Okta token Authentication scan automation help


naya...@gmail.com

Jul 28, 2021, 1:56:59 PM
to OWASP ZAP User Group
Hi guys,

Ran into a small road block. Any help would be appreciated.

1. What I am trying to achieve :
I have a web application that uses Okta for sign in. 
Once a user enters their Okta creds, Okta generates a session token which is sent to my application, which responds with the application session token in the response body.
I want to extract this token and ask ZAP to use this to run authenticated scans.
Now this session token needs to be sent as a request header.

2. What I currently have :
I wrote an ECMA script to replicate the Okta login flow. This ECMA script is being used as an Authentication script for my context.
I am able to make a call to the application with the Okta token and I get a valid application session token in response body.
So now I have the session token that ZAP needs to send (as auth header) to run authenticated scans. 

3. Road block :
Now I am stuck coz I don't know how I need to ask ZAP to use that session token to run authenticated scans.
Do I need to configure it in the context?
How do I pass the token from my ECMA script to the context? like what needs to be returned?

Any follow up questions are welcome.

Issac Holguin

Jul 28, 2021, 7:47:39 PM
to OWASP ZAP User Group
I had the same issue a while back, handling anything okta related is really really complex, replicating the flow for session token must have been a research project, I know it was for me.

What I ended up doing was writing a standalone Selenium script to control the browser and log in with my test user through Okta. After I logged in, I would set the last authentication session as my Active Session. Once you've done that, you can basically spider the application as an authenticated user without having to manually inject any header information yourself. This saves a headache in case Okta decides to change anything on their end with their authentication flow: you don't have to go and tweak the script that gets that session token.

Hope that helps, Okta and ZAP integration is really a headache...

naya...@gmail.com

Jul 28, 2021, 8:11:23 PM
to OWASP ZAP User Group
Hey thanks for the reply!

That's a really good solution, but I already have the authentication script ready and am able to extract the session token as well. The Selenium solution won't work for me as my implementation is a tad bit different. I already have a recorded session with the endpoints to scan in it. I just have to create a context, include the endpoints in the context, add the authentication script and run an active scan on the context. I don't want to spider the website and scan all endpoints.

Issac Holguin

Jul 28, 2021, 8:34:17 PM
to OWASP ZAP User Group
Got it, to help answer #1, I would try to use the HttpSender, and add it to every outgoing request if it matches the URL you're looking for.

Raj Dev

Jul 29, 2021, 8:07:43 PM
to OWASP ZAP User Group
hi

naya...@gmail.com

Jul 30, 2021, 12:46:46 PM
to OWASP ZAP User Group
Any simpler solution? I know configuring HTTP Authentication Session Management in the Session management section of the context uses auth header for authentication and is already fully configured. So I am not too worried about auth via header (fingers crossed). The only part I am unable to find in docs/understand is what does my ECMA script need to give this context for it to use the session token? For instance in case of ZEST script you just record the login flow and use it as an authentication script and the context somehow knows what token to use as the session token. Similarly I want to configure my script to pass the parameters necessary for the context to recognize the session token. 

naya...@gmail.com

Aug 4, 2021, 12:40:49 PM
to OWASP ZAP User Group
Hi guys, 

Does anyone know how I could configure my script or context to use the token to perform authenticated scans? I could provide my script if that helps.

Just to reiterate, my authentication script is able to fetch a valid token. Just need to know a way to make my context use that token in active scans.

Thanks in advance!

Simon Bennetts

Aug 5, 2021, 3:06:46 AM
to OWASP ZAP User Group
For a really simple solution you can just put your session token in an env var called ZAP_AUTH_HEADER_VALUE before starting ZAP :)
You do not need to define a context or anything else like that if you use envvars in this way.

Cheers,

Simon

naya...@gmail.com

Aug 5, 2021, 12:10:45 PM
to OWASP ZAP User Group
oh that's pretty cool. But my session will get deactivated more than once in the middle of the scan and that value would have to be reassigned. How can I accomplish that without assigning an authentication script to the context and setting a logged out indicator?

Simon Bennetts

Aug 6, 2021, 3:27:26 AM
to OWASP ZAP User Group
That's the problem with managing your own tokens :)
The envvar option is the easiest but can't cope if you need to change the token.
You can write an HttpSender script which injects the token, detects it is invalid and regenerates it, or you can configure ZAP to understand your app's authentication and session handling and then ZAP will handle it all for you.
If you can think of any other options we could provide then please let us know :)

Cheers,

Simon
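The HttpSender approach Simon describes, as an added example (not code from this thread or from the ZAP project): a ZAP HttpSender script that injects a self-managed application token into requests to the target host and forgets the token when the application rejects it, so the next request picks up a fresh one. It assumes the token travels as `Authorization: Bearer <token>`, that the app answers 401 to an expired token, and that `refreshToken()` stands in for the Okta login flow the original poster already scripted. `sendingRequest`/`responseReceived` are ZAP's HttpSender script entry points, and the `msg` methods used (`getRequestHeader().getURI().getHost()`, `setHeader()`, `getResponseHeader().getStatusCode()`) are ZAP's HttpMessage API; the `fakeMessage` and `simulate` helpers are constructed only so the script can be exercised outside ZAP.

```javascript
// Added example: ZAP HttpSender script that manages its own app token.
// Assumptions (not from the thread): Bearer token in the Authorization
// header, 401 = token expired, refreshToken() replaces the real Okta flow.

var TARGET_HOST = "app.example.test";   // constructed placeholder host
var AUTH_HEADER = "Authorization";

// Script-level state persists between calls while the script is loaded.
var state = { token: null, refreshes: 0 };

// Hypothetical stand-in: in practice this replays the Okta flow and
// returns the application session token from the final response body.
function refreshToken() {
  state.refreshes += 1;
  return "app-token-" + state.refreshes;   // constructed value
}

function isTarget(msg) {
  return msg.getRequestHeader().getURI().getHost() === TARGET_HOST;
}

// Called by ZAP before each request leaves the proxy.
function sendingRequest(msg, initiator, helper) {
  if (!isTarget(msg)) return;
  if (state.token === null) state.token = refreshToken();
  msg.getRequestHeader().setHeader(AUTH_HEADER, "Bearer " + state.token);
}

// Called by ZAP after each response arrives. A 401 means the token was
// rejected; forgetting it here makes the next request re-authenticate.
// The rejected request itself is not retried, so the scanner still sees
// that one 401.
function responseReceived(msg, initiator, helper) {
  if (!isTarget(msg)) return;
  if (msg.getResponseHeader().getStatusCode() === 401) {
    state.token = null;
  }
}

// Constructed stand-in for ZAP's HttpMessage so the script can be
// exercised outside ZAP; inside ZAP the real object is passed in.
function fakeMessage(host, statusCode) {
  var headers = {};
  return {
    getRequestHeader: function () {
      return {
        getURI: function () { return { getHost: function () { return host; } }; },
        setHeader: function (name, value) { headers[name] = value; },
        getHeader: function (name) { return name in headers ? headers[name] : null; }
      };
    },
    getResponseHeader: function () {
      return { getStatusCode: function () { return statusCode; } };
    }
  };
}

// Walk one request through both hooks and report the header it carried.
function simulate(host, statusCode) {
  var msg = fakeMessage(host, statusCode);
  sendingRequest(msg, 0, null);
  responseReceived(msg, 0, null);
  return msg.getRequestHeader().getHeader(AUTH_HEADER);
}
```

Because the refresh happens on the request after the rejection, a scan rule that fires on the 401 will report it; if that matters, pair this with a context whose "logged out" indicator is set, or refresh proactively before the token's known lifetime elapses.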

naya...@gmail.com

Aug 6, 2021, 12:26:36 PM
to OWASP ZAP User Group
Hi Simon, 

I like the idea of configuring ZAP and letting it handle the session. 
One quick question and I think this would solve my problem, hopefully! 
So when using ZEST script for authentication, we record the authentication flow which is nothing but a set of requests in the correct order. 
Now I add that ZEST script as an authentication script to a context and it automatically executes that script every time it encounters an invalid session.
Now my question is, what exactly is the ZEST script giving/returning to the context for it to know the valid session token? Is it returning the entire response to the final request, or just the token?
Coz basically what I did is replicate the ZEST login flow in an ECMA script for the ease of using and passing unique variables to subsequent requests in the Okta flow (e.g. Okta key, nonce etc).
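As an added illustration (not part of this thread, and not ZAP's own template code) of how an ECMAScript authentication script and a script-based session management script fit together in ZAP: `authenticate()` returns the final HttpMessage of the login flow, ZAP passes that message to the context's session management method, which in the script-based case calls `extractWebSession()` to pull out and store the token, and later `processMessageToMatchSession()` on every request in the context to add it back. The function names follow ZAP's script templates; the JSON body shape `{"sessionToken": "..."}`, the `Authorization: Bearer <token>` header format and the `fake*` objects are constructed assumptions so the flow can run outside ZAP. In ZAP the two scripts live in separate files, each with its own `getRequiredParamsNames()`/`getOptionalParamsNames()`; here only the authentication script's copy is shown to avoid redefining it.

```javascript
// Added example: authentication script + script-based session management
// script, wired together with constructed stand-ins for ZAP's objects.

var TOKEN_KEY = "appSessionToken";   // key under which ZAP keeps the token
var AUTH_HEADER = "Authorization";

// ---- Authentication script (ZAP script type: Authentication) ----
// helper.prepareMessage() and helper.sendAndReceive() are ZAP's helper
// methods. The recorded Okta steps (primary auth, session token, redirect
// back to the app) would be replayed here as one message each; only the
// last message, whose response carries the app token, is returned.
function authenticate(helper, paramsValues, credentials) {
  var msg = helper.prepareMessage();
  helper.sendAndReceive(msg);
  return msg;   // ZAP hands this message to the session management method
}
function getRequiredParamsNames() { return ["loginUrl"]; }
function getOptionalParamsNames() { return []; }
function getCredentialsParamsNames() { return ["username", "password"]; }

// ---- Session management script (ZAP script type: Session Management) ----
function parseSessionToken(body) {
  // Constructed response shape: {"sessionToken": "..."}; null if absent.
  try {
    var obj = JSON.parse(body);
    return (typeof obj.sessionToken === "string" && obj.sessionToken !== "")
      ? obj.sessionToken : null;
  } catch (e) {
    return null;
  }
}
function extractWebSession(sessionWrapper) {
  var body = sessionWrapper.getHttpMessage().getResponseBody().toString();
  var token = parseSessionToken(body);
  if (token !== null) sessionWrapper.getSession().setValue(TOKEN_KEY, token);
}
function clearWebSessionIdentifiers(sessionWrapper) {
  // Setting a header to null removes it from a ZAP HttpHeader.
  sessionWrapper.getHttpMessage().getRequestHeader().setHeader(AUTH_HEADER, null);
}
function processMessageToMatchSession(sessionWrapper) {
  var token = sessionWrapper.getSession().getValue(TOKEN_KEY);
  if (token !== null) {
    sessionWrapper.getHttpMessage().getRequestHeader()
      .setHeader(AUTH_HEADER, "Bearer " + token);
  }
}

// ---- Constructed stand-ins for ZAP objects so the flow runs outside ZAP ----
function fakeMessage(responseBody) {
  var headers = {}, body = responseBody;
  return {
    getRequestHeader: function () {
      return {
        setHeader: function (n, v) { if (v === null) delete headers[n]; else headers[n] = v; },
        getHeader: function (n) { return n in headers ? headers[n] : null; }
      };
    },
    getResponseBody: function () { return { toString: function () { return body; } }; },
    setResponseBody: function (b) { body = b; }
  };
}
function fakeHelper(cannedResponseBody) {
  return {
    prepareMessage: function () { return fakeMessage(""); },
    sendAndReceive: function (msg) { msg.setResponseBody(cannedResponseBody); }
  };
}
function fakeSession() {
  var values = {};
  return {
    setValue: function (k, v) { values[k] = v; },
    getValue: function (k) { return k in values ? values[k] : null; }
  };
}
function fakeSessionWrapper(msg, session) {
  return { getHttpMessage: function () { return msg; }, getSession: function () { return session; } };
}

// End to end: log in, let ZAP-style extraction store the token, then apply
// it to a later request the way the scanner would.
function runLoginAndExtract() {
  var session = fakeSession();
  var helper = fakeHelper('{"sessionToken":"app-token-123","user":"tester"}'); // constructed
  var loginMsg = authenticate(helper, null, null);
  extractWebSession(fakeSessionWrapper(loginMsg, session));
  var nextMsg = fakeMessage("");
  processMessageToMatchSession(fakeSessionWrapper(nextMsg, session));
  return nextMsg.getRequestHeader().getHeader(AUTH_HEADER);
}
```

The point for the question above: the authentication script does not return the token itself, it returns the last message, and it is the session management side that knows where in that message the token lives and how to replay it. With a "logged out" indicator set on the context, ZAP re-runs `authenticate()` and the extraction whenever the indicator matches.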

naya...@gmail.com

Aug 11, 2021, 12:45:21 PM
to OWASP ZAP User Group
Hi, any suggestions on this?

Angeline Kanimalar

Jan 18, 2022, 7:12:48 PM
to OWASP ZAP User Group
Hi, I am in the same boat and a newbie to OWASP ZAP. I am using a Java web application with Okta integration. I would like to scan my application with ZAP, but I am not getting the Okta login page. I am using the authorization flow to get the Okta login page in the application. I am not sure how to do it with an ECMA script. Please help.


Simon Bennetts

Jan 19, 2022, 4:18:45 AM
to OWASP ZAP User Group
Pro tip - if you can test your app without using SSO like Okta then do so - see https://www.zaproxy.org/docs/authentication/make-your-life-easier/

If you need to handle SSO then right now you're going to have to put some work in :/
You will need to understand every part of the authentication flow and handle it in scripts that you write.
If anyone else has any advice on handling Okta then please share it - it's not something I've needed to do.

Cheers,

Simon

Angeline Kanimalar

Jan 19, 2022, 6:10:47 PM
to OWASP ZAP User Group
Thanks Simon for the response. My application is navigating to the Okta login page as expected, but I am not seeing it fully.
I saw that I am getting the below error and am not sure if this is why I am not seeing the login form on the Okta login page.

Access to script at 'https://op3static.oktacdn.com/assets/js/mvc/loginpage/initLoginPage.pack.103f0a08c8f9401f5a348e6d81b34c6a.js' from origin 'https://xxx.oktapreview.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

I tried to set it up as attached in the Replacer option, but it didn't solve the issue. Can you help?

[attachment: zap cors error.png]