I am trying to use zap api scan in zap docker image. APIs are OIDC authenticated. Authentication is performed using "Graal.js" script and access token is set as global var using org.zaproxy.zap.extension.script.ScriptVars.setGlobalVar("accessToken",accessToken);
Access token is set as authorization header value using a httpSender script. In zap desktop, it is done using "Oracle Nashorn" engine. But in zap docker "Oracle Nashorn" engine is not available.
I have tried using Graal.js engine itself, but it fails with multi threading not allowed for JS engine.
What are the other ways to set the header ?
Why not just use the authentication env vars supported natively by ZAP?
ZAP_AUTH_HEADER_VALUE - if this is defined then its value will be added as a header to all of the requests
ZAP_AUTH_HEADER - if this is defined then its value will be used as the header name - if it is not defined then the standard Authorization header will be used
ZAP_AUTH_HEADER_SITE - if this is defined then the header will only be included in sites whose name includes its value
All documented on https://www.zaproxy.org/docs/authentication/handling-auth-yourself/
Related
I have deployed a Google Cloud Function which requires authentication to be executed.
Then, I've scheduled this function using Google Cloud Scheduler, and setting authentication through OIDC token, which basically is an authentication header in the HTTP POST scheduled.
Now, I would like to provide some custom parameter to the Cloud Function as well, using the proper header in Cloud Scheduler, but seems not to work.
I'm afraid that is caused by what stated here, that is, authentication headers are overwritten.
Anyone faced the same issue?
How could be solved?
Thanks
You can use the Headers in Cloud Scheduler to add the headers that you want, except the Authorization header that is set automatically when you activate the OIDC auth.
You can also put some parameter in the body if you want, all depends where you would like to read the data (header or body.)
EDIT 1
I have a Cloud Run "logger" to simply logs the headers/body of requests. And it worked during my tests I have 2 custom headers + the authorization header automatically set. Have a look:
I use Nextcloud as a normal user to store and share files.
I decided to use it as a backend for a web application I am developing so that I can store the files in Nextcloud while the frontend is done by me.
I spent some hours on the API docs
https://docs.nextcloud.com/server/latest/developer_manual/client_apis/WebDAV/index.html
and, with some disappointment, unless I have not made a mistake, I realized that the only API that can be used from outside Nextcloud is the WebDav API.
This is a minimalistic API that allows doing basic things such as uploading a file by passing the full path like with this GET statement (authenticated by basic auth passing username and password in the headers:
GET https://nextcloud.example.com/remote.php/dav/files/username/FolderOne/SubFolderTwo/HelloWorld.txt
This will download the file located in /FolderOne/SubFolderTwo/HelloWorld.txt
with a PUT request, it is possible to overwrite the file by passing the file content in the raw body request
This is very effective but minimalistic.
I was expecting to have a full REST API to access more properties and perform complex operations.
Could you please tell me if I missed some important information?
There is the OCS API but it works only from inside Nextcloud.
Thanks.
A full REST API is avaiable - https://docs.nextcloud.com/server/22/developer_manual/client_apis/OCS/ocs-api-overview.html
Create a Share - https://docs.nextcloud.com/server/latest/developer_manual/client_apis/OCS/ocs-share-api.html
The OwnCloud documentation also offers more examples
https://doc.owncloud.com/server/10.8/developer_manual/core/apis/ocs-share-api.html
You can register an App id and use that to login or passthru a username and password in the authentication header.
I am trying to authenticate to my API to perform some passive/active scan using OWASP ZAP.
I don't have any Swagger or OpenAPI specification, but I have some HTTP tests (Javascript) that might help. However, I can not figure out to authenticate to my API with ZAP.
Ideally I would like to automate the scan given some specs (in whatever format ZAP understands, but not automatic tools like OpenAPI Swagger), a URL entry-point and username/password, but I am stuck with more fundamental steps like the authentication.
I've been following this guide: https://www.zaproxy.org/docs/desktop/ui/dialogs/session/context-auth/
I added a username/password pair in Session > Contexts > Default Context > Users:
I then provided the details about the authentication API endpoint in Sessio > Context > Default Context > Authentication:
I made sure the button is pushed for "Forced User Mode enabled" (see the red circle in the previous screenshot on the "user details".
Then I right clicked on my "Default Context" (I created this with this name, nothing to do with ZAP terminology, it's just a ZAP Context) and clicked on "Active Scan".
Then I clicked on the button "Start Scan" from the pop-up window after the right click.
Then nothing happens. I don't see anything moving or logging or blinking.
How do I authenticate to my API with OWASP ZAP?
How do I reuse the JWT token to be used in other HTTP requests as an header?
Is there a way I could mime what I do in the HTTP integration tests to let ZAP discover issues with HTTP paths, HTTP query parameters and so on?
How can I export the above into a script I could invoke from the command line?
EDIT 1
This is not a website with HTML or a webapp. This is just a REST API via HTTPS with requests/responses, paths, query parameters and headers.
The "Include Context" does not contain any URL. However I just tried again adding the URL I specified in the "Authentication" menu, then tried again with the "Active Scan" and nothing happens.
The login/logout regex in "Authentication" were not containing anything because there is no such "logout" - the JWT token just expires and the request to any API endpoint is not valid any more.
Anyway I added the HTTP path (not the protocol or the domain/host, just the path without any /) for the "login" URL to both the regex fields in the form on ZAP. Then tried again "Active Scan" and nothing happens.
What is this "Active Scan" supposed to do? Do I have to provide all the valid paths? What about the query parameters?
How can I obtain the JWT token from the "login" API endpoint (it's not a webpage), and reuse it as an HTTP header during the scan?
How do I passively scan any endpoint starting from e.g. the "login" API endpoint (again - not a webpage, just a REST endpoint).
