Articles in this section

Authentication Support for Zap Scans Follow

Avatar
DeepFactor Support
  • Updated

 

An authenticated Zap scan is vulnerability testing performed as an authenticated or “logged in” User. Deepfactor Zap Scans support four types of Authentication:

Deepfactor Intercepted Token

An intercepted Authentication header/token.

InterceptedToken.png

 

Custom Token Authorization

A custom HTTP Authorization token, or value, may be specified.

CustomToken.png

 

Form

Using an HTML form template, Deepfactor will pass the form and user credentials to the ZAP scan service. To use the Form, first, select Existing Web Service, Custom scan configuration type, Host, Web Scan, and Scan Strength.

Form.png


Next, specify the URIs to include or exclude, click “Form” for Authentication Type and Logon URI. Enter a Username and Password and Form Data.

FormURI.png


Note: Please see Deepfactor vs. ZAP Form/Script Authentication Differences.

Supporting OWASP documentation:: ZAP Form Authentication.
https://www.zaproxy.org/docs/api/#form-based-authentication

 

Script

Deepfactor can pass scripts and user credentials for ZAP scanning using custom JavaScript that performs authentication. To implement scans with a Script, first select Existing Web Service, Custom scan configuration type, Host, Web Scan, and Scan Strength.

Script.png


Next, specify the URIs to include or exclude, check “Script” for Authentication Type and Logon URI. Enter a Username and Password and Log In and Out indicators.

Indicators.png

 

Finally, add the Authentication script and click Start Web Scan.

AuthenticationScript.png

 

Note: Please see Deepfactor vs. ZAP Form/Script Authentication Differences

Supporting OWASP documentation: ZAP Script Authentication:
https://www.zaproxy.org/docs/api/#script-based-authentication

Sample Scripts
https://github.com/zaproxy/zap-api-docs/tree/master/source/scripts - Connect to preview
https://github.com/zaproxy/community-scripts/tree/master/authentication - Connect to preview

 

Deepfactor vs. ZAP Form/Script Authentication Differences

  • Only JavaScript scripts are currently supported.

  • Specify URI paths vs. URLs in field options.

  • Deepfactor will route scan requests through a proxy with a virtual application (web service) hostname. If a script requires a URL to properly scrape or construct a request from a Script parameter, then use the string literal below in any Script parameter value:
    {%df_virtual_host%}
  • Deepfactor Include and Exclude URI expressions for ZAP Context
  • Deepfactor will convert URI path expressions to ZAP URL expressions. The default included URI expression if none are supplied is:
    /.*

    Deepfactor will automatically prepend the resolved

    http://{%df_virtual_host%}

    to each URI expression if

    {%df_virtual_host%}

    is not already provided in the expression.

  • Deepfactor will also auto-include a LogInURI and LogInPageURI in the ZAP Context.

    Exclude URIs: a regular expression used to match and exclude paths from ZAP spider and scan.
    Deepfactor Exclude URI is a general purpose feature to prevent ZAP from spidering or scanning a given URI path on a web service. This can be utilized to prevent the scanner from performing a logout or to avoid endpoints that adversely effect scan performance.

    Unlike ZAP Exclude URL regular expressions, Deepfactor Exclude URI, or paths, must not include the protocol:/host:port in the expression or start with a line control character[1] unless replacing 'host' with {%df_virtual_host%}

    [1] '\A' or '^'

Supporting OWASP documentation: ZAP Scan General Steps https://www.zaproxy.org/docs/api/#general-steps

 

 

 

Related articles

Comments

0 comments

Please sign in to leave a comment.