PA-13820 Support regex for authVerificationURL (#112)

* PA-13820 Support regex for authVerificationURL
soos-io · Apr 24, 2024 · 969d1d1 · 969d1d1
1 parent 6aaff3a
commit 969d1d1
Show file tree

Hide file tree

Showing 5 changed files with 8 additions and 7 deletions.
diff --git a/README.md b/README.md
@@ -43,7 +43,7 @@ The basic command to run a baseline scan would look like:
 | `--authSubmitField` |  | Submit button id to use when authentication is required |
 | `--authUsername` |  | Username to use when authentication is required |
 | `--authUsernameField` |  | Username input id to use when authentication is required |
-| `--authVerificationURL` |  | URL used to verify authentication success, should be an URL that is expected to throw 200/302 during any authFormType authentication. If authentication fails when this URL is provided, the scan will be terminated. |
+| `--authVerificationURL` |  | URL used to verify authentication success, should be an URL that is expected to throw 200/302 during any authFormType authentication. If authentication fails when this URL is provided, the scan will be terminated. Supports plain URL or regex URL.|
 | `--bearerToken` |  | Bearer token to authenticate |
 | `--branchName` |  | The name of the branch from the SCM System |
 | `--branchURI` |  | The URI to the branch from the SCM System |

diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "soos-dast",
-  "version": "2.0.31",
+  "version": "2.0.32",
   "description": "SOOS DAST - The affordable no limit web vulnerability scanner",
   "main": "index.js",
   "scripts": {

diff --git a/src/index.ts b/src/index.ts
@@ -152,7 +152,7 @@ class SOOSDASTAnalysis {
     });
 
     analysisArgumentParser.argumentParser.add_argument("--authVerificationURL", {
-      help: "URL used to verify authentication success, should be an URL that is expected to throw 200/302 during any authFormType authentication. If authentication fails when this URL is provided, the scan will be terminated.",
+      help: "URL used to verify authentication success, should be an URL that is expected to throw 200/302 during any authFormType authentication. If authentication fails when this URL is provided, the scan will be terminated. Supports plain URL or regex URL.",
       required: false,
     });
 

diff --git a/src/zap_hooks/helpers/auth.py b/src/zap_hooks/helpers/auth.py
@@ -114,14 +114,15 @@ def validate_authentication_url(driver, url):
     log(f"Validating authentication url: {url}")
     url_found = False
     for request in driver.requests:
-        if request.response and url in request.url:
+        if request.response and (url in request.url or search(url, request.url) is not None):
             url_found = True
-            log(f"Checking response status code {request.response}")
+            log(f"Checking response status code {request.response} for {request.url}")
             if request.response.status_code not in [200, 302]:
                 log(f"Status code is not 200/302 for {request.url}, it is {request.response.status_code}")
                 sys.exit(1)
             else: 
                 log(f"Status code is {request.response.status_code} for {request.url}, authentication was successful")
+                break
     if not url_found:
         log(f"Authentication url {url} was not found, authentication failed.")
         sys.exit(1)