Add more features to Access Control Add-on

[njmulsqb]

Is your feature request related to a problem? Please describe.

No

Describe the solution you'd like

As discussed in https://groups.google.com/g/zaproxy-users/c/OzrzuhEWmHc new features need to be added to Access Control add-on to make it more useful in RBAC testing.

---

• Ability to just replace cookies/auth header: As of now add-on is using hard-core authentication to authenticate as another user (low-privileged) added in users section of each context but this could be made much simpler by just replacing the cookies of other user. Cookie/auth header can be fed into ZAP by the user manually. This can help with app's having tricky authentication that ZAP can't help with.
• Testing access control on the run: Add-on demands mentioning the permissions for each URL endpoint for each user which can become daunting for bigger site trees. Also, in some cases the URL endpoint might not be in the site tree or you might not know if the user should be allowed to access it or not for example in case of some API calls, so populating the tree first, then defining the access rules and then launching the attack is not feasible. Access control add-on should allow the user to test the access control issues while the user browses through different areas of web app
  • It should see if both the requests (the one using high priv user Vs. the one using low priv user) have response of same length and status code then it should show this as red indicating that this could be a possible access control issue.
• Ability to Copy URL: User should be able to copy the URL from the access control tab of each request. - accessControl: Various tweaks or enhancements zap-extensions#5317
• Highlight the requests: In the add-on tab, there should be option to add colors/notes to each request.
• Testing a single URL again: What if I want to test one specific URL again? It seems like I need to run the whole attack again which isn't very ideal.
• Import/Export Add-on State: I would love if I have the feature to save state of add-on and export it in file and later be able to import it. Saving the whole session for it again isn't ideal when that feature also doesn't work well with bigger files.
• Add Export Button to Output Panel: It an currently be copy/pasted but should have export like other tables. (Similar to: bruteforce: Add export button zap-extensions#2071) - accessControl: Various tweaks or enhancements zap-extensions#5317
• Title Caps: Looks like the add-on could also use some General - Fix Title Caps #2000 tweaks - accessControl: Various tweaks or enhancements zap-extensions#5317
  
• Output Font Consistency?: It seems like the output table specifically sets the font smaller then other general font use in ZAP - accessControl: Various tweaks or enhancements zap-extensions#5317
  
  https://github.com/zaproxy/zap-extensions/blob/6a4f8bc7de3381c08f976d85da1518561ec71d5b/addOns/accessControl/src/main/java/org/zaproxy/zap/extension/accessControl/view/AccessControlStatusPanel.java#L124 ➡ Specifically sets 11pt
  https://github.com/zaproxy/zap-extensions/blob/6a4f8bc7de3381c08f976d85da1518561ec71d5b/addOns/accessControl/src/main/java/org/zaproxy/zap/extension/accessControl/view/AccessControlStatusPanel.java#L148 ➡ Specifically sets 11pt
• Testing unauthenticated requests: With access control add-on it should also have option to send requests without any cookie or auth to the endpoint to see if it is still accessible or not. Though it's rare but I have seen cases where authenticated pages allowed access without authentication as well.

Describe alternatives you've considered

Autorize, Autorepeater Burp Extensions

Screenshots

No response

Additional context

No response

Would you like to help fix this issue?

• Yes

[kingthorin]

Tracker'ified 😀

[kingthorin]

but this could be made much simpler by just replacing the cookies of other user. Cookie/auth header can be fed into ZAP by the user manually. This can help with app's having tricky authentication that ZAP cant help with.

That would require the user to ensure (somehow) that the session/cookie didn't invalidate as ZAP would have no way to re-auth.

If you have actual examples of auth ZAP can't handle please provide them in other tickets.

[njmulsqb]

That would require the user to ensure (somehow) that the session/cookie didn't invalidate as ZAP would have no way to re-auth.

Yes, this doesnt hurt much tbh, while testing I start getting 403 or 302 to login page which shows cookie has expired so I just replace it in autorize. This can be an optional feature on top of current working of auth.

If you have actual examples of auth ZAP can't handle please provide them in other tickets.

I dont know if its ZAP not handling auth well or me not handling ZAP well, but nevertheless I am struggling with it and has already posted at https://groups.google.com/g/zaproxy-users/c/33ZGm6r-k-8

[kingthorin]

Added a few more tasks.

[njmulsqb]

Added one more task

[thc202]

It's already possible to test with unauthenticated user.