Automated authentication detection and configuration #4105
Comments
@Tisa-Segovic are you still planning on working on this?
Would like to work on this project. Any ideas or steps on how to achieve it? @psiinon
@codesahil: Start one step at a time.
Kajan's blog: https://kajanm.github.io/gsoc.html
May also be worth updating https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsAuthentication as work progresses
@binarymist the zap-core-help wiki is generated from the help pages when we do a full release.
Do you have a plan to provide the Python scripts, e.g. zap-baseline.py and zap-full-scan.py, with auth-related options, something like the command-line arguments in https://github.com/ICTU/zap-baseline? The problem with the ICTU version of the script is that it's pretty unstable and randomly generates 0-length reports.
I did raise ICTU/zap2docker-auth-weekly#5 but I was a bit concerned about the implementation as it looked like it could be a bit unstable :/
Thank you for the message! @psiinon
I believe the
Yeah, this could be a tracker issue .. have assigned it to me and will add checkboxes to the first comment...
Wow, raised in 2017 😁
This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs. |
Have converted this issue into a tracker:
Currently a user must manually configure ZAP to handle authentication, e.g. as per https://github.com/zaproxy/zaproxy/wiki/FAQformauth
This is time consuming and error prone.
Ideally ZAP would help detect login and registration pages and provide more assistance when configuring authentication, ideally being able to completely automate the task for as many sorts of webapps as possible.
There are lots of aspects to this project, but hopefully it's possible to address them one at a time and gradually improve ZAP.
A good start would be to help detect login and registration pages, e.g. by flagging pages with forms that have either one or two password fields - one could imply login and 2 could imply registration.
We already detect session cookies, so a combination of login form detection and session cookie detection would allow us to set up some of the auth config automatically.
Identifying logged in/out indicators is harder, but if the user provides some example credentials then we can request pages when using and not using those creds and suggest some strings that could be used.
The user interface is important to this development, but so is automation - it would be great to be able to just specify example credentials and for ZAP to be able to do the rest in many cases.
Testing against a wide variety of apps is key here.
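The three heuristics sketched in the tracker above (flag forms by password-field count, pick a session cookie, suggest logged-in/out indicators by diffing an authenticated and an anonymous fetch of the same page), as an added Python example that is not ZAP project code. All HTML, Set-Cookie headers and the session-cookie name pattern are constructed for the example; the keys of the returned dict loosely echo ZAP's form-based authentication parameters but are an assumed shape, not ZAP's API.

```python
# Added example, not ZAP project code. Sample HTML/cookies below are constructed.
import re
from html.parser import HTMLParser

# Assumed heuristic for "looks like a session cookie"; ZAP's own detection differs.
SESSION_COOKIE_RE = re.compile(r"(sess|sid|token|auth)", re.I)


class _FormCollector(HTMLParser):
    """Collect <form> elements with the names of their text and password inputs."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._cur = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._cur = {"action": a.get("action", ""),
                         "method": (a.get("method") or "get").lower(),
                         "text_fields": [], "password_fields": []}
        elif tag == "input" and self._cur is not None:
            kind = (a.get("type") or "text").lower()
            if kind == "password":
                self._cur["password_fields"].append(a.get("name"))
            elif kind in ("text", "email"):
                self._cur["text_fields"].append(a.get("name"))

    def handle_endtag(self, tag):
        if tag == "form" and self._cur is not None:
            self.forms.append(self._cur)
            self._cur = None


def classify_forms(html):
    """Forms with 1 password field are flagged 'login', 2+ 'registration'.
    Forms without a password field (search boxes etc.) are dropped."""
    p = _FormCollector()
    p.feed(html)
    p.close()
    out = []
    for f in p.forms:
        n = len(f["password_fields"])
        if n == 0:
            continue
        f["kind"] = "login" if n == 1 else "registration"  # 2+ may also be change-password
        out.append(f)
    return out


def pick_session_cookie(set_cookie_headers):
    """First cookie name matching the session-name heuristic, else None."""
    for h in set_cookie_headers:
        name = h.split("=", 1)[0].strip()
        if SESSION_COOKIE_RE.search(name):
            return name
    return None


def _text_fragments(html):
    """Visible text fragments between tags, whitespace-normalised."""
    return {re.sub(r"\s+", " ", t).strip() for t in re.split(r"<[^>]+>", html)} - {""}


def suggest_indicators(authed_html, anon_html, username=None):
    """Return (logged_in, logged_out) candidate regexes: text present only in the
    authenticated fetch, and text present only in the anonymous fetch.
    Fragments containing the test username are dropped; they would not match
    for another account, so they make poor indicators."""
    authed, anon = _text_fragments(authed_html), _text_fragments(anon_html)

    def keep(frag):
        return username is None or username not in frag

    logged_in = sorted(re.escape(f) for f in authed - anon if keep(f))
    logged_out = sorted(re.escape(f) for f in anon - authed if keep(f))
    return logged_in, logged_out


def draft_auth_config(page_html, set_cookie_headers, authed_html, anon_html, username):
    """Combine the heuristics into a draft config (assumed key names, not ZAP's API)."""
    logins = [f for f in classify_forms(page_html) if f["kind"] == "login"]
    if not logins:
        return None
    form = logins[0]
    user_field = form["text_fields"][0] if form["text_fields"] else "username"
    pass_field = form["password_fields"][0]
    logged_in, logged_out = suggest_indicators(authed_html, anon_html, username)
    return {
        "loginUrl": form["action"],
        "loginRequestData": f"{user_field}={{%username%}}&{pass_field}={{%password%}}",
        "sessionCookie": pick_session_cookie(set_cookie_headers),
        "loggedInIndicator": logged_in[0] if logged_in else None,
        "loggedOutIndicator": logged_out[0] if logged_out else None,
    }


# Constructed sample input: a login page with a search box, a registration page,
# response cookies, and the home page fetched with and without a session.
LOGIN_PAGE = """<html><body><form action="/login" method="post">
<input type="text" name="user"><input type="password" name="pass"></form>
<form action="/search"><input type="text" name="q"></form></body></html>"""
REGISTER_PAGE = """<form action="/register" method="post"><input type="email" name="email">
<input type="password" name="pw1"><input type="password" name="pw2"></form>"""
SET_COOKIES = ["theme=dark; Path=/", "JSESSIONID=abc123; HttpOnly; Secure"]
AUTHED_HOME = "<nav><a href='/logout'>Logout</a></nav><p>Welcome, alice</p>"
ANON_HOME = "<nav><a href='/login'>Login</a></nav><p>Please sign in</p>"

if __name__ == "__main__":
    print(draft_auth_config(LOGIN_PAGE, SET_COOKIES, AUTHED_HOME, ANON_HOME, "alice"))
```

The password-field count is only a first cut: two or more password fields also matches change-password forms, and a single-page diff can surface per-user or time-varying text, which is why the example drops fragments containing the test username. Candidate indicators should still be confirmed against a second account or session before being relied on for a scan.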