[Owasp-leaders] ZAP Automated authentication detection and configuration

psiinon psiinon at gmail.com
Thu May 10 07:01:51 UTC 2018


Thanks Rogan!

On Thu, May 10, 2018 at 7:57 AM, Rogan Dawes <rogan at dawes.za.net> wrote:

> I see there was no mention of Negotiate auth, a.k.a SPNEGO, which can
> carry NTLM, but also supports Kerberos auth.
>
> Also, as a detail, NTLM and Negotiate are CONNECTION based, as opposed to
> per-request based. Without any insight into the internal architecture of
> ZAP, you have to be careful about reusing an existing authentication
> connection for unrelated requests (even if those requests don't have any
> Authorization headers), as they will automatically be authenticated by
> virtue of being in an authenticated connection.
>
> Some additional details available here: http://www.securiteam.com/securityreviews/5OP0B2KGAC.html
>
> Rogan
>
>
> On Wed, May 9, 2018 at 10:35 AM psiinon <psiinon at gmail.com> wrote:
>
>> Leaders - please see the email below sent to the ZAP Developers Group.
>>
>> Kajan is working on making authentication handling better in ZAP for the
>> Google Summer of Code.
>> An important aspect of this is coming up with a comprehensive list of
>> authentication schemes - there's a link to the doc Kajan is working on below.
>> ZAP is very flexible and can probably handle most if not all of these
>> schemes, but we know that configuring it to do so is painful and error
>> prone.
>> Building this list will help us understand the scope of the problem and
>> allow Kajan to focus on more generic solutions that support a wide range of
>> schemes.
>> So please have a look at the doc and add suggestions for anything you
>> spot that's missing or incorrect.
>>
>> We know that getting ZAP to handle authentication can be difficult - this
>> is your chance to help us make it much less painful :)
>>
>> One of the reasons we asked Kajan to write this doc is that we couldn't
>> find a comprehensive list of authentications schemes on the internet.
>> If we've missed such a list then please let us know. If not then how
>> would you feel about us migrating the doc to the OWASP wiki once it has had
>> some more feedback? I think it would be a valuable addition :)
>>
>> Many thanks,
>>
>> Simon
>>
>> ---------- Forwarded message ----------
>> From: Kajan Mohanagandhirasa <kajan.14 at cse.mrt.ac.lk>
>> Date: Sun, May 6, 2018 at 7:39 AM
>> Subject: [zaproxy-develop] Automated authentication detection and
>> configuration
>> To: OWASP ZAP Developer Group <zaproxy-develop at googlegroups.com>
>>
>>
>> Hi, I am Kajan from the University of Moratuwa, Sri Lanka.
>> It is my pleasure to meet you all again with good news.
>> I am working on "Automated authentication detection and
>> configuration"[1]  as my GSoC project.
>> I will be updating my blog[2] weekly with my progress and other useful
>> information related to this project.
>> To automate the task for as many sorts of web apps as possible, I am
>> maintaining a list of different authentication schemes here[3].
>> I want your help in prioritizing the most used and important
>> authentication schemes.
>> In addition to that, please help me to extend this list by sharing your
>> knowledge.
>> Of course, I will not be able to address all schemes within the GSoC
>> period. But now I am part of a great community and will remain the same
>> after GSoC. So feel free to suggest even if a small portion of web apps are
>> using such an authentication scheme. I want to build a comprehensive list.
>> This will not only help me to identify my future work but also to
>> implement it in a way such that other schemes can be easily ported.
>> I am not an expert in anything. I am willing to hear your thoughts
>> regarding this project. That will help me a lot.
>>
>> Thanks in advance :) and happy coding.
>>
>> [1] https://github.com/zaproxy/zaproxy/issues/4105
>> [2] https://kajanm.github.io/gsoc.html
>> [3] https://docs.google.com/document/d/1LSg8CMb4LI5yP-8jYDTVJw1ZIJD2W_WDWXLtJNk3rsQ/edit?usp=sharing
>>
>> Cheers,
>> Kajan
>>
>> --
>> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
>


-- 
OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
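Rogan's point about connection-based authentication, shown as an added example that is not part of the thread and is not ZAP's own code. It stands up a local HTTP/1.1 server that imitates NTLM/Negotiate by remembering the authenticated principal per TCP connection (the real scheme is a multi-leg challenge/response; the single `Negotiate` token, the principal `DOMAIN\alice` and the paths are constructed for the demo). A request carrying no Authorization header is then served as the authenticated user purely because it rides on an already-authenticated keep-alive connection, while the same request on a fresh connection is challenged:

```python
"""Connection-scoped authentication hazard, modelled with the standard library.

NTLM and Negotiate (SPNEGO) authenticate the TCP connection, not each request.
The handler below imitates that: once a connection has presented an acceptable
token, every later request on that same connection is served as the
authenticated principal, even with no Authorization header at all.
The token, principal and paths are constructed for the demo; the real
Negotiate/NTLM exchange is a multi-leg challenge/response.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed stand-in for a valid SPNEGO token (not a real Kerberos/NTLM blob).
VALID_TOKEN = "Negotiate dGVzdC10b2tlbg=="
PRINCIPAL = "DOMAIN\\alice"


class ConnectionScopedAuthHandler(BaseHTTPRequestHandler):
    # HTTP/1.1 => keep-alive; one handler instance lives for the whole TCP
    # connection, so an instance attribute set here is connection state,
    # which is exactly how NTLM/Negotiate behave.
    protocol_version = "HTTP/1.1"
    authenticated_as = None  # class default; set per instance once auth succeeds

    def do_GET(self):
        if self.authenticated_as is None and self.headers.get("Authorization") == VALID_TOKEN:
            self.authenticated_as = PRINCIPAL  # binds the principal to this connection

        if self.authenticated_as is None:
            status, body = 401, b"unauthenticated"
        else:
            status, body = 200, f"hello {self.authenticated_as}".encode()

        self.send_response(status)
        if status == 401:
            self.send_header("WWW-Authenticate", "Negotiate")
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))  # required for keep-alive
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo quiet


def get(conn, path, headers=None):
    """One request on an existing HTTPConnection; returns (status, body)."""
    conn.request("GET", path, headers=headers or {})
    resp = conn.getresponse()
    return resp.status, resp.read().decode()


def run_demo():
    """Runs the four requests and returns their (status, body) pairs by name."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), ConnectionScopedAuthHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    port = server.server_address[1]
    results = {}
    try:
        conn = http.client.HTTPConnection("127.0.0.1", port)
        # 1. Anonymous request: challenged.
        results["anon_first"] = get(conn, "/")
        # 2. Present the token on the same connection: accepted, connection now bound.
        results["auth_leg"] = get(conn, "/", {"Authorization": VALID_TOKEN})
        # 3. An unrelated request with NO Authorization header reuses the
        #    connection and is served as DOMAIN\alice anyway: the scanner pitfall.
        results["unrelated_same_conn"] = get(conn, "/unrelated")
        conn.close()
        # 4. The same unrelated request on a fresh connection is correctly challenged.
        fresh = http.client.HTTPConnection("127.0.0.1", port)
        results["unrelated_fresh_conn"] = get(fresh, "/unrelated")
        fresh.close()
    finally:
        server.shutdown()
        server.server_close()
    return results


if __name__ == "__main__":
    for name, (status, body) in run_demo().items():
        print(f"{name:24s} {status} {body}")
```

For a scanner the consequence is that a pooled connection is not interchangeable once a Negotiate or NTLM handshake has completed on it: either key the pool on the authentication context as well as the host, or close the connection after the handshake legs, so that probes meant to be unauthenticated (or sent as a different user) always travel on their own connection.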