Feature: add authenticated scans

[hazcod]

Add the necessary input variables to configure the ZAP authentication toggles to perform authenticated scans in your pipeline.

.e.g.

  zap_scan_cluster:
    runs-on: ubuntu-latest
    name: Scan k8s cluster
    steps:
      - name: ZAP Scan
        uses: zaproxy/action-full-scan@v0.2.0
        with:
          issue_title: Vulnerability Scan Results
          token: ${{ secrets.GITHUB_TOKEN }}
          docker_name: owasp/zap2docker-weekly
          target: https://cluster.ironpeak.be/
          rules_file_name: .github/zap.ignore
          cmd_options: '-a'
          
          http_login_form: '/app/login'
          http_login_http_username: 'testuser'
          http_login_http_password: ${{ secrets.ZAP_USER_PW }}

[psiinon]

Would definitely like to see this, but its not a simple as that ;)

[mmogy]

You can run authenticated scans by supplying a context file via cmd_options.

1. Using ZAP Desktop, create and configure a context
2. Export the context to a file (File > Export Context...)
   a. ⚠️ This file may contain credentials! ⚠️ If you configured passwords into the context, they will be present in the file in base64-encoded format. You should manually edit the context file to replace them with a placeholder string.
3. After removing all base64-encoded passwords, add the context file to the repository where the ZAP Action is running
4. Set up secrets in your repository containing the original base64-encoded passwords from the context file. These are properly encrypted within GitHub.
5. Configure your ZAP Action to read the secrets, place them into the context file, and feed the context file to the runner.

Example:

...
    steps:
      # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
      - name: Checkout
        uses: actions/checkout@v2
      - name: Context Setup
        env:
          # Set a previously defined secret as an environment variable for this step:
          B64PASSWORD: ${{secrets.B64PASSWORD}}
        # Replace the "PLACEHOLDER" string in the context file with the real base64-encoded password:
        run: |
          sed -ie "s/PLACEHOLDER/${B64PASSWORD}/" $GITHUB_WORKSPACE/ctx_file.context
      - name: OWASP ZAP Full Scan
        uses: zaproxy/action-full-scan@v0.2.0
        with:
          target: http://example.com
          # Additional command line options
          # -j   runs the AJAX spider
          # -U   specifies which user to select from the context file
          cmd_options: -j -U "my_username" -n /zap/wrk/ctx_file.context

[bhojrajjoshi2020]

@mmogy That's really a good starter to automate authenticated scan. It would be helpful if you can guide me on the below similar scenario as well.

I am trying to automate the docker implementation of ZAP proxy to target some of my token based web applications, which use Amazon Cognito for authentication and authorization.

Since, the target app need token as Authorization header, on ZAP Desktop application it can be done through "Authentication" and "HttpSender" scripts for fetching token from Cognito and placing it in each HTTP request of the URLs being scanned respectively.

However, for ZAP Docker, I can send a context file to it using "-n" flag, the file will also contain a reference to the "Authentication" script that I would create to fetch the token from Cognito. But I do not find a way to bind "HttpSender" script with context file or any flag that takes this file from the provided list of options given in the link above.

So, the questions are:

1. Can I use additional libraries such as AWS SDK to refer within Authentication script? How can I pass them to the ZAP Docker container so that the script can reference it at runtime?
2. Is there a way to send HttpSender script, or any other way, to put the token in each scan request?

[bhojjoshi]

@psiinon @thc202 @hazcod @mmogy Any thoughts or directions on the above question on authenticated scan?

[bhojjoshi]

This has been replied and commented here: https://groups.google.com/g/zaproxy-develop/c/mGw2we8fcIk

[tony]

While it doesn't work with docker, https://github.com/ICTU/zap-baseline has a CLI flow with form authentication and Bearer token auth.

I created an issue there asking about their docker image supporting GitHub actions: ICTU/zap2docker-auth-weekly#41

[saaduddin-ansari-sada]

Hi All, can someone suggest an end-to-end workflow for zap scan using authentication ? anything works , either github action or via docker . thanks