[Owasp-leaders] ZAP Automated authentication detection and configuration

Sherif Mansour sherif.mansour at owasp.org
Thu May 10 23:27:38 UTC 2018

Hey Simon,
Went through the doc, maybe I missed them, but also:

SAML 2.0
Mutual auth (certs)
WebAuthn (new passwordless W3C/FIDO Alliance standard).

On Thu, 10 May 2018 at 8:02 am, psiinon <psiinon at gmail.com> wrote:

> Thanks Rogan!
> On Thu, May 10, 2018 at 7:57 AM, Rogan Dawes <rogan at dawes.za.net> wrote:
>> I see there was no mention of Negotiate auth, a.k.a. SPNEGO, which can
>> carry NTLM, but also supports Kerberos auth.
>> Also, as a detail, NTLM and Negotiate are CONNECTION based, as opposed to
>> per-request based. Without any insight into the internal architecture of
>> ZAP, you have to be careful about reusing an existing authentication
>> connection for unrelated requests (even if those requests don't have any
>> Authorization headers), as they will automatically be authenticated by
>> virtue of being in an authenticated connection.
>> Some additional details available here:
>> http://www.securiteam.com/securityreviews/5OP0B2KGAC.html
>> Rogan
>> On Wed, May 9, 2018 at 10:35 AM psiinon <psiinon at gmail.com> wrote:
>>> Leaders - please see the email below sent to the ZAP Developers Group.
>>> Kajan is working on making authentication handling better in ZAP for the
>>> Google Summer of Code.
>>> An important aspect of this is coming up with a comprehensive list of
>>> authentication schemes - there's a link to the doc Kajan is working on below.
>>> ZAP is very flexible and can probably handle most if not all of these
>>> schemes, but we know that configuring it to do so is painful and error
>>> prone.
>>> Building this list will help us understand the scope of the problem and
>>> allow Kajan to focus on more generic solutions that support a wide range of
>>> schemes.
>>> So please have a look at the doc and add suggestions for anything you
>>> spot that's missing or incorrect.
>>> We know that getting ZAP to handle authentication can be difficult -
>>> this is your chance to help us make it much less painful :)
>>> One of the reasons we asked Kajan to write this doc is that we couldn't
>>> find a comprehensive list of authentications schemes on the internet.
>>> If we've missed such a list then please let us know. If not then how
>>> would you feel about us migrating the doc to the OWASP wiki once it has had
>>> some more feedback? I think it would be a valuable addition :)
>>> Many thanks,
>>> Simon
>>> ---------- Forwarded message ----------
>>> From: Kajan Mohanagandhirasa <kajan.14 at cse.mrt.ac.lk>
>>> Date: Sun, May 6, 2018 at 7:39 AM
>>> Subject: [zaproxy-develop] Automated authentication detection and
>>> configuration
>>> To: OWASP ZAP Developer Group <zaproxy-develop at googlegroups.com>
>>> Hi, I am Kajan from the University of Moratuwa, Sri Lanka.
>>> It is my pleasure to meet you all again with good news.
>>> I am working on "Automated authentication detection and
>>> configuration"[1] as my GSoC project.
>>> I will be updating my blog[2] weekly with my progress and other useful
>>> information related to this project.
>>> To automate the task for as many sorts of web apps as possible, I am
>>> maintaining a list of different authentication schemes here[3].
>>> I want your help in prioritizing the most used and important
>>> authentication schemes.
>>> In addition to that, please help me to extend this list by sharing your
>>> knowledge.
>>> Of course, I will not be able to address all schemes within the GSoC
>>> period. But now I am part of a great community and will remain the same
>>> after GSoC. So feel free to suggest even if a small portion of web apps are
>>> using such authentication scheme. I want to build a comprehensive list.
>>> This will not only help me to identify my future works but also to
>>> implement in a way such that other schemes can be easily ported.
>>> I am not an expert in anything. I am willing to hear your thoughts
>>> regarding this project. That will help me a lot.
>>> Thanks in advance :) and happy coding.
>>> [1] https://github.com/zaproxy/zaproxy/issues/4105
>>> [2] https://kajanm.github.io/gsoc.html
>>> [3]
>>> https://docs.google.com/document/d/1LSg8CMb4LI5yP-8jYDTVJw1ZIJD2W_WDWXLtJNk3rsQ/edit?usp=sharing
>>> Cheers,
>>> Kajan
>>> --
>>> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>>> _______________________________________________
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
> --
> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader

Sherif Mansour
OWASP Global Board Member & OWASP London Chapter Leader
Site: https://www.owasp.org/index.php/London
Email: sherif.mansour at owasp.org
Follow OWASP London Chapter on Twitter: @owasplondon
"Like" us on Facebook: https://www.facebook.com/OWASPLondon
Subscribe to our (lightweight) mailing list:
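The starting point for the "automated authentication detection" Kajan describes is the 401 response itself: a server advertises its schemes in one or more WWW-Authenticate headers, and Rogan's caveat about NTLM and Negotiate applies to exactly the schemes found there. The following is an added example, not code from the thread and not part of ZAP (which is written in Java): it parses WWW-Authenticate values per RFC 7235 (several challenges in one header, auth-params, token68 blobs, commas inside quoted strings) and flags the schemes whose authenticated state lives on the TCP connection rather than on each request. The CONNECTION_BOUND set is this example's own classification taken from the thread, and the sample header values are constructed, not captured.

```python
"""Detect HTTP authentication schemes from WWW-Authenticate challenges.

Added example for the thread above; not ZAP code.  Parses challenge
lists per RFC 7235 and flags connection-bound schemes (NTLM, Negotiate)
that must not share a connection with unrelated, unauthenticated requests.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# Schemes that authenticate the connection, not each request (example's own
# classification, derived from the thread).
CONNECTION_BOUND = frozenset({"ntlm", "negotiate"})

_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_QUOTED = r'"(?:[^"\\]|\\.)*"'
_TOKEN68 = r"[A-Za-z0-9\-._~+/]+=*"

# Each comma-separated fragment is one of: "Scheme key=value",
# "key=value" (continues the previous challenge), "Scheme token68", "Scheme".
_SCHEME_PARAM_RE = re.compile(rf"^({_TOKEN})\s+({_TOKEN})\s*=\s*({_TOKEN}|{_QUOTED})$")
_PARAM_RE = re.compile(rf"^({_TOKEN})\s*=\s*({_TOKEN}|{_QUOTED})$")
_SCHEME_T68_RE = re.compile(rf"^({_TOKEN})\s+({_TOKEN68})$")
_SCHEME_RE = re.compile(rf"^({_TOKEN})$")


@dataclass
class Challenge:
    scheme: str
    params: dict[str, str] = field(default_factory=dict)
    token68: Optional[str] = None

    @property
    def connection_bound(self) -> bool:
        return self.scheme.lower() in CONNECTION_BOUND


def _split_challenges(value: str) -> list[str]:
    """Split on commas outside quoted strings, so qop="auth,auth-int" stays whole."""
    parts: list[str] = []
    buf: list[str] = []
    in_quotes = escaped = False
    for ch in value:
        if escaped:
            buf.append(ch)
            escaped = False
        elif in_quotes and ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == '"':
            in_quotes = not in_quotes
            buf.append(ch)
        elif ch == "," and not in_quotes:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def _unquote(value: str) -> str:
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return re.sub(r"\\(.)", r"\1", value[1:-1])
    return value


def parse_www_authenticate(value: str) -> list[Challenge]:
    """Parse one WWW-Authenticate header value into its challenges."""
    challenges: list[Challenge] = []
    for piece in _split_challenges(value):
        if m := _SCHEME_PARAM_RE.match(piece):
            challenges.append(Challenge(m.group(1), {m.group(2).lower(): _unquote(m.group(3))}))
        elif (m := _PARAM_RE.match(piece)) and challenges:
            challenges[-1].params[m.group(1).lower()] = _unquote(m.group(2))
        elif m := _SCHEME_T68_RE.match(piece):
            challenges.append(Challenge(m.group(1), token68=m.group(2)))
        elif m := _SCHEME_RE.match(piece):
            challenges.append(Challenge(m.group(1)))
        else:
            raise ValueError(f"malformed challenge fragment: {piece!r}")
    return challenges


def detect_schemes(headers: list[str]) -> list[Challenge]:
    """Collect challenges from every WWW-Authenticate header of one response."""
    found: list[Challenge] = []
    for value in headers:
        found.extend(parse_www_authenticate(value))
    return found


def needs_dedicated_connection(challenges: list[Challenge]) -> bool:
    """True if any offered scheme binds auth state to the TCP connection."""
    return any(c.connection_bound for c in challenges)


if __name__ == "__main__":
    # Constructed 401 headers (sample input, not a real capture).
    sample = ['Negotiate, NTLM, Basic realm="corp"',
              'Digest realm="api", qop="auth,auth-int", nonce="n1", algorithm=MD5']
    for c in detect_schemes(sample):
        kind = "connection-bound" if c.connection_bound else "per-request"
        print(f"{c.scheme:<10} {kind:<16} params={c.params} token68={c.token68}")
    print("isolate connection:", needs_dedicated_connection(detect_schemes(sample)))
```

When `needs_dedicated_connection` is true, a proxy or scanner should keep the connection on which it completed the NTLM or Negotiate handshake for the authenticated session only, and open a fresh connection for any request meant to be unauthenticated or to run as a different user; otherwise those requests inherit the identity of the connection, as Rogan describes.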