An authenticated ZAP scan is vulnerability testing performed as an authenticated, or “logged in”, user. Deepfactor ZAP scans support four types of authentication:
Deepfactor Intercepted Token
An authentication header or token intercepted by Deepfactor is reused by the scanner.
Custom Token Authorization
A custom HTTP Authorization token, or value, may be specified.
Form
Using an HTML form template, Deepfactor will pass the form and user credentials to the ZAP scan service.
- To use the Form, select Existing Web Service, Custom scan configuration type, Host, Web Scan, and Scan Strength.
- Specify the URIs to include or exclude, and select “Form” for Authentication Type and Logon URI.
- Enter a Username and Password and Form Data.
Note: Please see Deepfactor vs. ZAP Form/Script Authentication Differences.
Supporting OWASP documentation: ZAP Form Authentication.
https://www.zaproxy.org/docs/api/#form-based-authentication
Script
Deepfactor can pass a custom JavaScript authentication script, together with the user credentials, to the ZAP scan service.
- To implement scans with a Script, first select Existing Web Service, Custom scan configuration type, Host, Web Scan, and Scan Strength.
- Next, specify the URIs to include or exclude, and select “Script” for Authentication Type and Logon URI.
- Enter a Username and Password, the Log In and Log Out indicators, and click Start Scan.
Note: Please see Deepfactor vs. ZAP Form/Script Authentication Differences.
Supporting OWASP documentation: ZAP Script Authentication:
https://www.zaproxy.org/docs/api/#script-based-authentication
Sample Scripts
https://github.com/zaproxy/zap-api-docs/tree/master/source/scripts
https://github.com/zaproxy/community-scripts/tree/master/authentication
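As an added illustration, not Deepfactor's or ZAP's own code, this is the shape of a script-based authentication script that Deepfactor could pass to ZAP. It implements ZAP's JavaScript authentication interface (authenticate, getRequiredParamsNames, getOptionalParamsNames, getCredentialsParamsNames), POSTs the username and password to a login URL supplied as a script parameter, and returns the response so ZAP can apply the Log In / Log Out indicators. The parameter name loginUrl and the form field names username/password are assumptions for this example; in Deepfactor the loginUrl value would be written with the {%df_virtual_host%} literal described under the Differences section so the request is routed through the scan proxy.

```javascript
// Added example, not Deepfactor's or ZAP's own code: a minimal script-based
// authentication script in the shape ZAP expects. The parameter name "loginUrl"
// and the form field names "username"/"password" are assumptions for this example.

// Build the application/x-www-form-urlencoded login body from the credentials
// ZAP hands the script; kept as a plain function so it can be unit-tested outside ZAP.
function buildLoginBody(username, password) {
  return "username=" + encodeURIComponent(username) +
         "&password=" + encodeURIComponent(password);
}

// ZAP calls this for each (re)authentication. "helper" is ZAP's AuthenticationHelper,
// "paramsValues" holds the script parameters set in the Context (in Deepfactor the
// loginUrl value would be written as http://{%df_virtual_host%}/login so the request
// goes through the scan proxy), and "credentials" holds the user's username/password.
function authenticate(helper, paramsValues, credentials) {
  // ZAP runs scripts on the JVM, so the Java types are resolved here rather than
  // at load time; this keeps buildLoginBody testable in a plain JS runtime.
  var HttpRequestHeader = Java.type("org.parosproxy.paros.network.HttpRequestHeader");
  var HttpHeader = Java.type("org.parosproxy.paros.network.HttpHeader");
  var URI = Java.type("org.apache.commons.httpclient.URI");

  var loginUrl = paramsValues.get("loginUrl");
  var body = buildLoginBody(credentials.getParam("username"),
                            credentials.getParam("password"));

  var msg = helper.prepareMessage();
  msg.setRequestHeader(new HttpRequestHeader(HttpRequestHeader.POST,
                                             new URI(loginUrl, false),
                                             HttpHeader.HTTP11));
  msg.getRequestHeader().setHeader(HttpHeader.CONTENT_TYPE,
                                   "application/x-www-form-urlencoded");
  msg.setRequestBody(body);
  msg.getRequestHeader().setContentLength(msg.getRequestBody().length());

  // Send the login request; ZAP keeps the session state from the response and
  // applies the Logged In / Logged Out indicators configured in the scan form.
  helper.sendAndReceive(msg);
  return msg;
}

// Parameter names ZAP shows for the script; Deepfactor fills these from its scan form.
function getRequiredParamsNames() { return ["loginUrl"]; }
function getOptionalParamsNames() { return []; }
function getCredentialsParamsNames() { return ["username", "password"]; }
```

The credentials are URL-encoded before being placed in the body so that characters such as @, & or spaces in a password do not break the form encoding; the same script can then be used unchanged across environments by changing only the loginUrl parameter.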
Deepfactor vs. ZAP Form/Script Authentication Differences
- Only JavaScript scripts are currently supported.
- Specify URI paths rather than full URLs in the field options.
- Deepfactor routes scan requests through a proxy that uses a virtual application (web service) hostname. If a script needs a full URL in order to scrape a page or construct a request from a Script parameter, use the string literal below in any Script parameter value:
{%df_virtual_host%}
- Deepfactor Include and Exclude URI expressions for the ZAP Context: Deepfactor converts URI path expressions to ZAP URL expressions. The default included URI expression, if none is supplied, is:
/.*
Deepfactor automatically prepends the resolved
http://{%df_virtual_host%}
to each URI expression if {%df_virtual_host%} is not already present in the expression.
- Deepfactor also auto-includes the LogInURI and LogInPageURI in the ZAP Context.
Exclude URIs: a regular expression used to match and exclude paths from the ZAP spider and scan.
Deepfactor Exclude URI is a general-purpose feature to prevent ZAP from spidering or scanning a given URI path on a web service. It can be used to stop the scanner from triggering a logout, or to avoid endpoints that adversely affect scan performance.
Unlike ZAP Exclude URL regular expressions, Deepfactor Exclude URI paths must not include the protocol://host:port in the expression, and must not start with a line-start anchor[1], unless ‘host’ is replaced with {%df_virtual_host%}.
[1] '\A' or '^'
Supporting OWASP documentation: ZAP Scan General Steps https://www.zaproxy.org/docs/api/#general-steps
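The following is an added example, not Deepfactor's or ZAP's own code, showing how the Include/Exclude URI rules above map onto ZAP Context URL expressions: the default include when none is given, the auto-included logon URI, the http://{%df_virtual_host%} prefix added unless the literal is already present, and a pre-submission check that an Exclude URI contains no protocol://host:port and no leading anchor. It also resolves the literal to a hostname and tests sample URLs the way a full-match Context regex would, so you can see that excluding /logout.* keeps the spider off the logout endpoint. Function names, the sample host app.local and the sample paths are this example's own.

```javascript
// Added example, not Deepfactor's or ZAP's own code: how Deepfactor's Include/Exclude
// URI expressions map onto ZAP Context URL regexes, with a pre-submission check for
// the Exclude URI rules. Function names and the sample host are this example's own.
const DF_VIRTUAL_HOST = "{%df_virtual_host%}";
const DEFAULT_INCLUDE_URI = "/.*";

// A URI path expression becomes a ZAP URL expression by prepending
// http://{%df_virtual_host%}, unless the literal is already in the expression.
function toZapUrlExpression(uriExpr) {
  if (uriExpr.includes(DF_VIRTUAL_HOST)) return uriExpr;
  return "http://" + DF_VIRTUAL_HOST + uriExpr;
}

// Exclude URI rules: no protocol://host:port and no leading line-start anchor,
// unless the expression itself uses {%df_virtual_host%} in place of the host.
function checkExcludeUri(expr) {
  if (expr.includes(DF_VIRTUAL_HOST)) return { ok: true };
  if (/^[a-z][a-z0-9+.-]*:\/\//i.test(expr)) {
    return { ok: false, reason: "must not contain protocol://host:port" };
  }
  if (expr.startsWith("^") || expr.startsWith("\\A")) {
    return { ok: false, reason: "must not start with a line anchor (^ or \\A)" };
  }
  return { ok: true };
}

// Build the ZAP Context lists: the default include when none is given, the logon
// URI auto-included, and every exclude validated before conversion.
function buildZapContext(includeUris, excludeUris, logonUri) {
  const includes = includeUris.length ? [...includeUris] : [DEFAULT_INCLUDE_URI];
  if (logonUri && !includes.includes(logonUri)) includes.push(logonUri);
  for (const e of excludeUris) {
    const r = checkExcludeUri(e);
    if (!r.ok) throw new Error('Exclude URI "' + e + '": ' + r.reason);
  }
  return {
    includeRegexes: includes.map(toZapUrlExpression),
    excludeRegexes: excludeUris.map(toZapUrlExpression),
  };
}

// Resolve {%df_virtual_host%} to the proxy's virtual hostname and compile the
// expression as a full-URL regex (Context regexes must match the whole URL).
function compileResolved(expr, virtualHost) {
  const escapedHost = virtualHost.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
  return new RegExp("^(?:" + expr.split(DF_VIRTUAL_HOST).join(escapedHost) + ")$");
}

// A URL is spidered/scanned only if some include matches and no exclude does.
function isInScope(ctx, virtualHost, url) {
  const hit = (list) => list.some((expr) => compileResolved(expr, virtualHost).test(url));
  return hit(ctx.includeRegexes) && !hit(ctx.excludeRegexes);
}

// Constructed sample: no explicit includes, exclude the logout endpoint so the
// spider cannot end the authenticated session, logon URI auto-included.
const sampleContext = buildZapContext([], ["/logout.*"], "/login");
console.log(sampleContext);
console.log(isInScope(sampleContext, "app.local", "http://app.local/logout")); // false
```

Run it with node; the check in checkExcludeUri is the one to apply before submitting a scan configuration, since an exclude written as a full URL or with a leading ^ would never match once the http://{%df_virtual_host%} prefix is prepended, and the logout endpoint would then be spidered after all.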