Authentication Support for Zap Scans

An authenticated ZAP scan is vulnerability testing performed as an authenticated, or "logged in", user, so that the scanner can reach the pages and APIs that sit behind the application's login. Deepfactor ZAP scans support four types of authentication:

Deepfactor Intercepted Token

An Authorization header or token that Deepfactor has intercepted from the running application's traffic is reused on the scan's requests, so no credentials have to be entered by hand.

[Screenshot: Deepfactor_Intercepted_Token.png]

Custom Token Authorization

A custom HTTP Authorization header value (for example a bearer or API token) is entered manually and sent on the scan's requests.

[Screenshot: Custom_Token_Authorization.png]

Form

Using an HTML form template, Deepfactor passes the login form definition and the user credentials to the ZAP scan service, which submits the form to obtain a session.

  • To use Form authentication, select Existing Web Service, the Custom scan configuration type, Host, Web Scan, and Scan Strength.
  • Specify the URIs to include or exclude, select "Form" as the Authentication Type, and enter the Logon URI.
  • Enter a Username and Password and the Form Data (the form fields the login page posts).

[Screenshot: Form.png]

Note: Please see Deepfactor vs. ZAP Form/Script Authentication Differences.

Supporting OWASP documentation: ZAP Form Authentication.
https://www.zaproxy.org/docs/api/#form-based-authentication

Script

Deepfactor can pass a custom JavaScript authentication script, together with the user credentials, to the ZAP scan service; ZAP runs the script to log in before the scan and again whenever it detects that the session has been logged out.

  • To implement scans with a Script, first select Existing Web Service, the Custom scan configuration type, Host, Web Scan, and Scan Strength.

[Screenshot: Script1.png]

  • Next, specify the URIs to include or exclude, select "Script" as the Authentication Type, and enter the Logon URI.
  • Enter a Username and Password and the Logged In and Logged Out indicators (regular expressions ZAP matches against responses to decide whether the session is still authenticated), then click Start Scan.

[Screenshot: Script2.png]

Note: Please see Deepfactor vs. ZAP Form/Script Authentication Differences.

Supporting OWASP documentation: ZAP Script Authentication:
https://www.zaproxy.org/docs/api/#script-based-authentication

Sample Scripts
https://github.com/zaproxy/zap-api-docs/tree/master/source/scripts
https://github.com/zaproxy/community-scripts/tree/master/authentication
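The following is an added example of a ZAP script-based authentication script of the kind the Script option above expects; it is not Deepfactor's or ZAP's own sample code. It assumes the target exposes a login page that accepts a POST of a username and password field. The parameter names ("Login URL", "Username Field", "Password Field") and credential names ("Username", "Password") are illustrative choices for this example. In a Deepfactor scan the "Login URL" parameter would be given with the {%df_virtual_host%} literal as its host, so the request is routed through the scan proxy. The Java classes are resolved inside authenticate() so the form-body helper can also be exercised outside ZAP.

```javascript
// Added example of a ZAP JavaScript authentication script (not Deepfactor's or
// ZAP's own). ZAP calls authenticate() whenever it needs to log the user in.

// Pure helper (also runs outside ZAP): builds a URL-encoded form body.
// The field names default to "username"/"password"; both are assumptions.
function buildLoginBody(username, password, fieldNames) {
  var names = fieldNames || { user: "username", pass: "password" };
  return encodeURIComponent(names.user) + "=" + encodeURIComponent(username) +
    "&" + encodeURIComponent(names.pass) + "=" + encodeURIComponent(password);
}

// helper:       ZAP's AuthenticationHelper (builds and sends HttpMessages)
// paramsValues: the script parameters configured in the ZAP Context (java.util.Map)
// credentials:  the user's credentials as named by getCredentialsParamsNames()
function authenticate(helper, paramsValues, credentials) {
  // Java classes are resolved here, inside ZAP's Nashorn/GraalJS engine.
  var HttpRequestHeader = Java.type("org.parosproxy.paros.network.HttpRequestHeader");
  var HttpHeader = Java.type("org.parosproxy.paros.network.HttpHeader");
  var URI = Java.type("org.apache.commons.httpclient.URI");

  // In Deepfactor, set "Login URL" to e.g. http://{%df_virtual_host%}/login so the
  // proxy resolves the virtual web service hostname.
  var loginUrl = paramsValues.get("Login URL");
  var userField = paramsValues.get("Username Field") || "username";
  var passField = paramsValues.get("Password Field") || "password";

  var body = buildLoginBody(
    credentials.getParam("Username"),
    credentials.getParam("Password"),
    { user: userField, pass: passField });

  // Build the POST with the form body and a correct Content-Length.
  var msg = helper.prepareMessage();
  msg.setRequestHeader(new HttpRequestHeader(
    HttpRequestHeader.POST, new URI(loginUrl, false), HttpHeader.HTTP11));
  msg.getRequestHeader().setHeader(HttpHeader.CONTENT_TYPE,
    "application/x-www-form-urlencoded");
  msg.setRequestBody(body);
  msg.getRequestHeader().setContentLength(msg.getRequestBody().length());

  helper.sendAndReceive(msg);

  // Returning the message lets ZAP check the Logged In / Logged Out indicators
  // against the response and capture the session cookie or token it sets.
  return msg;
}

// Parameter names ZAP shows in the Context's authentication panel.
function getRequiredParamsNames() { return ["Login URL"]; }
function getOptionalParamsNames() { return ["Username Field", "Password Field"]; }

// Credential names the user's entry (Deepfactor's Username/Password fields) map onto.
function getCredentialsParamsNames() { return ["Username", "Password"]; }
```

Because Deepfactor supplies the Username and Password from the scan form, the script itself should never hard-code credentials; the Logged In / Logged Out indicators entered in the UI are what tell ZAP to call authenticate() again if the scanner is logged out mid-scan, which is also why the logout endpoint belongs in the Exclude URIs.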

Deepfactor vs. ZAP Form/Script Authentication Differences

  • Only JavaScript scripts are currently supported.

  • Specify URI paths rather than full URLs in the field options.

  • Deepfactor routes scan requests through a proxy using a virtual application (web service) hostname. If a script needs a full URL to scrape a page or to construct a request from a Script parameter, use the string literal below in the Script parameter value; Deepfactor replaces it with the virtual hostname:
    {%df_virtual_host%}

  • Deepfactor Include and Exclude URI expressions for the ZAP Context:
    Deepfactor converts URI path expressions into ZAP URL expressions. The default included URI expression, if none is supplied, is:
    /.*
    Deepfactor automatically prepends the resolved
    http://{%df_virtual_host%}
    to each URI expression if {%df_virtual_host%} is not already present in the expression.

  • Deepfactor also auto-includes the LogInURI and LogInPageURI in the ZAP Context.

  • Exclude URIs: a regular expression used to match and exclude paths from the ZAP spider and scan.
    Deepfactor Exclude URI is a general-purpose feature to prevent ZAP from spidering or scanning a given URI path on a web service. Use it to keep the scanner from requesting a logout endpoint (which would end the authenticated session) or endpoints that adversely affect scan performance.
    Unlike ZAP Exclude URL regular expressions, a Deepfactor Exclude URI (path) must not include the protocol://host:port and must not start with a line anchor ('\A' or '^'), unless the expression uses {%df_virtual_host%} in place of the host.
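To make the Include/Exclude URI rules above concrete, here is an added example that models the path-to-URL conversion and the validation rule in code. It is not Deepfactor's implementation; the resolved hostname "svc.example.internal", the function names and the sample Include/Exclude paths are constructed for illustration.

```javascript
// Added example (not Deepfactor's code): models how Deepfactor URI path
// expressions become ZAP Context URL regexes, and which Exclude URIs are
// rejected. The resolved hostname below is a constructed sample value.
const VIRTUAL_HOST_TOKEN = "{%df_virtual_host%}";
const DEFAULT_INCLUDE = "/.*";

// Rejects an expression that carries its own scheme/host or a line anchor
// ('^' or '\A') without using the virtual-host token in place of the host.
function validateUriExpression(expr) {
  const usesVirtualHost = expr.includes(VIRTUAL_HOST_TOKEN);
  const hasSchemeOrHost = /^[a-z][a-z0-9+.-]*:\/\//i.test(expr);
  const hasLineAnchor = expr.startsWith("^") || expr.startsWith("\\A");
  if ((hasSchemeOrHost || hasLineAnchor) && !usesVirtualHost) {
    throw new Error(
      `URI expression must be a path, or use ${VIRTUAL_HOST_TOKEN} as the host: ${expr}`);
  }
  return expr;
}

// Prepends http://{%df_virtual_host%} unless the expression already references
// the token, then substitutes the resolved virtual hostname. The hostname is
// inserted as-is (its dots still match the literal host in the regex).
function toZapUrlRegex(expr, resolvedHost) {
  validateUriExpression(expr);
  const withHost = expr.includes(VIRTUAL_HOST_TOKEN)
    ? expr
    : `http://${VIRTUAL_HOST_TOKEN}${expr}`;
  return withHost.split(VIRTUAL_HOST_TOKEN).join(resolvedHost);
}

// Builds the include/exclude regex lists for the ZAP Context: the default
// include applies when none is given, and the login URIs are auto-included.
function buildZapContext({ includeUris = [], excludeUris = [],
                           logInUri, logInPageUri, resolvedHost }) {
  const includes = includeUris.length ? includeUris : [DEFAULT_INCLUDE];
  const autoIncludes = [logInUri, logInPageUri].filter(Boolean);
  return {
    includeRegexs: [...includes, ...autoIncludes].map(u => toZapUrlRegex(u, resolvedHost)),
    excludeRegexs: excludeUris.map(u => toZapUrlRegex(u, resolvedHost)),
  };
}

// Constructed sample: scan /app, keep the scanner away from logout and a
// slow export endpoint, and anchor one exclude with the virtual-host token.
const demoContext = buildZapContext({
  includeUris: ["/app/.*"],
  excludeUris: ["/app/logout", "/app/reports/export.*",
                "^http://{%df_virtual_host%}/app/admin/.*$"],
  logInUri: "/app/login",
  logInPageUri: "/app/login.html",
  resolvedHost: "svc.example.internal",
});
console.log(JSON.stringify(demoContext, null, 2));
```

Running the block prints the include list with the resolved host prepended to /app/.* and both login URIs, and the three exclude regexes; a plain "^/app/logout" or "https://svc.example.internal/app/logout" would be rejected by validateUriExpression, which is the rule the last bullet above states.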

Supporting OWASP documentation: ZAP Scan General Steps https://www.zaproxy.org/docs/api/#general-steps
