Enhancement: Passive scan rule for anonymous requests #4602
Comments
You're going to need to be more specific.
Also there's already a weak auth passive scanner for basic and digest.
I want to alert on requests that do not have any authentication (missing
Doable, however there's a huge percentage of the web that uses form based authentication with no auth header. I'll knock together a passive script in a few hours. (It's 4am, I'm gonna try to get back to sleep for a bit ☺)
Sleep sounds like a good idea :) I can also write the scanner, maybe we can ignore form posts somehow (or alert on them only when the threshold is low).
This is un-tested, but I said I'd knock something together today so here it is:

anon-pasv-scanner.js

/**
 * This script checks whether resources (URLs) are successfully accessed (Status 200 - Ok)
 * on a request which did not have an Authorization header.
 *
 * Note: This is a passive script not an active script: As such the Authorization header
 * is not forcefully removed prior to making the request. This script will only alert if a
 * request is proxied (or initiated via the spider(s), etc) which does not have an Authorization
 * header, and subsequently passively scanned.
 */
function scan(ps, msg, src)
{
    // Alert metadata: on ZAP's numeric scales risk 1 = Low, reliability (confidence) 2 = Medium.
    var alertRisk = 1;
    var alertReliability = 2;
    var alertTitle = "Resource Allows Anonymous Access";
    var alertDesc = "The web/application server allowed access without any Authorization header on the request.";
    var alertSolution = "Ensure that the application appropriately requires authentication and authorization.";
    var cweId = 0;
    var wascId = 0;

    var url = msg.getRequestHeader().getURI().toString();
    // getHeaders() yields null (or an empty list, depending on ZAP version) when the header is absent.
    var headers = msg.getRequestHeader().getHeaders("Authorization");
    var noAuthHeader = (headers == null || headers.isEmpty());

    // Might want to check here to see if the URL is in scope: msg.isInScope()
    if (noAuthHeader && msg.getResponseHeader().getStatusCode() == 200)
    {
        // raiseAlert(risk, confidence, name, description, uri, param, attack, otherInfo, solution, evidence, cweId, wascId, msg)
        ps.raiseAlert(alertRisk, alertReliability, alertTitle, alertDesc, url, '', '', '', alertSolution, '', cweId, wascId, msg);
    }
}
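The script above alerts on every successful request that lacks an Authorization header, and the thread points out that most sites authenticate with forms and cookies instead. The following is an added example, not code from the thread or from ZAP: the same decision rewritten as plain Node.js over a simplified message object so it can be run offline, with the refinements discussed here (session cookies and form POSTs are not treated as anonymous, expected-anonymous paths are skipped) plus the later idea of flagging insecure authentication, here Basic credentials over cleartext HTTP. All identifiers, the cookie-name list, the path list and the sample messages are this example's own constructions.

```javascript
// Added example (not from the thread or from ZAP): "anonymous request succeeded"
// decision logic as plain Node.js over a simplified message object, so it runs
// offline without the ZAP API. All names below are this example's own.
'use strict';

// Request headers whose presence means the client presented credentials.
const AUTH_HEADERS = ['authorization', 'proxy-authorization'];

// Cookie names commonly used for server-side sessions (constructed list; extend per application).
const SESSION_COOKIE_RE = /^(sessionid|jsessionid|phpsessid|connect\.sid|asp\.net_sessionid|session|sid)$/i;

// Paths expected to be reachable anonymously; alerting on them is noise (constructed list).
const EXPECTED_ANONYMOUS = [/^\/login\b/, /^\/static\//, /^\/health$/];

// Lower-case header names so lookups are case-insensitive, as HTTP header names are.
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers || {})) {
    out[name.toLowerCase()] = String(value);
  }
  return out;
}

// True if any cookie in the Cookie header has a session-like name.
function hasSessionCookie(cookieHeader) {
  if (!cookieHeader) return false;
  return cookieHeader.split(';').some((pair) => SESSION_COOKIE_RE.test(pair.split('=')[0].trim()));
}

// msg: { method, url, statusCode, requestHeaders }. Returns { alert, reason }.
function classify(msg) {
  const h = normalizeHeaders(msg.requestHeaders);
  const { pathname: path, protocol: scheme } = new URL(msg.url);
  const authz = h['authorization'] || '';

  // Basic credentials are only base64-encoded: over http:// they are readable in transit.
  if (/^basic\s/i.test(authz) && scheme === 'http:') {
    return { alert: true, reason: 'basic credentials sent over cleartext http' };
  }
  if (msg.statusCode !== 200) {
    return { alert: false, reason: 'response was not 200' };
  }
  if (AUTH_HEADERS.some((name) => h[name])) {
    return { alert: false, reason: 'credentials present in request header' };
  }
  if (hasSessionCookie(h['cookie'])) {
    return { alert: false, reason: 'session cookie present (cookie-based auth)' };
  }
  const contentType = (h['content-type'] || '').toLowerCase();
  if (msg.method === 'POST' && contentType.startsWith('application/x-www-form-urlencoded')) {
    return { alert: false, reason: 'form post (likely a login form)' };
  }
  if (EXPECTED_ANONYMOUS.some((re) => re.test(path))) {
    return { alert: false, reason: 'path is expected to be anonymous' };
  }
  return { alert: true, reason: 'resource served 200 to a request with no credentials' };
}

// Constructed sample traffic, as a passive scanner would see it.
const SAMPLES = [
  { method: 'GET', url: 'https://app.example.test/api/users', statusCode: 200, requestHeaders: { Host: 'app.example.test' } },
  { method: 'GET', url: 'https://app.example.test/api/users', statusCode: 200, requestHeaders: { Authorization: 'Bearer tok_constructed' } },
  { method: 'GET', url: 'https://app.example.test/account', statusCode: 200, requestHeaders: { Cookie: 'theme=dark; JSESSIONID=abc123' } },
  { method: 'POST', url: 'https://app.example.test/login', statusCode: 200, requestHeaders: { 'Content-Type': 'application/x-www-form-urlencoded' } },
  { method: 'GET', url: 'https://app.example.test/api/users', statusCode: 401, requestHeaders: {} },
  { method: 'GET', url: 'http://legacy.example.test/admin', statusCode: 200, requestHeaders: { Authorization: 'Basic dXNlcjpwYXNz' } },
];

// Runs every sample through classify() and returns the results for inspection.
function runSamples() {
  return SAMPLES.map((msg) => ({ url: msg.url, method: msg.method, ...classify(msg) }));
}

for (const r of runSamples()) {
  console.log(`${r.alert ? 'ALERT ' : 'ok    '} ${r.method} ${r.url}: ${r.reason}`);
}
```

Of the six constructed samples only the first (no credentials, 200) and the last (Basic over http) produce an alert; the cookie-authenticated, bearer-token, form-login and 401 cases are suppressed, which is the noise reduction the thread asks for before such a check could be a regular rule.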
That looks promising :) This is not a rule, right? I need to add this script to ZAP? Also, why not create a regular rule?
I was just putting something together to get you going. You could make a normal java based passive scanner and add it to the alpha branch. Yes it's a script, you'd have to add it via the script tree and ensure it's enabled. Then make sure Script Passive Scanner is enabled in options.
Any reason not to use the Access Control Testing add-on? [1] (It also allows to raise alerts.) Seems more appropriate than a passive scanner (which will pretty much raise an alert on every page/site). [1] https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAccessControlConcepts
Another reason I implemented this as a script is because it seemed more like a minority case than the norm. I do not have stats to back me up, however, I feel that there are more uses of form/cookie based authentication than of the authorization header. @thc202 is right though, may as well use the Access Control Testing extension.
yeah, agree that this specific test is best as a script, and that hopefully the access control add-on is actually more useful :)
I'll try to play a bit with that add-on, I need to dig in and look how I can use it from code and if I can use it from a passive scan. If that will not work, I'll try the script. I agree this could be a minor use case, but worth asking. The security requirement (all endpoints must be authenticated) makes sense to me, guess I'm not the only one.
Ok, I was trying to play with both options. The access control plugin is a lot more complex than what I need, and the script approach is also complicated (see issue #4626). Can I create an addon for rules relevant only to Soluto? How can we distribute it?
Yes, you can definitely create an add-on :)
You can create an Active Scan policy and re-use it, via the API. You can also choose which passive scanners you want enabled or disabled and set that via the API. Which would include enabled Active or Passive scan scripts.
The problem is the enabled part - by default they won't be enabled.

My problem is that I want to have Zap running on any micro-services at Soluto. That is where I want to get to, and because of that - I want to do most of the customization on the Docker image, because there I have more control. All of them will use the same Docker image (which is this one) - and then, if I add a rule all the services will get it and start using it. This is why I'm trying so hard doing it without the API.
If you are using a custom docker image you could configure ZAP to your needs as well (e.g. bundle the scripts and tweak ZAP config.xml file to include/enable it)? Or that's not flexible enough?
That's what I tried (see the discussion on #4626), but it wasn't that simple. Basically, I need to choose what I prefer to implement - an addon, or a cmd option to load a script :)
I meant when building the image include the scripts and the custom config.xml to add/enable the script.
oh, I didn't know about that option - can you post on the other issue how to do that? Or a link to the wiki?
This is more a Docker change than ZAP, once you have the scripts and the config.xml file (e.g. created with the GUI) you can copy them when building the image to override the ones of the base image.
That was a good hint. Looking at the file generated by the GUI, it looks like I need something like that:

I should have mentioned this option as well :) |
Thanks for letting us know :) |
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs. |
As all anonymous requests might be a security issue, I would like to have a rule to detect such requests and report them.
Later this rule could also check for insecure authentication (basic, OAuth 1 etc) and alert also on those.
What do you think?