
I automate security scanning by proxying my UI tests through ZAP. For every security scan run, a new ZAP session is created and the requests are proxied through it.

In our application, the access token from the login API response is set in an authentication header to authenticate requests. When I proxy my tests through ZAP, that header is recorded and stored in ZAP together with the request payload, URL, etc.

If

  1. the token ZAP recorded with the request is still valid (not expired or invalidated) during the active scan, and
  2. the header is excluded from the ascan attack vectors (which is the default),

then I assume I can get an active scan working against the API (which also requires authentication) without setting up authentication, users, forced user, session management, etc. in the Context.

I am not sure how to verify this!

Can anyone help with the following:

  1. Is my assumption above, that the "recorded header is enough for ZAP to scan", correct in my scenario? (Only the payload, parameters, etc. get tampered with.)
  2. What is the benefit of setting up authentication, users, forced user, session management, etc. in the Context for automated security scanning?

Thanks in advance.


Authentication is a pain. A complete pain. There are so many different ways that apps authenticate, and all apps have their own quirks. If the token remains valid then yes, in theory that should be ok. But how you validate this will completely depend on your app. What does it do if the token is invalid? Will it return 403? You can use ZAP stats to work out if it looks like the requests are authenticated, and if ZAP doesn't currently record the stats you need then you can add them via scripts.

The advantage of setting authentication etc etc is that when set correctly then ZAP should detect if a token is invalidated (which happens all too often when attacking an app) and can then reauthenticate.

Handling authentication is hard (not just in ZAP, but in all security tools). For more help you're probably better off asking on the ZAP user group: https://groups.google.com/group/zaproxy-users

Also have a look at the ZAP in Ten video series - esp. the ADDO Workshop ones where I go into authentication in a lot more detail: https://www.alldaydevops.com/zap-in-ten

Answered 2020-07-03T08:54:23.803
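One concrete way to do the check the answer recommends (and that the question asks how to do), as an added example that is not part of the original question or answer and is not ZAP's own code: pull the messages ZAP recorded for the target site and count, per host, how many requests actually carried the token header and how many responses look like authentication failures (401/403, or a redirect to the login page). A rising "unauthenticated" count during the active scan is the signal that the recorded token stopped being enough. The `fetch_messages` helper assumes the ZAP API endpoint `JSON/core/view/messages/` with `baseurl`/`start`/`count` parameters and an `apikey` query parameter; the header name (`Authorization`), login path (`/login`) and the sample messages are constructed for the example.

```python
"""Sanity-check whether ZAP's recorded requests still look authenticated.

Added example, not code from the original post or from ZAP. It works on
messages in the shape ZAP's core/view/messages API returns (assumed: a list
of objects with raw "requestHeader" and "responseHeader" strings).
"""
import json
import re
import urllib.request
from collections import defaultdict
from urllib.parse import quote, urlparse

STATUS_RE = re.compile(r"^HTTP/\d(?:\.\d)?\s+(\d{3})")


def parse_headers(raw):
    """Map lower-cased header names to values; the start line is skipped."""
    headers = {}
    for line in raw.splitlines()[1:]:
        if ":" in line:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
    return headers


def status_code(response_header):
    match = STATUS_RE.match(response_header)
    return int(match.group(1)) if match else None


def request_url(request_header):
    # ZAP stores the absolute URL on the request line: "GET https://host/path HTTP/1.1"
    parts = request_header.splitlines()[0].split()
    return parts[1] if len(parts) >= 2 else ""


def looks_unauthenticated(msg, login_path="/login"):
    """True for 401/403, or for a redirect whose Location is the login page (assumed path)."""
    code = status_code(msg["responseHeader"])
    if code in (401, 403):
        return True
    if code in (301, 302, 303, 307, 308):
        location = parse_headers(msg["responseHeader"]).get("location", "")
        return urlparse(location).path.rstrip("/") == login_path.rstrip("/")
    return False


def summarize(messages, token_header="authorization", login_path="/login"):
    """Per-host counts of recorded requests, requests carrying the token, and auth failures."""
    summary = defaultdict(lambda: {"total": 0, "with_token": 0, "unauthenticated": 0})
    for msg in messages:
        host = urlparse(request_url(msg["requestHeader"])).netloc
        row = summary[host]
        row["total"] += 1
        if token_header.lower() in parse_headers(msg["requestHeader"]):
            row["with_token"] += 1
        if looks_unauthenticated(msg, login_path):
            row["unauthenticated"] += 1
    return dict(summary)


def suspicious_hosts(summary, max_ratio=0.1):
    """Hosts where more than max_ratio of responses look unauthenticated (tune per app)."""
    return sorted(h for h, r in summary.items()
                  if r["total"] and r["unauthenticated"] / r["total"] > max_ratio)


def fetch_messages(zap_api="http://localhost:8080", apikey="", baseurl="", start=0, count=1000):
    """Read recorded messages from a running ZAP (assumed API endpoint and parameters)."""
    url = (f"{zap_api}/JSON/core/view/messages/?apikey={quote(apikey)}"
           f"&baseurl={quote(baseurl, safe='')}&start={start}&count={count}")
    with urllib.request.urlopen(url) as resp:
        return json.load(resp)["messages"]


# Constructed sample: two good calls, one token rejected mid-scan, one request
# recorded without the header that got bounced to the login page.
SAMPLE_MESSAGES = [
    {"requestHeader": "GET https://api.example.test/v1/orders HTTP/1.1\r\nHost: api.example.test\r\nAuthorization: Bearer tok-1\r\n\r\n",
     "responseHeader": "HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n"},
    {"requestHeader": "GET https://api.example.test/v1/orders?id=1%27 HTTP/1.1\r\nHost: api.example.test\r\nAuthorization: Bearer tok-1\r\n\r\n",
     "responseHeader": "HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n"},
    {"requestHeader": "POST https://api.example.test/v1/orders HTTP/1.1\r\nHost: api.example.test\r\nAuthorization: Bearer tok-1\r\n\r\n",
     "responseHeader": "HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Bearer error=\"invalid_token\"\r\n\r\n"},
    {"requestHeader": "GET https://api.example.test/v1/profile HTTP/1.1\r\nHost: api.example.test\r\n\r\n",
     "responseHeader": "HTTP/1.1 302 Found\r\nLocation: /login?next=%2Fv1%2Fprofile\r\n\r\n"},
]

if __name__ == "__main__":
    # Swap SAMPLE_MESSAGES for fetch_messages(apikey="...", baseurl="https://api.example.test") against a live ZAP.
    report = summarize(SAMPLE_MESSAGES)
    print(json.dumps(report, indent=2))
    print("hosts with too many auth failures:", suspicious_hosts(report))
```

Run it once right after the proxied UI tests (before the active scan) to get a baseline, then again after the scan: if `with_token` covers every request but `unauthenticated` jumps during the scan, the token was invalidated or expired while ZAP was attacking, which is exactly the case the answer says Context authentication with re-login would handle automatically.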