Authenticated Scan with OAuth


Soham Shah

Jul 12, 2023, 4:19:51 PM
to OWASP ZAP User Group
Hi,

I am trying to run an authenticated scan. The website returns an access token after the first time that I log in to the website using a username and password. The access token is then required for all other requests made afterwards. I was able to set up the initial authentication using the login credentials (username and password), but when I ran an active scan, all the requests were coming back as 401 Unauthorized since the requests weren't getting the auth token. How do I set up authenticated scans for the described flow in the Desktop GUI and in a Python script? Also, is there a way to deal with expired access tokens if the scan takes longer than the access token lasts, or will ZAP handle that?

I've been struggling with this issue for some time, please advise!

Thank You

psiinon

Jul 13, 2023, 4:07:15 AM
to zaprox...@googlegroups.com
Try using the new Authentication Tester Dialog: https://www.zaproxy.org/blog/2023-05-23-authentication-tester/
If that works then your life will be so much easier... and if it doesn't then it should collect enough sanitized diagnostics for us to fix it for you.

Cheers,

Simon



--
OWASP ZAP Project leader

Soham Shah

Jul 13, 2023, 8:57:29 AM
to OWASP ZAP User Group
I used the new Authentication Tester Dialog and it worked: it was able to pick up and do the initial authentication on the login URL I provided. However, when I ran an active scan, each request was coming back as unauthorized because, I'm assuming, the requests weren't being sent with the access token. Is there a way to set it up in the GUI such that once an access token is retrieved, all subsequent scans run with that access token?

psiinon

Jul 13, 2023, 9:01:51 AM
to zaprox...@googlegroups.com
How did you run the active scan?
Which options did you use?

If you run an authenticated ZAP scan then yes, ZAP will reuse the relevant tokens, and get them regenerated if they stop working.

Cheers,

Simon

Soham Shah

Jul 13, 2023, 9:05:33 AM
to OWASP ZAP User Group
I just right-clicked and ran an active scan, with the basic parameters and config options already set. What options do I need to change to run an authenticated ZAP active scan?

psiinon

Jul 13, 2023, 9:11:06 AM
to zaprox...@googlegroups.com
You need to have configured the context - either as it was left after the Authentication Tester has run, or with the Authentication Method set to Browser Based, the rest set to Auto Detect and the user creds set.
Then when you run the Active Scan you need to select the context and select the user.

Is that what you have done?

Cheers,

Simon

Soham Shah

Jul 13, 2023, 9:16:41 AM
to OWASP ZAP User Group
Yes, I have set the Authentication Method to Browser Based and configured a context and the user, and then when I ran the active scan, I selected the context and user to run. However, requests are coming back as 401.

Also, on a side note, does the Python SDK support Browser Based Authentication? The end goal for me is to transfer this authenticated active scanning workflow to a Python script. Is there another way we need to configure OAuth based authentication using the Python library?

psiinon

Jul 13, 2023, 9:21:02 AM
to zaprox...@googlegroups.com
OK, debug time...

Start a new ZAP session and use the Authentication Tester dialog again.
Have a look at the context to see which verification URL ZAP has identified.
Then look for the last request to that URL in the History tab.
Does it look like a reasonable URL to use, and does it look like the response indicates it was authenticated?

Cheers,

Simon

Soham Shah

Jul 13, 2023, 9:23:27 AM
to OWASP ZAP User Group
Okay, let me give it a go! Thanks!

How do we go about transferring this work into Python - does it support browser based auth?
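As an added example (not written by anyone in this thread), here is the context setup Simon describes, done through the ZAP Python API (python-owasp-zap-v2.4) instead of the GUI: a context scoped to the target, Browser Based authentication, session management left on Auto Detect, a user with credentials, and an Active Scan started for that context and user. Assumptions: the method names `browserBasedAuthentication` and `autoDetectSessionManagement` are those of the ZAP authentication-helper add-on, and the URLs, API key and credentials are placeholders.

```python
import re
import time
from urllib.parse import urlencode

def auth_params(login_url: str, wait_seconds: int = 5) -> str:
    """ZAP takes auth-method config as a URL-encoded key=value string."""
    return urlencode({"loginPageUrl": login_url, "loginPageWait": wait_seconds})

def cred_params(username: str, password: str) -> str:
    """Credential parameters for a context user, same encoding as above."""
    return urlencode({"username": username, "password": password})

def run_authenticated_scan(zap, target: str, login_url: str, username: str,
                           password: str, context_name: str = "oauth-app",
                           poll: float = 5.0) -> str:
    """Configure a context the way the GUI steps above do, then active-scan
    as that user. `zap` is a zapv2.ZAPv2 client; returns the scan id."""
    ctx_id = zap.context.new_context(context_name)
    # Only in-scope requests get the session token injected; escape the
    # target so dots in the host name are not treated as regex wildcards.
    zap.context.include_in_context(context_name, re.escape(target) + ".*")
    # Authentication Method: Browser Based (method name assumed, see lead-in).
    zap.authentication.set_authentication_method(
        ctx_id, "browserBasedAuthentication", auth_params(login_url))
    # "The rest set to Auto Detect": ZAP works out how the token is carried.
    zap.sessionManagement.set_session_management_method(
        ctx_id, "autoDetectSessionManagement", None)
    user_id = zap.users.new_user(ctx_id, username)
    zap.users.set_authentication_credentials(
        ctx_id, user_id, cred_params(username, password))
    zap.users.set_user_enabled(ctx_id, user_id, "true")
    # Same as selecting the context and the user in the Active Scan dialog;
    # a plain ascan.scan() would run unauthenticated and come back as 401s.
    scan_id = zap.ascan.scan_as_user(target, ctx_id, user_id, recurse=True)
    while int(zap.ascan.status(scan_id)) < 100:
        time.sleep(poll)
    return scan_id

if __name__ == "__main__":
    from zapv2 import ZAPv2  # pip install python-owasp-zap-v2.4
    proxy = "http://127.0.0.1:8080"  # ZAP's local API/proxy port
    client = ZAPv2(apikey="ZAP-API-KEY-PLACEHOLDER",
                   proxies={"http": proxy, "https": proxy})
    sid = run_authenticated_scan(client, "https://app.example.test/",
                                 "https://app.example.test/login",
                                 "scan-user", "PASSWORD-PLACEHOLDER")
    print("scan", sid, "done;", len(client.core.alerts()), "alerts")
```

If requests still come back 401, check the History tab for the verification URL as suggested above before changing the script; the token injection depends on the target matching the context's include regex.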