Provide authenticated login for webscans #21

de-jcup · 2019-08-02T13:41:45Z

At the moment web scans are only done unauthenticated.
This reduces possibility of finding vulnerabilities much.

Current config (anonymous only)

{

	"apiVersion": "1.0",

	"webScan"   : {
               "uris": ["https://productfailure.demo.example.org"]
         }
}

Provided login mechanism

Some web scanners provide different authentication methods:

basic
form based
- automated
- scripted
- recorded

We want to provide all of them without being product specific.
Basic and form based automated are simple - for "scripting or "recorded" this will be tricky.

Handle basic login

just provide product with information

Handle form based automated login

just provide product with information

Handle recorded or scripted logins

"Recorded" is a little bit "evil" when wanting to be product independent. Scripting as well. To solve this we will provide a scripting part where operations can be described in a very simple way. A product dependent script will be generated. If the product needs a recorded script/file, we will generate the record entry... All necessary metadata should be available when defining necessary script steps inside configuration.

de-jcup · 2019-09-18T07:20:42Z

JSON format

The next example json shows up different login configurations at once. In real world scenario only one.
So only basic or form in combination of either autodetect or script should be used.

{
    "apiVersion": "1.0",
    "webScan": {
        "uris": [
            "https://productfailure.demo.example.org"
        ],
        "login": {
            "url": "https://productfailure.demo.example.org/login",
            "basic": {
                "realm": "${{ .LOGIN_REALM }}",
                "user": "${{ .LOGIN_USER }}",
                "password": "${{ .LOGIN_PWD }}"
            },
            "form": {
                "autodetect": {
                    "user": "${{ .LOGIN_USER }}",
                    "password": "${{ .LOGIN_PWD }}"
                },
                "script": [
                    {
                        "step": "username",
                        "selector": "#example_login_userid",
                        "value": "${{ .LOGIN_USER }}"
                    },
                    {
                        "step": "password",
                        "selector": "#example_login_pwd",
                        "value": "${{ .LOGIN_PWD }}"
                    },
                     {
                        "step": "input",
                        "selector": "#example_additional_locaion_field",
                        "value": "munich"
                    },
                    {
                        "step": "click",
                        "selector": "#example_login_login_button"
                    }
                ]
            }
        }
    }
}

The example above would be suitable for our go client. The client would replace LOGIN_USER and LOGIN_PWD template variables with dedicated entries from environment. So passwords would not be inside the configuration file and are injectable at runtime (e.g. on a Jenkins Build by secret credentials)

Projects not using go client but having a direct approach would be responsible itself to ensure their secrets are not leaked: Either use a generated config file at runtime, or provide placeholders like done in go client by themselfes (e.g. a ${loginUser} ) etc.

We provide following step types:

input
Use this to setup an input field. Needs selector and value
username
Same as input, but tagged as being credential part. SecHub will try to hide this information where
possible. Please use this for username at login.
password
Same as input, but tagged as being credential part. SecHub will try to hide this information where
possible. Please use this for password at login.
click
Use this to do a click operation. Needs only selector.

- implemented configuration and mapping to json - added tests for login example configurations On behalf of Daimler TSS GmbH.

- moved configuration parts into own document - sechub scan configuration documentation now inside rest documentation as well, so content available for people using REST directly as well - client documention contains configuration parts also, but examples are now only inside configuration block - the client examples just reference them inside document. On behalf of Daimler TSS GmbH.

- rest documentation failed because of new optional login information. added field and marked as optional.

- providing basic login parts in builder + test - providing formAutomated login parts in builder + test - providing formScript login parts in builder + test - removed unused SSLContextFactory On behalf of Daimler TSS GmbH.

- because extreme cumbersome and error prone to setup and copy login values from sechub web scan configuration into adaper configuratoin a new way for configuring adapters by builders is introduced: `AdapterConfigurationStrategy`. Such strategy is able to configure builder and is reusable between different product executors. - Having implemented now three strategies: - OneInstallSetupConfigBuilderStrategy - WebLoginConfigBuilderStrategy - TargetIdentifyingMultiInstallSetupConfigBuilderStrategy this will reduce boiler plate code in future In behalf of Daimler TSS GmbH.

- adding netsparker test application - refactored weblogin config builder strategy + bugfix (url was missing). - Test file support does now no longer add a new line at the end - netsparker implementation for basic auth web login - updated also application-postgres.properties so no longer using fix IP address but localhost as default for development... - upgraded generated images for documentation On behalf of Daimler TSS GmbH.

de-jcup · 2019-09-30T12:24:16Z

Netsparker

- basic auth was not correct in test case, fixed now On behalf of Daimler TSS GmbH.

- some tests changed, some added - netsparker config builder does now refuses multiple root target uris because netsparker uses webpages as identifiers. On behalf of Daimler TSS GmbH.

- netsparker script generator added + test case - login support improved for form auto detect login - integrated custom scripts into scan mechanism - scripted login and form auto detect are now working On behalf of Daimler TSS GmbH.

de-jcup · 2019-10-08T15:44:19Z

Client parts will be done on another issue, so closing this isue.