1. DeepFactor
  2. DAST Scans

Authentication Support for Zap Scans

Avatar
Deepfactor Support

An authenticated Zap scan is vulnerability testing performed as an authenticated or “logged in” User. Deepfactor Zap Scans support four types of Authentication:

Deepfactor Intercepted Token

An intercepted Authentication header/token.

Deepfactor_Intercepted_Token.png

Custom Token Authorization

A custom HTTP Authorization token, or value, may be specified.

Custom_Token_Authorization.png

Form

Using an HTML form template, Deepfactor will pass the form and user credentials to the ZAP scan service.

  • To use the Form, select Existing Web Service, Custom scan configuration type, Host, Web Scan, and Scan Strength.
  • Specify the URIs to include or exclude, and select “Form” for Authentication Type and Logon URI.
  • Enter a Username and Password and Form Data.

Form.png

Note: Please see Deepfactor vs. ZAP Form/Script Authentication Differences.

Supporting OWASP documentation:: ZAP Form Authentication.
https://www.zaproxy.org/docs/api/#form-based-authentication

Script

Deepfactor can pass scripts and user credentials for ZAP scanning using custom JavaScript that performs authentication.

  • To implement scans with a Script, first select Existing Web Service, Custom scan configuration type, Host, Web Scan, and Scan Strength.

Script1.png

  • Next, specify the URIs to include or exclude, and select “Script” for Authentication Type and Logon URI.
  • Enter a Username and Password and Log In and Out indicators and click Start Scan.

Script2.png

Note: Please see Deepfactor vs. ZAP Form/Script Authentication Differences

Supporting OWASP documentation: ZAP Script Authentication:
https://www.zaproxy.org/docs/api/#script-based-authentication

Sample Scripts
https://github.com/zaproxy/zap-api-docs/tree/master/source/scripts - Connect to preview
https://github.com/zaproxy/community-scripts/tree/master/authentication - Connect to preview

Deepfactor vs. ZAP Form/Script Authentication Differences

  • Only JavaScript scripts are currently supported.

  • Specify URI paths vs. URLs in field options.

  • Deepfactor will route scan requests through a proxy with a virtual application (web service) hostname. If a script requires a URL to properly scrape or construct a request from a Script parameter, then use the string literal below in any Script parameter value:
    {%df_virtual_host%}
  • Deepfactor Include and Exclude URI expressions for ZAP Context
  • Deepfactor will convert URI path expressions to ZAP URL expressions. The default included URI expression if none are supplied is:
    /.*

    Deepfactor will automatically prepend the resolved

    http://{%df_virtual_host%}

    to each URI expression if

    {%df_virtual_host%}

    is not already provided in the expression.

  • Deepfactor will also auto-include a LogInURI and LogInPageURI in the ZAP Context.
    Exclude URIs: a regular expression used to match and exclude paths from the ZAP spider and scan.
    Deepfactor Exclude URI is a general-purpose feature to prevent ZAP from spidering or scanning a given URI path on a web service. This can be utilized to prevent the scanner from performing a logout or to avoid endpoints that adversely affect scan performance.
    Unlike ZAP Exclude URL regular expressions, Deepfactor Exclude URI, or paths, must not include the protocol:/host:port in the expression or start with a line control character[1] unless replacing 'host' with {%df_virtual_host%}

    [1] '\A' or '^'

Supporting OWASP documentation: ZAP Scan General Steps https://www.zaproxy.org/docs/api/#general-steps

Was this article helpful?
0 out of 0 found this helpful

Comments

0 comments

Please sign in to leave a comment.