
Feature: add authenticated scans #5

Open
hazcod opened this issue Jun 8, 2020 · 7 comments
Labels
enhancement New feature or request

Comments

@hazcod

hazcod commented Jun 8, 2020

Add the necessary input variables to configure the ZAP authentication toggles to perform authenticated scans in your pipeline.

e.g.

```yaml
  zap_scan_cluster:
    runs-on: ubuntu-latest
    name: Scan k8s cluster
    steps:
      - name: ZAP Scan
        uses: zaproxy/action-full-scan@v0.2.0
        with:
          issue_title: Vulnerability Scan Results
          token: ${{ secrets.GITHUB_TOKEN }}
          docker_name: owasp/zap2docker-weekly
          target: https://cluster.ironpeak.be/
          rules_file_name: .github/zap.ignore
          cmd_options: '-a'

          http_login_form: '/app/login'
          http_login_http_username: 'testuser'
          http_login_http_password: ${{ secrets.ZAP_USER_PW }}
```
@psiinon
Member

psiinon commented Jun 8, 2020

Would definitely like to see this, but it's not as simple as that ;)

@mmogy

mmogy commented Apr 8, 2021

You can run authenticated scans by supplying a context file via cmd_options.

  1. Using ZAP Desktop, create and configure a context
  2. Export the context to a file (File > Export Context...)
    a. ⚠️ This file may contain credentials! ⚠️ If you configured passwords into the context, they will be present in the file in base64-encoded format. You should manually edit the context file to replace them with a placeholder string.
  3. After removing all base64-encoded passwords, add the context file to the repository where the ZAP Action is running
  4. Set up secrets in your repository containing the original base64-encoded passwords from the context file. These are properly encrypted within GitHub.
  5. Configure your ZAP Action to read the secrets, place them into the context file, and feed the context file to the runner.

Example:

```yaml
...
    steps:
      # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
      - name: Checkout
        uses: actions/checkout@v2
      - name: Context Setup
        env:
          # Set a previously defined secret as an environment variable for this step:
          B64PASSWORD: ${{secrets.B64PASSWORD}}
        # Replace the "PLACEHOLDER" string in the context file with the real base64-encoded password.
        # "|" is used as the s-command delimiter because base64 values may contain "/",
        # which would terminate a "/"-delimited expression early.
        # "-i -e" rather than "-ie": GNU sed reads "-ie" as in-place editing with backup
        # suffix "e", which leaves a second copy of the filled-in file in the workspace.
        run: |
          sed -i -e "s|PLACEHOLDER|${B64PASSWORD}|" "$GITHUB_WORKSPACE/ctx_file.context"
      - name: OWASP ZAP Full Scan
        uses: zaproxy/action-full-scan@v0.2.0
        with:
          target: http://example.com
          # Additional command line options
          # -j   runs the AJAX spider
          # -U   specifies which user to select from the context file
          # -n   loads the context file (the checked-out workspace is mounted at /zap/wrk in the container)
          cmd_options: -j -U "my_username" -n /zap/wrk/ctx_file.context
```
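A more defensive version of the "Context Setup" substitution, added here as an example; it is not code from this issue or from the zaproxy project. It keeps the placeholder convention described in the steps above, takes the secret from an exported environment variable named on the command line (so the value never appears in a process listing or the job log), replaces it literally rather than through a sed expression, checks the value looks like base64 before touching the file, and refuses to proceed if the placeholder is missing or survives. The sample context file is a constructed stand-in for this example: ZAP's real export layout is not shown on this page, and only the placeholder convention matters here.

```shell
#!/bin/sh
# Added example, not from the issue or the zaproxy project. Fills the
# placeholder in a committed ZAP context file with the base64-encoded
# password held in an exported environment variable. Base64 can contain
# '/', '+' and '=', which break a '/'-delimited sed s/// expression and
# are copied literally here instead.
set -eu

# inject_secret FILE PLACEHOLDER VARNAME
# FILE        context file committed with a placeholder (e.g. ctx_file.context)
# PLACEHOLDER literal string to replace (must occur at least once)
# VARNAME     name of an exported environment variable holding the base64 value
inject_secret() {
  file=$1; placeholder=$2; varname=$3
  tmp="$file.tmp.$$"

  # A stale file without the placeholder would make ZAP run unauthenticated
  # and quietly report far fewer findings, so fail loudly instead.
  grep -Fq -- "$placeholder" "$file" || {
    echo "inject_secret: '$placeholder' not found in $file" >&2; return 1; }

  # awk substitutes with index()/substr(), so the value is copied byte for
  # byte; it reads the secret through ENVIRON rather than from an argument.
  awk -v ph="$placeholder" -v vn="$varname" '
    BEGIN {
      val = ENVIRON[vn]
      if (val == "") {
        print "inject_secret: " vn " is empty or not exported" > "/dev/stderr"; exit 2
      }
      if (val !~ "^[A-Za-z0-9+/]+=?=?$") {
        print "inject_secret: " vn " is not base64" > "/dev/stderr"; exit 3
      }
    }
    {
      line = $0; out = ""
      while ((i = index(line, ph)) > 0) {
        out = out substr(line, 1, i - 1) val
        line = substr(line, i + length(ph))
      }
      print out line
    }' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }

  mv "$tmp" "$file"
  # The placeholder must be gone before the file is handed to ZAP with -n.
  if grep -Fq -- "$placeholder" "$file"; then
    echo "inject_secret: placeholder still present in $file" >&2; return 1
  fi
}

# Constructed sample, not a real ZAP export: one user entry whose password
# field holds the placeholder. Used only to exercise inject_secret.
make_sample_context() {
  cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <context>
    <name>demo</name>
    <users>
      <user>true;1;my_username;PLACEHOLDER</user>
    </users>
  </context>
</configuration>
EOF
}
```

In the workflow this replaces the `sed` line of the "Context Setup" step: `inject_secret "$GITHUB_WORKSPACE/ctx_file.context" PLACEHOLDER B64PASSWORD`, with `B64PASSWORD` supplied through the step's `env:` block as in the example above. The base64 check is deliberately strict; if the context stores something other than base64 for your authentication method, relax the pattern rather than removing the check.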

@bhojrajjoshi2020

@mmogy That's really a good starter to automate authenticated scans. It would be helpful if you could guide me on the similar scenario below as well.

I am trying to automate the Docker implementation of ZAP proxy to target some of my token-based web applications, which use Amazon Cognito for authentication and authorization.

Since the target app needs a token as Authorization header, in the ZAP Desktop application it can be done through "Authentication" and "HttpSender" scripts, for fetching the token from Cognito and placing it in each HTTP request of the URLs being scanned respectively.

However, for ZAP Docker, I can send a context file to it using the "-n" flag; the file will also contain a reference to the "Authentication" script that I would create to fetch the token from Cognito. But I do not find a way to bind an "HttpSender" script with the context file, or any flag that takes this file, in the provided list of options given in the link above.

So, the questions are:

  1. Can I use additional libraries such as the AWS SDK within the Authentication script? How can I pass them to the ZAP Docker container so that the script can reference them at runtime?
  2. Is there a way to send an HttpSender script, or any other way, to put the token in each scan request?

@bhojjoshi

@psiinon @thc202 @hazcod @mmogy Any thoughts or directions on the above question on authenticated scan?

@bhojjoshi

This has been replied and commented here: https://groups.google.com/g/zaproxy-develop/c/mGw2we8fcIk

@tony

tony commented Nov 8, 2021

While it doesn't work with docker, https://github.com/ICTU/zap-baseline has a CLI flow with form authentication and Bearer token auth.

I created an issue there asking about their docker image supporting GitHub actions: ICTU/zap2docker-auth-weekly#41

@saad-uddin

Hi All, can someone suggest an end-to-end workflow for a ZAP scan using authentication? Anything works, either a GitHub Action or via Docker. Thanks
