An authenticated Zap scan is vulnerability testing performed as an authenticated or “logged in” User. Deepfactor Zap Scans support four types of Authentication:
Deepfactor Intercepted Token
An intercepted Authentication header/token.
Custom Token Authorization
A custom HTTP Authorization token, or value, may be specified.
Form
Using an HTML form template, Deepfactor will pass the form and user credentials to the ZAP scan service. To use the Form, first, select Existing Web Service, Custom scan configuration type, Host, Web Scan, and Scan Strength.
Next, specify the URIs to include or exclude, click “Form” for Authentication Type and Logon URI. Enter a Username and Password and Form Data.
Note: Please see Deepfactor vs. ZAP Form/Script Authentication Differences.
Supporting OWASP documentation: ZAP Form Authentication:
https://www.zaproxy.org/docs/api/#form-based-authentication
Script
Deepfactor can pass scripts and user credentials for ZAP scanning using custom JavaScript that performs authentication. To implement scans with a Script, first select Existing Web Service, Custom scan configuration type, Host, Web Scan, and Scan Strength.
Next, specify the URIs to include or exclude, check “Script” for Authentication Type and Logon URI. Enter a Username and Password and Log In and Out indicators.
Finally, add the Authentication script and click Start Web Scan.
Note: Please see Deepfactor vs. ZAP Form/Script Authentication Differences.
Supporting OWASP documentation: ZAP Script Authentication:
https://www.zaproxy.org/docs/api/#script-based-authentication
Sample Scripts:
https://github.com/zaproxy/zap-api-docs/tree/master/source/scripts
https://github.com/zaproxy/community-scripts/tree/master/authentication
Deepfactor vs. ZAP Form/Script Authentication Differences
- Only JavaScript scripts are currently supported.
- Specify URI paths vs. URLs in field options.
- Deepfactor will route scan requests through a proxy with a virtual application (web service) hostname. If a script requires a URL to properly scrape or construct a request from a Script parameter, then use the string literal below in any Script parameter value:
{%df_virtual_host%}
- Deepfactor Include and Exclude URI expressions for ZAP Context
- Deepfactor will convert URI path expressions to ZAP URL expressions. The default included URI expression if none are supplied is:
/.*
Deepfactor will automatically prepend the resolved http://{%df_virtual_host%} to each URI expression if {%df_virtual_host%} is not already provided in the expression.
- Deepfactor will also auto-include a LogInURI and LogInPageURI in the ZAP Context.
Exclude URIs: a regular expression used to match and exclude paths from the ZAP spider and scan.
Deepfactor Exclude URI is a general-purpose feature to prevent ZAP from spidering or scanning a given URI path on a web service. This can be used to prevent the scanner from performing a logout, or to avoid endpoints that adversely affect scan performance.
Unlike ZAP Exclude URL regular expressions, Deepfactor Exclude URI expressions (paths) must not include the protocol://host:port in the expression or start with a line control character[1], unless replacing 'host' with {%df_virtual_host%}.
[1] '\A' or '^'
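The URI-to-URL conversion and Exclude URI rules described above, written out as an added JavaScript illustration (this is not Deepfactor's own code; the function names and the sample host value are assumptions):

```javascript
// Illustrative reimplementation of the documented Deepfactor rules for turning
// Include/Exclude URI path expressions into ZAP Context URL expressions.
// Not Deepfactor code: function names are hypothetical.
const VIRTUAL_HOST = "{%df_virtual_host%}";
const DEFAULT_INCLUDE = "/.*"; // used when no Include URI is supplied

// An Exclude URI must be a path expression: no protocol://host:port and no
// leading line anchor (\A or ^), unless it already uses {%df_virtual_host%}.
function validateExcludeUri(expr) {
  if (expr.includes(VIRTUAL_HOST)) return true;
  if (/^\s*(\\A|\^)/.test(expr)) return false; // starts with a line anchor
  if (/^[a-z][a-z0-9+.-]*:\/\//i.test(expr)) return false; // has a scheme/host
  return expr.startsWith("/");
}

// Prepend http://{%df_virtual_host%} unless the placeholder is already present.
function toZapUrlExpression(expr) {
  if (expr.includes(VIRTUAL_HOST)) return expr;
  return "http://" + VIRTUAL_HOST + expr;
}

// Replace the placeholder with the resolved virtual application hostname.
function resolveVirtualHost(expr, host) {
  return expr.split(VIRTUAL_HOST).join(host);
}

// Build the include/exclude URL expressions for the ZAP Context, rejecting
// Exclude URIs that break the path-only rule before they reach ZAP.
function buildZapContext(includeUris, excludeUris) {
  const includes = includeUris.length ? includeUris : [DEFAULT_INCLUDE];
  const bad = excludeUris.filter((e) => !validateExcludeUri(e));
  if (bad.length) {
    throw new Error("Invalid Exclude URI(s): " + bad.join(", "));
  }
  return {
    include: includes.map(toZapUrlExpression),
    exclude: excludeUris.map(toZapUrlExpression),
  };
}

// Constructed sample: keep the scanner away from the logout endpoint.
const ctx = buildZapContext([], ["/logout"]);
console.log(ctx.include[0]); // http://{%df_virtual_host%}/.*
console.log(resolveVirtualHost(ctx.exclude[0], "svc.internal:8080"));
```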
Supporting OWASP documentation: ZAP Scan General Steps https://www.zaproxy.org/docs/api/#general-steps