-
Notifications
You must be signed in to change notification settings - Fork 63
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Provide authenticated login for webscans #21
Comments
JSON formatThe next example json shows up different login configurations at once. In real world scenario only one. {
"apiVersion": "1.0",
"webScan": {
"uris": [
"https://productfailure.demo.example.org"
],
"login": {
"url": "https://productfailure.demo.example.org/login",
"basic": {
"realm": "${{ .LOGIN_REALM }}",
"user": "${{ .LOGIN_USER }}",
"password": "${{ .LOGIN_PWD }}"
},
"form": {
"autodetect": {
"user": "${{ .LOGIN_USER }}",
"password": "${{ .LOGIN_PWD }}"
},
"script": [
{
"step": "username",
"selector": "#example_login_userid",
"value": "${{ .LOGIN_USER }}"
},
{
"step": "password",
"selector": "#example_login_pwd",
"value": "${{ .LOGIN_PWD }}"
},
{
"step": "input",
"selector": "#example_additional_locaion_field",
"value": "munich"
},
{
"step": "click",
"selector": "#example_login_login_button"
}
]
}
}
}
}
The example above would be suitable for our go client. The client would replace LOGIN_USER and LOGIN_PWD template variables with dedicated entries from environment. So passwords would not be inside the configuration file and are injectable at runtime (e.g. on a Jenkins Build by secret credentials) Projects not using go client but having a direct approach would be responsible itself to ensure their secrets are not leaked: Either use a generated config file at runtime, or provide placeholders like done in go client by themselfes (e.g. a ${loginUser} ) etc. We provide following step types:
|
- implemented configuration and mapping to json - added tests for login example configurations On behalf of Daimler TSS GmbH.
- moved configuration parts into own document - sechub scan configuration documentation now inside rest documentation as well, so content available for people using REST directly as well - client documention contains configuration parts also, but examples are now only inside configuration block - the client examples just reference them inside document. On behalf of Daimler TSS GmbH.
- rest documentation failed because of new optional login information. added field and marked as optional.
- providing basic login parts in builder + test - providing formAutomated login parts in builder + test - providing formScript login parts in builder + test - removed unused SSLContextFactory On behalf of Daimler TSS GmbH.
- because extreme cumbersome and error prone to setup and copy login values from sechub web scan configuration into adaper configuratoin a new way for configuring adapters by builders is introduced: `AdapterConfigurationStrategy`. Such strategy is able to configure builder and is reusable between different product executors. - Having implemented now three strategies: - OneInstallSetupConfigBuilderStrategy - WebLoginConfigBuilderStrategy - TargetIdentifyingMultiInstallSetupConfigBuilderStrategy this will reduce boiler plate code in future In behalf of Daimler TSS GmbH.
- adding netsparker test application - refactored weblogin config builder strategy + bugfix (url was missing). - Test file support does now no longer add a new line at the end - netsparker implementation for basic auth web login - updated also application-postgres.properties so no longer using fix IP address but localhost as default for development... - upgraded generated images for documentation On behalf of Daimler TSS GmbH.
NetsparkerBasic authenticationREST documentationhttps://your-netsparker-server/docs/index#!/Scans/Scans_New Form authenticationREST documentation |
- basic auth was not correct in test case, fixed now On behalf of Daimler TSS GmbH.
- some tests changed, some added - netsparker config builder does now refuses multiple root target uris because netsparker uses webpages as identifiers. On behalf of Daimler TSS GmbH.
- netsparker script generator added + test case - login support improved for form auto detect login - integrated custom scripts into scan mechanism - scripted login and form auto detect are now working On behalf of Daimler TSS GmbH.
Client parts will be done on another issue, so closing this isue. |
- implemented configuration and mapping to json - added tests for login example configurations On behalf of Daimler TSS GmbH.
- moved configuration parts into own document - sechub scan configuration documentation now inside rest documentation as well, so content available for people using REST directly as well - client documention contains configuration parts also, but examples are now only inside configuration block - the client examples just reference them inside document. On behalf of Daimler TSS GmbH.
- rest documentation failed because of new optional login information. added field and marked as optional.
- providing basic login parts in builder + test - providing formAutomated login parts in builder + test - providing formScript login parts in builder + test - removed unused SSLContextFactory On behalf of Daimler TSS GmbH.
- because extreme cumbersome and error prone to setup and copy login values from sechub web scan configuration into adaper configuratoin a new way for configuring adapters by builders is introduced: `AdapterConfigurationStrategy`. Such strategy is able to configure builder and is reusable between different product executors. - Having implemented now three strategies: - OneInstallSetupConfigBuilderStrategy - WebLoginConfigBuilderStrategy - TargetIdentifyingMultiInstallSetupConfigBuilderStrategy this will reduce boiler plate code in future In behalf of Daimler TSS GmbH.
- adding netsparker test application - refactored weblogin config builder strategy + bugfix (url was missing). - Test file support does now no longer add a new line at the end - netsparker implementation for basic auth web login - updated also application-postgres.properties so no longer using fix IP address but localhost as default for development... - upgraded generated images for documentation On behalf of Daimler TSS GmbH.
- basic auth was not correct in test case, fixed now On behalf of Daimler TSS GmbH.
- some tests changed, some added - netsparker config builder does now refuses multiple root target uris because netsparker uses webpages as identifiers. On behalf of Daimler TSS GmbH.
- netsparker script generator added + test case - login support improved for form auto detect login - integrated custom scripts into scan mechanism - scripted login and form auto detect are now working On behalf of Daimler TSS GmbH.
At the moment web scans are only done unauthenticated.
This reduces possibility of finding vulnerabilities much.
Current config (anonymous only)
Provided login mechanism
Some web scanners provide different authentication methods:
We want to provide all of them without being product specific.
Basic and form based automated are simple - for "scripting or "recorded" this will be tricky.
Handle basic login
just provide product with information
Handle form based automated login
just provide product with information
Handle recorded or scripted logins
"Recorded" is a little bit "evil" when wanting to be product independent. Scripting as well. To solve this we will provide a scripting part where operations can be described in a very simple way. A product dependent script will be generated. If the product needs a recorded script/file, we will generate the record entry... All necessary metadata should be available when defining necessary script steps inside configuration.
The text was updated successfully, but these errors were encountered: