[Owasp-leaders] ZAP Automated authentication detection and configuration

Brett Gravois brett.gravois at owasp.org
Fri May 11 00:53:22 UTC 2018


The ability to add SSO redirects and a macro recording for logins, like
NTO/Appspider has, would be nice to have.

On Thu, May 10, 2018, 4:28 PM Sherif Mansour <sherif.mansour at owasp.org>
wrote:

> Hey Simon,
> Went through the doc, maybe I missed them, but also:
>
> SAML 2.0
> Mutual auth (certs)
> WebAuthn (new passwordless W3C/FIDO Alliance standard).
>
> On Thu, 10 May 2018 at 8:02 am, psiinon <psiinon at gmail.com> wrote:
>
>> Thanks Rogan!
>>
>> On Thu, May 10, 2018 at 7:57 AM, Rogan Dawes <rogan at dawes.za.net> wrote:
>>
>>> I see there was no mention of Negotiate auth, a.k.a. SPNEGO, which can
>>> carry NTLM, but also supports Kerberos auth.
>>>
>>> Also, as a detail, NTLM and Negotiate are CONNECTION-based, as opposed
>>> to per-request. Without any insight into the internal architecture of
>>> ZAP, you have to be careful about reusing an existing authenticated
>>> connection for unrelated requests (even if those requests don't have any
>>> Authorization headers), as they will automatically be authenticated by
>>> virtue of being in an authenticated connection.
>>>
>>> Some additional details available here:
>>> http://www.securiteam.com/securityreviews/5OP0B2KGAC.html
>>>
>>> Rogan
>>>
>>>
>>> On Wed, May 9, 2018 at 10:35 AM psiinon <psiinon at gmail.com> wrote:
>>>
>>>> Leaders - please see the email below sent to the ZAP Developers Group.
>>>>
>>>> Kajan is working on making authentication handling better in ZAP for
>>>> the Google Summer of Code.
>>>> An important aspect of this is coming up with a comprehensive list of
>>>> authentication schemes - there's a link to the doc Kajan is working on below.
>>>> ZAP is very flexible and can probably handle most if not all of these
>>>> schemes, but we know that configuring it to do so is painful and error
>>>> prone.
>>>> Building this list will help us understand the scope of the problem and
>>>> allow Kajan to focus on more generic solutions that support a wide range of
>>>> schemes.
>>>> So please have a look at the doc and add suggestions for anything you
>>>> spot that's missing or incorrect.
>>>>
>>>> We know that getting ZAP to handle authentication can be difficult -
>>>> this is your chance to help us make it much less painful :)
>>>>
>>>> One of the reasons we asked Kajan to write this doc is that we couldn't
>>>> find a comprehensive list of authentication schemes on the internet.
>>>> If we've missed such a list then please let us know. If not then how
>>>> would you feel about us migrating the doc to the OWASP wiki once it has had
>>>> some more feedback? I think it would be a valuable addition :)
>>>>
>>>> Many thanks,
>>>>
>>>> Simon
>>>>
>>>> ---------- Forwarded message ----------
>>>> From: Kajan Mohanagandhirasa <kajan.14 at cse.mrt.ac.lk>
>>>> Date: Sun, May 6, 2018 at 7:39 AM
>>>> Subject: [zaproxy-develop] Automated authentication detection and
>>>> configuration
>>>> To: OWASP ZAP Developer Group <zaproxy-develop at googlegroups.com>
>>>>
>>>>
>>>> Hi, I am Kajan from the University of Moratuwa, Sri Lanka.
>>>> It is my pleasure to meet you all again with good news.
>>>> I am working on "Automated authentication detection and
>>>> configuration"[1]  as my GSoC project.
>>>> I will be updating my blog[2] weekly with my progress and other useful
>>>> information related to this project.
>>>> To automate the task for as many sorts of web apps as possible, I am
>>>> maintaining a list of different authentication schemes here[3].
>>>> I want your help in prioritizing the most used and important
>>>> authentication schemes.
>>>> In addition to that, please help me to extend this list by sharing your
>>>> knowledge.
>>>> Of course, I will not be able to address all schemes within the GSoC
>>>> period. But now I am part of a great community and will remain the same
>>>> after GSoC. So feel free to suggest even if a small portion of web apps are
>>>> using such an authentication scheme. I want to build a comprehensive list.
>>>> This will not only help me to identify my future work but also to
>>>> implement in a way such that other schemes can be easily ported.
>>>> I am not an expert in anything. I am willing to hear your thoughts
>>>> regarding this project. That will help me a lot.
>>>>
>>>> Thanks in advance :) and happy coding.
>>>>
>>>> [1] https://github.com/zaproxy/zaproxy/issues/4105
>>>> [2] https://kajanm.github.io/gsoc.html
>>>> [3]
>>>> https://docs.google.com/document/d/1LSg8CMb4LI5yP-8jYDTVJw1ZIJD2W_WDWXLtJNk3rsQ/edit?usp=sharing
>>>>
>>>> Cheers,
>>>> Kajan
>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>>>> _______________________________________________
>>>> OWASP-Leaders mailing list
>>>> OWASP-Leaders at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>
>>>
>>
>>
> --
>
> Sherif Mansour
> OWASP Global Board Member & OWASP London Chapter Leader
> Site: https://www.owasp.org/index.php/London
> Email: sherif.mansour at owasp.org
> Follow OWASP London Chapter on Twitter: @owasplondon  <https://twitter.com/OWASPLondon>
> "Like" us on Facebook: https://www.facebook.com/OWASPLondon
> Subscribe to our (lightweight) mailing list: https://lists.owasp.org/mailman/listinfo/owasp-london
>
>
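Added illustration of the connection-scoped versus per-request distinction Rogan raises above; this is example code written for this archive page, not code from the thread, from ZAP or from any of the posters. It models an origin server that keeps NTLM/Negotiate-style authentication state on the connection, a Basic-style server that checks every request, and two scanner-side connection pools, one shared across all requests and one keyed by authentication context. The class names, the "alice"/"anonymous" contexts and the collapsing of the NTLM handshake (three legs in reality) into a single request are all constructed for the example.

```python
"""Toy model of why a scanner that reuses keep-alive connections must treat
NTLM/Negotiate differently from Basic. Not ZAP code; every name here is made
up for the example, and the NTLM handshake is collapsed to one leg."""

from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Request:
    path: str
    authorization: Optional[str] = None   # e.g. "Basic alice", "NTLM alice", or None


@dataclass
class Connection:
    """One TCP connection as the origin server sees it."""
    conn_id: int
    authenticated_user: Optional[str] = None   # NTLM/Negotiate state lives here


class ConnectionAuthServer:
    """Models NTLM / Negotiate: once the handshake completes, the *connection*
    is authenticated; later requests on it carry no Authorization header
    and are still served as that user."""
    scheme = "NTLM"

    def handle(self, conn: Connection, req: Request) -> Tuple[int, Optional[str]]:
        if req.authorization and req.authorization.startswith(self.scheme + " "):
            # Constructed shortcut: the real scheme needs a three-leg exchange.
            conn.authenticated_user = req.authorization.split(" ", 1)[1]
        if conn.authenticated_user is None:
            return 401, None
        return 200, conn.authenticated_user


class RequestAuthServer:
    """Models Basic: credentials are checked on every request and the
    connection holds no authentication state at all."""
    scheme = "Basic"

    def handle(self, conn: Connection, req: Request) -> Tuple[int, Optional[str]]:
        if req.authorization and req.authorization.startswith(self.scheme + " "):
            return 200, req.authorization.split(" ", 1)[1]
        return 401, None


class SharedPool:
    """Scanner side, naive: one keep-alive connection per host, reused by
    every request regardless of which user/context it belongs to."""

    def __init__(self) -> None:
        self._conn: Optional[Connection] = None

    def get(self, context: str) -> Connection:
        if self._conn is None:
            self._conn = Connection(conn_id=1)
        return self._conn


class ContextPool:
    """Scanner side, safe for connection-scoped schemes: one connection per
    authentication context, so an anonymous probe can never ride a
    connection that NTLM/Negotiate has already bound to a user."""

    def __init__(self) -> None:
        self._conns: Dict[str, Connection] = {}

    def get(self, context: str) -> Connection:
        if context not in self._conns:
            self._conns[context] = Connection(conn_id=len(self._conns) + 1)
        return self._conns[context]


def run_scenario(server, pool) -> Tuple[int, int]:
    """1) user 'alice' authenticates and fetches /account;
       2) an *unauthenticated* probe (no Authorization header) fetches /admin.
       Returns (status of alice's request, status of the anonymous probe)."""
    alice_status, _ = server.handle(
        pool.get("alice"), Request("/account", f"{server.scheme} alice"))
    probe_status, _ = server.handle(
        pool.get("anonymous"), Request("/admin"))
    return alice_status, probe_status


if __name__ == "__main__":
    for srv_cls in (ConnectionAuthServer, RequestAuthServer):
        for pool_cls in (SharedPool, ContextPool):
            print(f"{srv_cls.__name__:22s} {pool_cls.__name__:12s} -> "
                  f"{run_scenario(srv_cls(), pool_cls())}")
```

The first combination shows the hazard: with a shared keep-alive connection the anonymous /admin probe is answered 200, because the origin has already bound that connection to alice, so a scanner would wrongly conclude that /admin is reachable without authentication. Keying the pool by authentication context (or simply dropping the connection whenever the context changes) restores the 401. With a per-request scheme like Basic the pool choice makes no difference, which is why the same reuse logic is safe there and unsafe for NTLM/Negotiate.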