EDIT 2
I am using ZAP 2.9.0 via snap on Linux, there is no other version available:
$ snap find zaproxy
Name Version Publisher Notes Summary
zaproxy 2.9.0 psiinon classic OWASP ZAP, a tool for finding vulnerabilities in web applications
$ snap install zaproxy --classic
zaproxy 2.9.0 from Simon Bennetts (psiinon) installed
EDIT 3
I added this regex https?:\/\/example.org\/.* (with my host, not "example") to:
the "Include in Context" menu item
the "Authentication" menu item in both "login" and "logout" regex patterns.
Then tried again the "Active Scan": nothing happens - no output in the tabs on the lower part of the window, no logs, no blinking semaphores.
So you seem to have missed two key details.
You didn't mention what's included in the Context, or that you'd configured Include in Context pattern(s).
Also looking at your screenshot you haven't identified logged in or logged out identifiers so zap can never know what state it is in.
How can I obtain the JWT token from the "login" API endpoint (it's not a webpage), and reuse it as an HTTP header during the scan?
In Zap 2.10 you can also setup auth polling as a verification strategy.
If you have a non-standard auth mechanism then there are various options, such as using the Replacer add-on or an HttpSender script to set/update a header/token value. As of 2.10.0 this can also be done via env vars:
https://www.zaproxy.org/docs/desktop/start/features/authentication/
What is this "Active Scan" supposed to do? Do I have to provide all the valid paths? What about the query parameters?
This is why importing OpenAPI etc is valuable. Other options are to proxy functional tests. Zap has to be aware of the content/functionality in order to test it effectively.
How do I passively scan any endpoint starting from e.g. the "login" API endpoint (again - not a webpage, just a REST endpoint).
Passive scanning takes place on proxied or spidered traffic.
The "Include Context" does not contain any URL. However I just tried again adding the URL I specified in the "Authentication" menu, then tried again with the "Active Scan" and nothing happens.
Include in Context should be a regex pattern that will match your endpoints, unless you are literally only testing a single specific URL. Ex: https?:\/\/example.org/.* (.* being regex wildcard and matching anything on example.org/)
My application has a microsoft authentication on it before logging into it & I have recorded script but when I am running it, it is showing me access denied error everytime.I have set authentication manager but still same error. See image attached.
I have tried HTTP Authentication Manager & provided login username & password.
Most probably your application uses OAuth therefore it is neither something you can really record and replay nor handle with the HTTP Authorization Manager.
Depending on your application setup you will either need:
To perform correlation of the query parameters
Or to pass the relevant Authorization Bearer token via HTTP Header Manager. The process of obtaining the token can be different depending on your application login chain implementation, check out How to Run Performance Tests on OAuth Secured Apps with JMeter article to get a couple of ideas regarding bypassing 3rd-party provider login challenge in JMeter tests.
Check if you can provide the auth credentials as parameter of the requests.
for example www.abc.com?username=abc&password=abc. Replicate the same with Jmeter
Use Fiddler (or you can get away with browser dev tools if you don't mind searching manually) and log in manually via your browser.
Check the request(s) that are submitted to Microsoft for tokens/GUIDs and search for where the browser got those strings from (it'll be in one of the previous requests' responses' bodies or redirect URLs. In Fiddler you can use the find function on responses, browser dev tools you'll have to find it manually).
You can then use a JMeter Regular Expression Extractor post-processor (or any of the other post processors you prefer) to extract that string from the earlier request into a variable.
In your login request you can then use the value of that variable (if you used regular expression post-processor with a capture group the first group's value will be ${variable_g1}
You'll probably have an anti-forgery value that you can extract from the HTML of the login page which needs to be submitted with the username and password and then in the response you'll get a cookie set and potentially JWT token in the response body/URL.
I have internal web application, which I have to test using Jmeter.
The application has secure protections as a username, password and auth token.
Auth token is changing with every new session. I'm unable to path through secure token. Token is include in URL, which look like
http://mytraining.application.net/(S(vj1ckr0nqyvjq3blehcl2jwl))/ApplDefault.aspx?tabid=1. Cookies has look like
Cookie: AUTH_TOK_vj1ckr0nqyvjq3blehcl2jwl=vj1ckr0nqyvjq3blehcl2jwl; AUTH_TOK_syq3r1yu4equ515xzunjobhb=syq3r1yu4equ515xzunjobhb;
So, my Jmeter able to successfully run only when I submit current token in URL.
Please let me know if you have any idea, how to avoid submitting token in all places (35) every time.
[![enter image description here][1]][1]
My AUTH_TOKEN
Regular Expression
It seems you can figure you your Auth_TOK value from the cookies
Add the next line to user.properties file (located in JMeter's "bin" folder
CookieManager.save.cookies=true
Restart JMeter to pick the property up
Add HTTP Cookie Manager to your Test Plan
Now you should be able to see Cookies stored as JMeter Variables using Debug Sampler and View Results Tree listener combination and use cookies values as part of your URL
I would also recommend checking out ASP.NET Login Testing with JMeter as my expectation is that you will have to deal with few other dynamic parameters.
First try with HTTP Cookie Manager as mentioned by Dmitri. This would work if auth token is used in Headers, like Cookie header. Jmeter automatically fetches from Set-Cookie Header, set by server, (when you add HTTP Cookie Manager) for each thread and store it locally, so that it can use in subsequent requests.
If Auth token is used in other places (but not headers) such as part of Url, request body etc, then we should explicitly capture it using Regular Expression Extractor (post processor) and
Regular Expressions Jmeter to correlate the dynamic values. Once you capture the value into a local_variable, we replace the actual values by local_variable (Reference name field in Regular Expression Extractor) wherever we observe the dynamic value in subsequent requests, here auth token, using syntax ${local_variable}.