ICTU / zap2docker-auth-weekly

Zap baseline scanner in Docker with authentication
Apache License 2.0

Add Azure Active Directory Scan with Oauth2 #24

Open CurlyBytes opened 3 years ago

CurlyBytes commented 3 years ago

Hi, I stumbled upon your article and was amazed at how you customized the scripts (not a Python developer here).

Do you have any example of how to do it for a Single Sign On scan application? For example using Azure Active Directory, by supplying client id, client password/secret and scope.

Thanks a lot

dicksnel commented 3 years ago

Hi @cocoytech , do you have an example app I can test with?

This should already be supported, you can provide the login URL and the hook will try to login.

CurlyBytes commented 3 years ago

> Hi @cocoytech , do you have an example app I can test with?
>
> This should already be supported, you can provide the login URL and the hook will try to login.

This application is using single sign on, but 2 things matter:

dicksnel commented 3 years ago

@cocoytech so if I understand it correctly you would like a feature that:

CurlyBytes commented 3 years ago

@dicksnel Exactly, thank you for this one sir, it would be valuable to us as a nonprofit organization gearing up for digital transformation.

JossSparkesAnswer commented 2 years ago

@dicksnel I'm aware you're already working on this; I'd just like to second that it would be very useful. Currently trying to do the same flow but getting the token from AWS Cognito. Thanks for the work, let me know if you need any testing done and I'd be happy to help.

I will list the curl request that can be used to get the token below if that is useful for you


curl --location --request POST $COGNITOURL \
--header 'x-amz-target: AWSCognitoIdentityProviderService.InitiateAuth' \
--header 'Content-Type: application/x-amz-json-1.1' \
--data-raw '{
    "AuthFlow": "USER_PASSWORD_AUTH",
    "ClientId": "'"$CLIENT_ID"'",
    "AuthParameters": {
        "USERNAME": "'"$USERNAME"'",
        "PASSWORD": "'"$PASSWORD"'"
    },
    "ClientMetadata": {}
}'
dicksnel commented 2 years ago

@JossSparkesAnswer I think it will get too complex to make a generic implementation for this. I'm thinking you could run the curl command before starting zap and then passing the response as a parameter to the docker run command. Then the auth plugin will parse the response and add the token to all requests.

Something like this:

response=$(curl xxx)
docker run ... -z auth_token_response="$response"

Can you post an example response that will be returned by Cognito?

JossSparkesAnswer commented 2 years ago

> @JossSparkesAnswer I think it will get too complex to make a generic implementation for this. I'm thinking you could run the curl command before starting zap and then passing the response as a parameter to the docker run command. Then the auth plugin will parse the response and add the token to all requests.
>
> Something like this:
>
> response = curl xxx
> docker run ... -z auth_token_response=$response
>
> Can you post an example response that will be returned by Cognito?

@dicksnel that makes sense, this was what I was trying to originally achieve but could not figure out how to pass the code through. Being able to pass it through would probably solve all the Oauth2 issues. So the full bash command we use is

curl --location --request POST "$COGNITOURL" \
--header 'x-amz-target: AWSCognitoIdentityProviderService.InitiateAuth' \
--header 'Content-Type: application/x-amz-json-1.1' \
--data-raw '{
    "AuthFlow": "USER_PASSWORD_AUTH",
    "ClientId": "'"$CLIENT_ID"'",
    "AuthParameters": {
        "USERNAME": "'"$USERNAME"'",
        "PASSWORD": "'"$PASSWORD"'"
    },
    "ClientMetadata": {}
}' | jq '.AuthenticationResult.IdToken' | xargs

This spits out just the section after "Bearer" in the auth token e.g.


eyJraxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx-xxxxxxxxxxxxxxxxxxxxxx-xxxxxxxxxxxxxxxxxxxxxxxxxxxx
dicksnel commented 2 years ago

@JossSparkesAnswer in that case I could add an extra config parameter, for example auth.bearer_token=eyJrxxxx. Using this the authentication module will not attempt to perform authentication but will just force the token on each request. Would that resolve this for you?

JossSparkesAnswer commented 2 years ago

@dicksnel yeah I’m pretty sure that will work perfectly for my instance, thanks

dicksnel commented 2 years ago

@JossSparkesAnswer I just added the param auth.bearer_token. Could you give this a try? If you pass it a JWT token (eyJ...) it should force this token as the Authorization: Bearer on all requests.

The Docker image is still building; when it is done you can pull it: https://hub.docker.com/r/ictu/zap2docker-weekly/tags?page=1&ordering=last_updated

JossSparkesAnswer commented 2 years ago

@dicksnel Thanks for the quick work!

It seems to not be working atm here. A little hard to debug but I think I may have a guess on the issue.

Our webpage is very dumb and the API in the back does all the work. So I pointed the target to the frontend e.g. "-t https://{url}/projects" and I presume the authorization header gets added there which is fine but it doesn't actually authorize anything

Typically then the API is called which needs the authorization header e.g. {apiURL}/project. I have included this in my auth.include with the base url and a wildcard after but I wonder if the authorization header is only being added to the target or if it is to all requests?

dicksnel commented 2 years ago

@JossSparkesAnswer auth.include was intended for this, but maybe there is a bug. I will try to setup a test environment and discover why it is not working.

JossSparkesAnswer commented 2 years ago

@dicksnel let me know if there is anything more I could do. I can send you debug logs I would just have to remove all sensitive data
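The behaviour discussed above (a fixed bearer token forced onto every request whose URL falls inside auth.include, not only the -t target) as an added, stand-alone illustration in Python; this is not the repository's hook code. It assumes the include list is a list of regular expressions, uses constructed hostnames, and adds the one check a scan operator wants before a long run: how much lifetime the JWT's exp claim has left (the payload is decoded without signature verification, which is all that is needed to read exp).

```python
import base64
import json
import re
import time

# Constructed sample include list (not from the thread): the "dumb" frontend
# and the API behind it, so the header also reaches {apiURL}/project calls.
INCLUDE_PATTERNS = [r"https://app\.example\.test/.*", r"https://api\.example\.test/.*"]


def url_in_scope(url, patterns=INCLUDE_PATTERNS):
    """True when the request URL fully matches any auth.include regex."""
    return any(re.fullmatch(p, url) for p in patterns)


def jwt_payload(token):
    """Decode the middle segment of a compact JWT (eyJ...). No signature check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    seg = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(seg))


def token_seconds_left(token, now=None):
    """Seconds until the token's exp claim; negative means it already expired."""
    now = time.time() if now is None else now
    return jwt_payload(token).get("exp", 0) - now


def add_bearer(headers, url, token, patterns=INCLUDE_PATTERNS):
    """Return a copy of headers with Authorization: Bearer set for in-scope URLs."""
    out = dict(headers)
    if url_in_scope(url, patterns):
        out["Authorization"] = "Bearer " + token
    return out


def make_sample_token(exp, subject="scanner"):
    """Build an unsigned sample JWT for offline demonstration (constructed data)."""
    def b64(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return b64({"alg": "none", "typ": "JWT"}) + "." + b64({"sub": subject, "exp": exp}) + "."


if __name__ == "__main__":
    tok = make_sample_token(int(time.time()) + 3600)
    print("seconds left:", int(token_seconds_left(tok)))
    print(add_bearer({"Accept": "application/json"}, "https://api.example.test/project", tok))
```

Running it with a real IdToken from the curl pipeline above lets you confirm before launching the scan that the token will outlive the run.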

erno1978 commented 3 months ago

Hello @JossSparkesAnswer / @CurlyBytes We are currently reviewing if there's still a use case for this repository because in the meanwhile, ZAP seems to have included the same functionality. Do you (still) have a specific reason to use this repository instead of the "original ZAP"?

Sorry this answer took 2.5 years, but there's been a small shift in people working on this repository. :-)