Automated authentication detection and configuration #4105

Closed
5 tasks done
psiinon opened this issue Nov 30, 2017 · 14 comments

Comments

@psiinon
Member

psiinon commented Nov 30, 2017

Have converted this issue into a tracker:

  • Authentication detection & configuration
  • Session management detection & configuration
  • Verification detection & configuration
  • Browser based authentication
  • Automated authentication configuration

Currently a user must manually configure ZAP to handle authentication, eg as per https://github.com/zaproxy/zaproxy/wiki/FAQformauth
This is time consuming and error prone.
Ideally ZAP would help detect login and registration pages and provide more assistance when configuring authentication, ideally being able to completely automate the task for as many sorts of webapps as possible.
There are lots of aspects to this project, but hopefully it's possible to address them one at a time and gradually improve ZAP.
A good start would be to help detect login and registration pages. A good start would be flagging pages with forms that have either one or two password fields - one could imply login and 2 could imply registration.
We already detect session cookies so a combination of login form detection and session cookie detection would allow us to set up some of the auth config automatically.
Identifying logged in/out indicators is harder, but if the user provides some example credentials then we can request pages when using and not using those creds and suggest some strings that could be used.
The user interface is important to this development, but so is automation - it would be great to be able to just specify example credentials and for ZAP to be able to do the rest in many cases.
Testing against a wide variety of apps is key here.
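The logged in/out indicator idea above, worked through as an added example (this is not ZAP code and not the author's implementation): the same page is fetched once with the example credentials and once without, and the visible text fragments that appear in only one of the two responses are proposed as indicator candidates. The two HTML bodies are constructed for the example.

```python
"""Suggest logged-in / logged-out indicators by comparing two responses.

Added example, not ZAP code: given the body of the same page fetched once
with example credentials and once without, propose visible-text fragments
that appear in only one of the two, which is what a user would otherwise
hunt for by hand.  The two HTML bodies are constructed for this example.
"""
import re
from html.parser import HTMLParser

# Constructed sample: the same dashboard URL fetched logged out and logged in.
LOGGED_OUT_HTML = """<html><body>
<nav><a href="/login">Log in</a> <a href="/register">Register</a></nav>
<h1>Dashboard</h1>
<p>Please log in to view your projects.</p>
<script>var sessionId = "abc";</script>
</body></html>"""

LOGGED_IN_HTML = """<html><body>
<nav>Welcome back, alice <a href="/logout">Log out</a></nav>
<h1>Dashboard</h1>
<p>You have 3 open projects.</p>
<script>var sessionId = "xyz";</script>
</body></html>"""


class _TextFragments(HTMLParser):
    """Collect visible text fragments, skipping script and style content."""

    def __init__(self):
        super().__init__()
        self.fragments = []
        self._skip = 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if self._skip:
            return
        text = " ".join(data.split())  # normalise whitespace
        if text:
            self.fragments.append(text)


def visible_text(html):
    """Return the set of distinct visible text fragments in an HTML body."""
    parser = _TextFragments()
    parser.feed(html)
    parser.close()
    return set(parser.fragments)


def suggest_indicators(logged_in_html, logged_out_html, min_len=4):
    """Return (logged_in_candidates, logged_out_candidates).

    A fragment present only in the authenticated response is a logged-in
    indicator candidate; one present only in the unauthenticated response
    is a logged-out candidate.  Very short fragments are dropped because
    they make poor indicators.
    """
    in_text = visible_text(logged_in_html)
    out_text = visible_text(logged_out_html)
    only_in = sorted(f for f in in_text - out_text if len(f) >= min_len)
    only_out = sorted(f for f in out_text - in_text if len(f) >= min_len)
    return only_in, only_out


def as_regex(fragment):
    """ZAP context indicators are regexes, so escape the literal text."""
    return re.escape(fragment)


def indicators_hold(patterns, html):
    """True if every pattern matches the body: a sanity check before use."""
    return all(re.search(p, html) for p in patterns)


if __name__ == "__main__":
    logged_in, logged_out = suggest_indicators(LOGGED_IN_HTML, LOGGED_OUT_HTML)
    print("logged-in indicator candidates:", logged_in)
    print("logged-out indicator candidates:", logged_out)
```

Anything that differs between the two fetches for reasons other than the session state (the user's own name, timestamps, counters) shows up as a candidate too, so a suggestion should be confirmed against a second fetch in the same state and a generic string such as the logout link preferred over a user-specific one.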

@psiinon psiinon assigned ghost Dec 6, 2017
@psiinon
Member Author

psiinon commented Jan 12, 2018

@Tisa-Segovic are you still planning on working on this?

@codesahil

Would like to work on this project. Any ideas or steps on how to achieve it? @psiinon

@psiinon
Member Author

psiinon commented Jan 25, 2018

@codesahil : Start one step at a time.
As mentioned above "A good start would be flagging pages with forms that have either one or two password fields - one could imply login and 2 could imply registration."
Passive scan rules would be good for that, so try writing one of those. Then try to find a good range of test sites / apps and see how well it works against them.
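The password-field heuristic quoted above (one field suggests login, two suggest registration), worked through as an added example that is not ZAP's passive scan rule and not the author's code: it parses a response body, counts the password inputs in each form and flags the matching forms. The sample page is constructed for the example.

```python
"""Flag login and registration forms by counting password fields.

Added example, not ZAP's own passive scan rule: it applies the heuristic
from the comments above (one password field suggests a login form, two
suggest a registration form) to a single HTML response body.  The sample
page is constructed for this example.
"""
from html.parser import HTMLParser

# Constructed sample page with a search form, a login form and a
# registration form.
SAMPLE_HTML = """<html><body>
<form action="/search" method="get">
  <input type="text" name="q"><input type="submit" value="Search">
</form>
<form action="/login" method="post">
  <input type="email" name="email">
  <input type="password" name="password">
  <input type="submit" value="Log in">
</form>
<form action="/register" method="POST">
  <input type="text" name="username">
  <input type="email" name="email">
  <input type="password" name="password">
  <input type="password" name="confirm">
  <button type="submit">Register</button>
</form>
</body></html>"""


class _FormCollector(HTMLParser):
    """Record each <form> with the number and kinds of inputs it contains."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {
                "action": a.get("action", ""),
                "method": a.get("method", "get").lower(),
                "password_fields": 0,
                "text_fields": 0,
            }
        elif tag == "input" and self._current is not None:
            kind = a.get("type", "text").lower()
            if kind == "password":
                self._current["password_fields"] += 1
            elif kind in ("text", "email"):
                self._current["text_fields"] += 1

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None

    def close(self):
        super().close()
        if self._current is not None:  # tolerate an unclosed <form>
            self.forms.append(self._current)
            self._current = None


def classify(form):
    """Apply the heuristic: 1 password field -> login, 2 -> registration."""
    if form["password_fields"] == 1:
        return "login"
    if form["password_fields"] == 2:
        return "registration"
    return None


def find_auth_forms(html):
    """Return the forms in an HTML body that look like login or registration."""
    parser = _FormCollector()
    parser.feed(html)
    parser.close()
    hits = []
    for form in parser.forms:
        kind = classify(form)
        if kind is not None:
            hits.append({"kind": kind, **form})
    return hits


if __name__ == "__main__":
    for hit in find_auth_forms(SAMPLE_HTML):
        print(f"{hit['kind']:12} {hit['method'].upper()} {hit['action']}")
```

The heuristic is deliberately simple, so the usual false positives need a human or a later rule to sort out: a change-password form with new and confirm fields also has two password inputs, a password input rendered by a single-page app outside any `<form>` is missed entirely, and a login form submitted with GET is worth its own alert since the credentials would land in the URL and server logs.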

@kingthorin
Member

@Tisa-Segovic are you still planning on working on this?

@psiinon
Member Author

psiinon commented May 10, 2018

Kajans blog: https://kajanm.github.io/gsoc.html
Doc detailing Web App Auth Schemes: https://docs.google.com/document/d/1LSg8CMb4LI5yP-8jYDTVJw1ZIJD2W_WDWXLtJNk3rsQ/edit

@binarymist
Contributor

May also be worth updating (https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsAuthentication) as work progresses

@psiinon
Member Author

psiinon commented May 15, 2018

@binarymist the zap-core-help wiki is generated from the help pages when we do a full release.
The help pages should definitely be updated but the wiki will only be updated when those changes are part of a full release.

@tumluliu

tumluliu commented Sep 3, 2018

Do you have a plan to provide the python scripts, e.g. zap-baseline.py, zap-full-scan.py, with auth-related options, something like the cmdline arguments in https://github.com/ICTU/zap-baseline? The problem with the ICTU version of the script is that it's pretty unstable and randomly generates 0-length reports.

@psiinon
Member Author

psiinon commented Sep 3, 2018

I did raise ICTU/zap2docker-auth-weekly#5 but I was a bit concerned about the implementation as it looked like it could be a bit unstable :/
This project which @KajanM is working on is all about improving authentication via ZAP. I'd love us to be able to extend the python scripts to automatically handle authentication but it's complicated to handle all situations so I'm afraid it will take a while.

@tumluliu

tumluliu commented Sep 4, 2018

Thank you for the message! @psiinon
I tried making a context file with the ZAP desktop app with some manual steps according to the FAQ you recommended in some other threads. I can export an xml context file now, and am about to pass it as a parameter to the zap-baseline script. Do you think this is the correct way to achieve the target?

@ricekot
Member

ricekot commented Feb 21, 2023

I believe the authhelper add-on now offers some of the basic features that are requested in this issue. Should we close this issue, or convert it into a tracker for future work on the add-on?

@psiinon psiinon assigned psiinon and unassigned KajanM Feb 21, 2023
@psiinon
Member Author

psiinon commented Feb 21, 2023

Yeah, this could be a tracker issue .. have assigned it to me and will add checkboxes to the first comment...

@psiinon
Member Author

psiinon commented May 10, 2023

Wow, raised in 2017 😁

@psiinon psiinon closed this as completed May 10, 2023
@github-actions

github-actions bot commented Aug 9, 2023

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@github-actions github-actions bot locked and limited conversation to collaborators Aug 9, 2023