Hi,
In order to access an app functionality that is using single sign-on, I have to log in to Microsoft, and after that some SAML/OAuth negotiations take place. I've managed to use context.storage_state() from Playwright (an alternative to Selenium) in order to save all authentication/authorization cookies, so I'm able to restart a Python script without the need to re-authenticate to Microsoft or the Service Provider.
I was wondering if ZAP could recognize this JSON file generated by Playwright, load all the cookies and session storage present in that file (the pre-authenticated state), and inject them into the session without having to instruct ZAP on how to handle it.
In some SAML implementations I have found issues with broken redirects when trying to get ZAP to correctly do the SSO, mostly because the redirection implies executing JavaScript to do some kind of CSRF check.
What I have found different from Burp is that in Burp you can tell it to bypass URLs that are related to SAML authentication (this could also be a useful functionality to add).
Cheers
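As an added example (not code from the poster or from the ZAP project), the block below shows what a loader for Playwright's `storage_state()` file has to get right before the saved cookies can be replayed by a proxy: the file is plain JSON with a `cookies` list and a per-origin `origins` list holding `localStorage`, and a cookie may only be attached to a request when its domain (host-only vs. leading-dot domain cookie), path, `Secure` flag and expiry all match, which is exactly where hand-copying an IdP cookie onto the wrong host or an expired token goes wrong. The sample state, hostnames and values are constructed placeholders; the selection rules follow RFC 6265.

```python
import json
import time
from urllib.parse import urlsplit

# Constructed sample in the layout Playwright's context.storage_state() writes
# (cookies + per-origin localStorage). Values and hosts are placeholders.
SAMPLE_STORAGE_STATE = json.dumps({
    "cookies": [
        {"name": "ESTSAUTH", "value": "placeholder-idp-token",
         "domain": "login.microsoftonline.com", "path": "/", "expires": -1,
         "httpOnly": True, "secure": True, "sameSite": "None"},
        {"name": "session", "value": "placeholder-sp-session",
         "domain": ".app.example.com", "path": "/", "expires": 4102444800,
         "httpOnly": True, "secure": True, "sameSite": "Lax"},
        {"name": "admin_ui", "value": "placeholder-admin",
         "domain": "app.example.com", "path": "/admin", "expires": 4102444800,
         "httpOnly": False, "secure": True, "sameSite": "Lax"},
        {"name": "stale", "value": "placeholder-expired",
         "domain": "app.example.com", "path": "/", "expires": 1000000000,
         "httpOnly": True, "secure": True, "sameSite": "Lax"},
    ],
    "origins": [
        {"origin": "https://app.example.com",
         "localStorage": [{"name": "msal.idtoken", "value": "placeholder-id-token"}]},
    ],
})


def load_storage_state(text):
    """Parse storage_state JSON and return the dict (cookies + origins)."""
    state = json.loads(text)
    state.setdefault("cookies", [])
    state.setdefault("origins", [])
    return state


def domain_matches(cookie_domain, host):
    """RFC 6265 domain matching: a leading dot marks a domain cookie that also
    covers subdomains; without it the cookie is host-only (exact match)."""
    cookie_domain = cookie_domain.lower()
    host = host.lower()
    if cookie_domain.startswith("."):
        suffix = cookie_domain[1:]
        return host == suffix or host.endswith("." + suffix)
    return host == cookie_domain


def path_matches(cookie_path, request_path):
    """RFC 6265 section 5.1.4 path matching ("/admin" must not cover "/administrator")."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def cookies_for_url(state, url, now=None):
    """Select the stored cookies a browser would attach to a request for url,
    honouring domain, path, Secure and expiry; expires == -1 is a session cookie."""
    now = time.time() if now is None else now
    parts = urlsplit(url)
    host = parts.hostname or ""
    path = parts.path or "/"
    selected = []
    for c in state["cookies"]:
        if c.get("secure") and parts.scheme != "https":
            continue  # Secure cookies never travel over plain http
        expires = c.get("expires", -1)
        if expires not in (-1, None) and expires <= now:
            continue  # expired: replaying it would only produce auth failures
        if not domain_matches(c["domain"], host):
            continue
        if not path_matches(c.get("path", "/"), path):
            continue
        selected.append(c)
    # More specific (longer) paths first, as RFC 6265 requires in the header
    selected.sort(key=lambda c: len(c.get("path", "/")), reverse=True)
    return [(c["name"], c["value"]) for c in selected]


def cookie_header(state, url, now=None):
    """Build the Cookie request header value for url from the saved state."""
    return "; ".join(f"{n}={v}" for n, v in cookies_for_url(state, url, now))


def local_storage_for_origin(state, origin):
    """Return the localStorage entries saved for an origin as a dict."""
    for o in state["origins"]:
        if o.get("origin") == origin:
            return {e["name"]: e["value"] for e in o.get("localStorage", [])}
    return {}


if __name__ == "__main__":
    st = load_storage_state(SAMPLE_STORAGE_STATE)
    print(cookie_header(st, "https://app.example.com/admin/users"))
    print(local_storage_for_origin(st, "https://app.example.com"))
```

The point of separating `cookies_for_url` from any particular proxy is that the same selection logic applies whether the result is written into a proxy's cookie jar, set as a session token, or injected as a `Cookie` header by a request-rewriting script: the IdP cookie stays on the IdP host, the service-provider cookie stays on the application host, and nothing expired or `Secure`-over-http is replayed. The `localStorage` entries are a separate concern, since they are only visible to JavaScript running in the origin and a proxy cannot inject them into requests.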