zaproxy / action-baseline

A GitHub Action for running the ZAP Baseline scan
Apache License 2.0

Automation Framework - compatible with config file / basic auth? #68

Open a-h opened 2 years ago

a-h commented 2 years ago

I'm using the ZAP baseline action to scan an application that, in the testing environment, is protected by basic auth.

I documented how to do this here: https://adrianhesketh.com/2020/07/07/owasp-baseline-scan-with-basic-auth-in-docker-github-actions/

It requires the use of a config file:

# ZAP -configfile reads a properties file; "#" lines are comments.
# Rule 0: replace the Authorization request header on every request.
replacer.full_list(0).description=auth1
replacer.full_list(0).enabled=true
replacer.full_list(0).matchtype=REQ_HEADER
replacer.full_list(0).matchstr=Authorization
replacer.full_list(0).regex=false
# base64 of "user:password" with no trailing newline: encode with printf or
# echo -n, since plain echo yields ...ZAo=, which decodes to "user:password\n".
replacer.full_list(0).replacement=Basic dXNlcjpwYXNzd29yZA==

And setting the parameter to use it.

When I tried out the same approach this year, I got the following errors:

Digest: sha256:e2b5720d9cccfea0f2aa3b3e83bc1acd26345b949fcc3a4e60aa916cb2d5989f
Status: Downloaded newer image for owasp/zap2docker-stable:latest
2021-11-29 12:12:25,469 Could not find custom hooks file at /home/zap/.zap_hooks.py
Using the Automation Framework
Downloading add-on from: https://github.com/zaproxy/zap-extensions/releases/download/pscanrulesBeta-v27/pscanrulesBeta-beta-27.zap
Add-on downloaded to: /home/zap/.ZAP/plugin/pscanrulesBeta-beta-27.zap
Automation plan failures:
        Job spider failed to access URL https://xxxxxx/ status code returned : 404 expected 200
2021-11-29 12:12:45,217 Failed to access summary file /home/zap/zap_out.json

However, bypassing the Automation Framework with the --autooff flag got me the expected results - a working scan.

docker run -v $(pwd):/zap/wrk/ -t owasp/zap2docker-stable zap-baseline.py \
    -t https://xxxxxxxxxxxxxxx \
    -z "-configfile /zap/wrk/zap/options.prop" --autooff

Not sure how to proceed....

cruddasj commented 2 years ago

@a-h - I've spent the morning looking at the same issue (site behind basic auth) and have configured the below (which draws the basic auth base64 hash from a github secret).

Building on your posted solution from last year, this is a slightly different tack in that it doesn't require a config file (as the args are all supplied through command options).

It's a little ugly - but in positive news - it does work with the ZAP Github actions out of the box and avoids secrets needing to be stored in files 👍

uses: zaproxy/action-baseline@v0.6.1
with:
  target: 'https://xyz.com'
  token: ${{ secrets.GH_ACCESS_TOKEN }}
  # Folded scalar: YAML joins these lines with single spaces, so ZAP receives
  # one -z string. The closing double quote after the replacement option is
  # needed to balance the one opened after -z.
  cmd_options: >-
    -z "-config replacer.full_list(0).description=auth1
    -config replacer.full_list(0).enabled=true
    -config replacer.full_list(0).matchtype=REQ_HEADER
    -config replacer.full_list(0).matchstr=Authorization
    -config replacer.full_list(0).regex=false
    -config replacer.full_list(0).replacement=\"Basic ${{ secrets.<<github-repo-secret-name-for-base64-auth-hash>>}}\""
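The two approaches in this thread (the replacer rule in a properties file for -configfile, and the same rule passed as -config options) as one shell wrapper. This is an added example, not code from the issue or from the zaproxy project; the variable names ZAP_TARGET, ZAP_USER and ZAP_PASS, the file name zap/options.prop and the pre-flight curl check are assumptions. It also encodes the credential itself with printf, so the trailing newline that `echo user:password | base64` adds (the ...ZAo= form) never ends up in the header.

```shell
#!/bin/sh
# Added example: a shell wrapper around the two approaches in this thread.
# It is not code from the issue or from the zaproxy project; ZAP_TARGET,
# ZAP_USER, ZAP_PASS and the file name zap/options.prop are assumed names.
set -eu

# Base64-encode "user:password" for the Basic credential. printf, not echo,
# so no trailing newline is encoded: `echo user:password | base64` yields
# "dXNlcjpwYXNzd29yZAo=", which decodes to "user:password\n" and is not the
# credential the server expects.
basic_credential() {
  printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# The replacer rule as -config options (cruddasj's approach), built as one
# string for zap-baseline.py's -z argument. The replacement contains a
# space, so that option is double-quoted as in cruddasj's workflow; this
# relies on zap-baseline.py honouring shell-style quoting inside -z. If it
# does not, the properties file (write_replacer_propfile) avoids the issue.
replacer_config_args() {
  printf '%s ' \
    '-config replacer.full_list(0).description=auth1' \
    '-config replacer.full_list(0).enabled=true' \
    '-config replacer.full_list(0).matchtype=REQ_HEADER' \
    '-config replacer.full_list(0).matchstr=Authorization' \
    '-config replacer.full_list(0).regex=false'
  printf '%s' "-config \"replacer.full_list(0).replacement=Basic $1\""
}

# The same rule as a properties file for -configfile (a-h's approach).
# Written in a subshell under umask 077 so the credential is not
# world-readable in the work directory that gets mounted into the container.
write_replacer_propfile() {
  # $1 = credential, $2 = output path
  (
    umask 077
    cat > "$2" <<EOF
replacer.full_list(0).description=auth1
replacer.full_list(0).enabled=true
replacer.full_list(0).matchtype=REQ_HEADER
replacer.full_list(0).matchstr=Authorization
replacer.full_list(0).regex=false
replacer.full_list(0).replacement=Basic $1
EOF
  )
}

# Pre-flight: request the target once without the header and once with it.
# 401/403 without and 200 with means the replacer rule is what matters;
# 404 in both cases (the spider failure quoted above) is a path problem
# that no Authorization header will fix.
preflight_status() {
  # $1 = URL, $2 = credential (empty string = send no header)
  if [ -n "$2" ]; then
    curl -sS -o /dev/null -w '%{http_code}' -H "Authorization: Basic $2" "$1"
  else
    curl -sS -o /dev/null -w '%{http_code}' "$1"
  fi
}

# Only touch the network when a target is configured, so the functions
# above can be sourced and checked on their own.
if [ -n "${ZAP_TARGET:-}" ]; then
  cred=$(basic_credential "${ZAP_USER:?}" "${ZAP_PASS:?}")
  echo "without header: $(preflight_status "$ZAP_TARGET" "")"
  echo "with header:    $(preflight_status "$ZAP_TARGET" "$cred")"

  mkdir -p zap
  write_replacer_propfile "$cred" zap/options.prop

  # Option A: config file mounted under /zap/wrk, as in the original report.
  docker run --rm -v "$(pwd):/zap/wrk/" -t owasp/zap2docker-stable zap-baseline.py \
    -t "$ZAP_TARGET" -z "-configfile /zap/wrk/zap/options.prop" --autooff

  # Option B: nothing on disk, the rule passed entirely as -config options.
  docker run --rm -t owasp/zap2docker-stable zap-baseline.py \
    -t "$ZAP_TARGET" -z "$(replacer_config_args "$cred")" --autooff
fi
```

Run it as `ZAP_TARGET=https://example.test ZAP_USER=user ZAP_PASS=password sh zap-basic-auth.sh` (assumed file name). The credential is read from the environment rather than written into the workflow or the command line, and the pre-flight status codes tell you before the scan starts whether the header is being applied at all.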