ZAP Authentication with SSO using Authentication Script


Phùng Quang Trường

Sep 26, 2023, 11:42:02 PM
to ZAP User Group
Our company uses many APIs that must be authenticated via SSO. The authentication flow should be:
1. User logs in to the SSO page of the web app
2. User gets cookies stored
3. Inside the web app there are some APIs that use cookies for authentication.

We want to scan the API separately from the web app, and we found that we can use Selenium to guide the browser through each step to log in and get the cookies. But we are not sure that we can write a Selenium script inside an Authentication Script. Do you guys have any guideline for this part?

Ruxun Wagn

Sep 27, 2023, 12:27:27 AM
to ZAP User Group
I have the same question.

Simon Bennetts

Sep 27, 2023, 4:21:51 AM
to ZAP User Group
Your best option would be to use Browser Based Authentication and auto-detection, if it works.
And if it doesn't, then we want to know the details :)


Cheers,

Simon

Phùng Quang Trường

Sep 27, 2023, 7:00:22 AM
to ZAP User Group
We use the Automation Framework to automate API scanning. For other, normal APIs we create a folder for each API (auth.js for a normal POST login, sender.js to set the API key, request.har to import the request history, and template.yaml) to automate the scanning process. For those that log in with an SSO request, if we use Browser Based Authentication and auto-detection, does it work in the Automation Framework?
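As an added illustration (not code from this thread or from the ZAP project) of what Simon's suggestion looks like inside an Automation Framework plan: one context whose authentication uses the browser-based method, with session management and verification both left to auto-detection, plus the HAR import, spider and active scan run as that user. The URLs, file paths and credentials are placeholders, and the key names are assumed to match the Automation Framework environment and job documentation; check them against the docs for the ZAP version in use.

```yaml
# Added example plan, not from the thread or the ZAP project.
# Placeholders: https://app.example.test, /tmp paths, user name, password.
# Key names are assumed to follow the Automation Framework docs; verify them.
env:
  contexts:
    - name: "sso-api"
      urls:
        - "https://app.example.test"
      includePaths:
        - "https://app.example.test/api/.*"
      authentication:
        # Browser-based: ZAP drives a real browser through the SSO login page
        # and keeps whatever cookies the app sets, instead of replaying one POST.
        method: "browser"
        parameters:
          loginPageUrl: "https://app.example.test/login"
          loginPageWait: 5            # seconds to allow SSO redirects to settle
          browserId: "firefox-headless"
        verification:
          # Let ZAP work out how to tell logged-in from logged-out responses.
          method: "autodetect"
      sessionManagement:
        # Auto-detect picks up the session cookies the SSO flow produced.
        method: "autodetect"
      users:
        - name: "api-user"
          credentials:
            username: "PLACEHOLDER_USER"
            password: "PLACEHOLDER_PASSWORD"
  parameters:
    failOnError: true
    failOnWarning: false
    progressToStdout: true

jobs:
  - type: "import"                    # seed the history from the recorded HAR
    parameters:
      type: "har"
      fileName: "/tmp/request.har"
  - type: "spider"
    parameters:
      context: "sso-api"
      user: "api-user"                # crawl as the authenticated user
  - type: "activeScan"
    parameters:
      context: "sso-api"
      user: "api-user"
  - type: "report"
    parameters:
      template: "traditional-json"
      reportDir: "/tmp/zap-reports"
      reportFile: "sso-api-scan"
```

Run it headlessly with `zap.sh -cmd -autorun plan.yaml`; if the login page needs steps the browser-based method cannot drive on its own, that is the "doesn't work" case Simon asks to hear the details of.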

Simon Bennetts

Sep 27, 2023, 7:07:13 AM
to ZAP User Group