I'm automating security scans by proxying my UI tests via ZAP. For each security scan run, a new ZAP session is created and requests are proxied.

In our app, the access token from the login API's response is set in the authentication header for authentication purposes. When I proxy my tests via ZAP, headers are also recorded and stored in ZAP along with the request payload, URL, etc.

If

  1. the token recorded by ZAP along with the request is still valid during the active scan (not expired or invalidated)
  2. headers are excluded from ascan attack vectors (which is the default setting)

I was assuming I can get the active scan to work on APIs (which also require authentication) without setting authentication, users, forced users, session management, etc. in the Context.

I'm not sure how to validate this!

Can anyone help with the below?

  1. Is my above assumption that "the header recorded is good enough for ZAP to ascan" correct in my scenario? (Only the payload, params, etc. will be tampered with.)
  2. What's the advantage of setting authentication, users, forced users, session management, etc. in the Context for an automated security scan?

Thank you in advance.

1 Answer

Authentication is a pain. A complete pain. There are so many different ways that apps authenticate, and all apps have their own quirks. If the token remains valid then yes, in theory that should be OK. But how you validate this will completely depend on your app. What does it do if the token is invalid? Will it return 403? You can use ZAP stats to work out if it looks like the requests are authenticated, and if ZAP doesn't currently record the stats you need then you can add them via scripts.

The advantage of setting authentication etc etc is that when set correctly then ZAP should detect if a token is invalidated (which happens all too often when attacking an app) and can then reauthenticate.

Handling authentication is hard (not just in ZAP, but in all security tools). For more help you're probably better off asking on the ZAP user group: https://groups.google.com/group/zaproxy-users

Also have a look at the ZAP in Ten video series - esp. the ADDO Workshop ones where I go into authentication in a lot more detail: https://www.alldaydevops.com/zap-in-ten
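One concrete way to do the validation the answer describes, as an added example that is not part of the original question or answer and not code from the ZAP project: after the active scan has finished, pull the HTTP messages ZAP recorded for the API's base URL through the ZAP API (`core/view/messages`, with `apikey`, `baseurl`, `start` and `count` parameters) and tally the response status codes. If the recorded token stayed valid, the scan traffic should look like the proxied UI-test traffic; a spike in token-rejection responses means the assumption did not hold for that run. The ZAP address, API key, API base URL and the choice of 401/403 as "token rejected" are all assumptions here, as is the 5% failure threshold; check how your own app answers an invalid token before trusting the codes.

```python
"""Check whether active-scan traffic stayed authenticated with the recorded token.

Added example (not from the original post or the ZAP project). Assumptions,
all placeholders to adapt: ZAP's API listens on http://localhost:8080, the API
key is "changeme", the API under test lives under https://api.example.test/,
and a rejected token comes back as 401 or 403.
"""
import json
import re
import urllib.parse
import urllib.request
from collections import Counter

ZAP_API = "http://localhost:8080"           # assumption: ZAP's default API address
ZAP_API_KEY = "changeme"                    # assumption: placeholder API key
API_BASE_URL = "https://api.example.test/"  # assumption: the API under test
AUTH_FAILURE_CODES = {401, 403}             # assumption: how the app rejects a bad token

# First line of a raw HTTP response header, e.g. "HTTP/1.1 401 Unauthorized"
STATUS_LINE = re.compile(r"^HTTP/\d(?:\.\d)?\s+(\d{3})")


def status_code(response_header):
    """Return the status code from a raw response header, or None if there is none."""
    match = STATUS_LINE.match(response_header or "")
    return int(match.group(1)) if match else None


def tally_statuses(messages, since_id=0):
    """Count response status codes for recorded messages whose id is > since_id.

    Messages without a response (timeouts, dropped connections) are counted
    under "no-response" so they are not silently lost from the total.
    """
    counts = Counter()
    for msg in messages:
        if int(msg.get("id", 0)) <= since_id:
            continue
        code = status_code(msg.get("responseHeader", ""))
        counts[code if code is not None else "no-response"] += 1
    return counts


def auth_looks_intact(counts, max_failure_ratio=0.05):
    """True if auth-failure responses stay within the allowed share of all responses.

    An empty tally fails the check: if nothing was recorded, the scan never
    exercised the API and the assumption has not been validated.
    """
    total = sum(counts.values())
    if total == 0:
        return False
    failures = sum(n for code, n in counts.items() if code in AUTH_FAILURE_CODES)
    return failures / total <= max_failure_ratio


def fetch_messages(base_url, start=0, count=1000):
    """Pull the messages ZAP recorded for base_url from a running ZAP instance."""
    query = urllib.parse.urlencode(
        {"apikey": ZAP_API_KEY, "baseurl": base_url, "start": start, "count": count}
    )
    with urllib.request.urlopen(f"{ZAP_API}/JSON/core/view/messages/?{query}") as resp:
        return json.load(resp)["messages"]


def _msg(mid, response_header):
    # Constructed sample record, trimmed to the fields used above.
    return {"id": str(mid), "responseHeader": response_header}


# Constructed sample data: ids 1-2 stand in for the proxied UI-test requests,
# ids 3-9 for active-scan traffic during which the token stopped being accepted.
SAMPLE_MESSAGES = [
    _msg(1, "HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n"),
    _msg(2, "HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n"),
    _msg(3, "HTTP/1.1 200 OK\r\n"),
    _msg(4, "HTTP/1.1 200 OK\r\n"),
    _msg(5, "HTTP/1.1 500 Internal Server Error\r\n"),
    _msg(6, "HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Bearer\r\n"),
    _msg(7, "HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Bearer\r\n"),
    _msg(8, "HTTP/1.1 403 Forbidden\r\n"),
    _msg(9, ""),  # request sent, no response recorded
]


if __name__ == "__main__":
    # 1. Before starting the active scan, note the last recorded id so the
    #    tally covers scan traffic only, not the proxied UI-test requests.
    last_id = max((int(m["id"]) for m in fetch_messages(API_BASE_URL)), default=0)
    # 2. Start the active scan (ascan/action/scan) and wait for it to finish.
    # 3. Then tally what the scanner got back:
    counts = tally_statuses(fetch_messages(API_BASE_URL, count=10000), since_id=last_id)
    print(dict(counts))
    print("scan stayed authenticated:", auth_looks_intact(counts))
```

Run this against the sample data and the scan portion (ids 3 to 9) shows two 401s and one 403 out of seven responses, so `auth_looks_intact` returns False: the token was invalidated partway through and anything scanned after that point was tested as an unauthenticated client. With a per-site status code filter this is the same signal the answer suggests reading from ZAP's stats; pulling the messages directly just lets you scope it to the API base URL and to the scan window.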