth 2 JSON API, as what tells you you are logged in is having an access token that you can use without generating a 401:
  1. Should I be configuring the regex for script based authentication?
  2. If I don't set something in the regex then my Authentication script never fires. Is this expected behaviour?
  3. My running assumption is that I have to configure something in the regex and handle whether or not to authenticate in the script, wiping out my stored token if I receive a 401.

Cheers,


Chris

thc...@gmail.com

Jul 10, 2017, 5:14:25 AM
to zaprox...@googlegroups.com
Hi.

> 1. Should I be configuring the regex for script based authentication?

Yes, at least one of the logged in/out indicators must be configured,
otherwise ZAP assumes that the message is authenticated. [1]

> 2. If I don't set something in the regex then my Authentication script
> never fires. Is this expected behaviour?

Yes, per above behaviour.

> 3. My running assumption is that I have to configure something in the
> regex and handle whether or not to authenticate in the script, wiping out
> my stored token if I receive a 401.

Correct, if you always get a 401 you can use that as the logged out
indicator. If the script is already generating a token each time it is
called you don't need to change it; ZAP will only call it if a new token
is needed.


[1]
https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsAuthentication

Best regards.


Chris99

Jul 13, 2017, 4:59:54 AM
to OWASP ZAP User Group
Hi,

I have read https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsAuthentication and have now seen where it says at least one must be configured.

I have changed to using the logged out indicator of 401, and tweaked the scripts so that a 401 result clears out my cached token value.

The tests seem to be running more smoothly. Thanks for your help.

Chris
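The setup the thread converges on, written out as an added example (this is not ZAP's own script template and not the poster's scripts): an Authentication script that POSTs a resource-owner-password grant to the token endpoint and caches the returned access_token in a ZAP global script variable, and an HTTP Sender script that adds the cached token as a Bearer header and clears the cache on any 401, which is the logged out indicator configured in the context. Both halves are shown in one file for reading; in ZAP they are two separate scripts (types "Authentication" and "HTTP Sender") and the shared helpers are copied into each. The parameter names tokenUrl and clientId, the password grant, the use of ScriptVars as the cache and the JSON shape of the token response are assumptions, not something the thread specifies. Because ZAP 2.6 runs scripts on the Nashorn engine, the example uses Java.type rather than the Rhino-only importClass the first post tripped over; when the file is run stand-alone under Node the Java-backed store is replaced by an in-memory object so the helpers can be exercised with constructed input.

```javascript
// Added example: the two ZAP scripts discussed in the thread in one file.
// Runs under ZAP's Nashorn engine (Java.type replaces Rhino's importClass)
// and stand-alone under Node, where the ZAP store below is swapped for a
// plain object so the pure helpers can be tested. Param names, grant type
// and response shape are assumptions, not ZAP's or the poster's.

var TOKEN_VAR = "oauth2_access_token"; // name of the shared ZAP script variable

// Token cache: ZAP's global ScriptVars inside ZAP, an in-memory object elsewhere.
var store = (typeof Java !== "undefined")
  ? Java.type("org.zaproxy.zap.extension.script.ScriptVars")
  : (function () {
      var vars = {};
      return {
        getGlobalVar: function (name) { return vars.hasOwnProperty(name) ? vars[name] : null; },
        // Mirrors ScriptVars: setting a variable to null removes it.
        setGlobalVar: function (name, value) {
          if (value === null) { delete vars[name]; } else { vars[name] = value; }
        }
      };
    })();

// Body of an OAuth 2 password grant. An empty password is sent as "password="
// so a test user without one (as in the thread) still works.
function buildPasswordGrantBody(username, password, clientId) {
  return "grant_type=password" +
    "&username=" + encodeURIComponent(username) +
    "&password=" + encodeURIComponent(password) +
    "&client_id=" + encodeURIComponent(clientId);
}

// Pull access_token out of the token endpoint's JSON; null if absent or not JSON.
function extractAccessToken(responseBody) {
  try {
    var json = JSON.parse(responseBody);
    return (typeof json.access_token === "string") ? json.access_token : null;
  } catch (e) {
    return null;
  }
}

// Value for the Authorization header, or null when no token is cached.
function authorizationHeader() {
  var token = store.getGlobalVar(TOKEN_VAR);
  return token === null ? null : "Bearer " + token;
}

// 401 is the logged out indicator: drop the cached token so ZAP's next call
// to authenticate() fetches a fresh one. Returns true when the cache was cleared.
function handleStatus(statusCode) {
  if (statusCode === 401) {
    store.setGlobalVar(TOKEN_VAR, null);
    return true;
  }
  return false;
}

/* ---------- Authentication script half (ZAP script type "Authentication") ---- */
function getRequiredParamsNames() { return ["tokenUrl", "clientId"]; } // assumed names
function getOptionalParamsNames() { return []; }
function getCredentialsParamsNames() { return ["username", "password"]; }

function authenticate(helper, paramsValues, credentials) {
  var HttpRequestHeader = Java.type("org.parosproxy.paros.network.HttpRequestHeader");
  var URI = Java.type("org.apache.commons.httpclient.URI");
  var msg = helper.prepareMessage();
  msg.setRequestHeader(new HttpRequestHeader(HttpRequestHeader.POST,
    new URI(paramsValues.get("tokenUrl"), false), HttpRequestHeader.HTTP11));
  msg.getRequestHeader().setHeader("Content-Type", "application/x-www-form-urlencoded");
  msg.setRequestBody(buildPasswordGrantBody(credentials.getParam("username"),
    credentials.getParam("password"), paramsValues.get("clientId")));
  msg.getRequestHeader().setContentLength(msg.getRequestBody().length());
  helper.sendAndReceive(msg);
  var token = extractAccessToken(msg.getResponseBody().toString());
  if (token !== null) { store.setGlobalVar(TOKEN_VAR, token); }
  return msg; // ZAP checks this response against the logged in/out indicators
}

/* ---------- HTTP Sender script half (ZAP script type "HTTP Sender") ---------- */
function sendingRequest(msg, initiator, helper) {
  var HttpSender = Java.type("org.parosproxy.paros.network.HttpSender");
  if (initiator == HttpSender.AUTHENTICATION_INITIATOR) { return; } // leave the login call alone
  var header = authorizationHeader();
  if (header !== null) { msg.getRequestHeader().setHeader("Authorization", header); }
}

function responseReceived(msg, initiator, helper) {
  handleStatus(msg.getResponseHeader().getStatusCode());
}
```

Keeping the cache in a ZAP global variable rather than a script-local one is what lets the two scripts share the token, and clearing it on 401 is what makes the logged out indicator effective: ZAP re-runs authenticate() only when it believes the session is gone, so a stale token that is never cleared would keep being sent.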