GSoC @ OWASP with

"Winners don't wait for chances, they take them"

Title : Authentication helper add-on for ZAP (see in )
Organization : OWASP Foundation
Mentors : Simon Bennetts, Ricardo Pereira, Rick Mitchell

Please visit zaproxy-wiki for updated contents

About the project (what, why, how)

Zaproxy(ZAP) allows the penetration tester to set up authentication for the web application being tested. This allows ZAP to run tests from the point of an authenticated user. This is an excellent feature as with the ability of session management and automatic (re)authentication ZAP can check for vulnerabilities that are hidden in authorized resources. This is also a good feature to test broken authentication and session management. However, as of now setting up authentication in ZAP is a multi-step process[1]. It is time-consuming and error-prone. This project targets to resolve this problem by adding three new features to ZAP.

  1. Automated configuration
  2. Guided configuration
  3. Authentication status scanning
Automated configuration

It is possible to automatically detect and configure an appropriate authentication method for the web application being tested. For HTTP based authentication schemes ZAP only needs to rely on the user to get correct credentials. For non-HTTP based authentication schemes, ZAP needs to rely on the user to get logged in or logged out indicator as well. Other steps can be automated.

Guided configuration

As described earlier, configuring authentication in ZAP is a multi-step process and they need to be performed in an order. This feature targets to guide the user towards setting up authentication correctly. With the automated configuration in hand, the pen tester may not know the current configuration status. This feature will tell that and will guide the user on his next step.

Authentication status scanning

Configuring everything does not necessarily mean ZAP is able to authenticate with the web application successfully. Provided credentials may be wrong, or provided logged in or logged out indicator may lead to false positives (actually not authenticated but ZAP thinks authenticated). Hence, this feature targets to allow the user to check the authentication status with current configuration.

A word of thanks <3

I would like to express my gratitude to Google, my mentors, family, lecturers, friends and to all those who made it possible. Thank you very much :)

We received a lot of feedbacks and suggestions on the list of web app authentication schemes via emails and ZAP dev group. The doc is updated based on your comments and thank you all for sharing your knowledge.

This project is a great success. One main thing for the success is ZAP's architecture. ZAP is built in a manner such that it is easy to extend. Thank you to the community for all your hard works.

Before reading further..

This page is InProgress and will continuously evolve throughout the google summer of code 2018 program. Read further if you would like to know more about the project and what I have done so far.

Please visit zaproxy-wiki for updated contents

Project tracker

Rest of this page showcases the activities that I performed during the summer of code period in a timeline perspective. I am targeting this page mainly for future GSoC-X (X > 2018) students. If you are going to apply for GSoC or just got accepted, I welcome you to learn from my experience and give back a better experience to the community.

GSoC with OWASP Foundation

Please visit zaproxy-wiki for updated contents


Organizations Announced

Until 12th of February, I haven't heard of OWASP. All I knew was, okay; I am doing GSoC this year. I was going through the list of accepted mentoring organizations for GSoC-2018 one by one. At that point, I intend to pick an exciting Java project. That's all, no unique preferences. Some organizations my eye. I spent more time looking at their ideas. I made a note of such organizations, ideas and kept traversing through the list. When I hit OWASP, my traversal entered a break statement. In fact, my quest to find a suitable GSoC project ended. A new pursuit to become a Computer Security Professional began.

After finalizing the organization, I ,

12 February

Submitted Proposal

The more I learn, the more I found to learn. I took quite a long time to construct an implementation plan for the IdealFirstBug . That was discouraging and questioned me if I am the suitable person to apply.

I was confident enough that

  • I satisfy the project requirement
  • I have a strong desire to do the project
  • I have put a good effort on it

This confidence pushed me to go forward, and I submitted the proposal.

After submitting the proposal, I started familiarizing with the development environment and related technologies.

27 March

Community Bonding

Hooray! I got selected Let me first thank my mentors for their great support. Within this bonding period the student is expected to familiarize with the community practices and processes, work on project related issues and work with the mentors and other organization members on refining the project plan and of course go through the documentation.

I had a kick off meeting on 26th April with my mentors. The meeting spanned for 45 minutes. We discussed the goals of this community bonding period, the importance of this project and what the community is expecting from the successful completion of the project in general. Following is the summary of the works done during the community bonding period.

  • Went through, development rules and guidelines, add-on development wiki pages
  • Start a blog for GSoC project
  • Introduce in the ZAP Dev Group
  • Setting up the development environment
  • Start building up a list of different authentication mechanisms
  • Start building up a list of examples
  • Add support for dynamic fields in Form-based authentication method #2182
  • Work on detailed plan for the project
23 April

Coding Phase-1

  • PR: add support for dynamic fields in Form-based authentication method (#4682)
  • Spring security requirement study
  • create testing applications
  • go through authentication related issues, posts in ZAP user, developer group
  • PR: refresh cookie before each login request (#4696)
  • PR: help contents for automatic acsrf token submission support in form-based authentication (#193)
  • document setting up vulnerable apps for authentication
  • go through existing code (as suggested in this comment) to get started with authentication status scanning setting up vulnerable apps for authentication
  • brainstorm UI for AuthenticationHelperDialog
  • complete first evaluation
11 June

Coding Phase-2

  • Work on detailed plan for the project
  • create ExtensionAuthenticationHelper
  • create AuthenticaitonHelperDialog UI from which the pen tester can select Target, Context, User and start authentication status scanning.
  • crete AuthenticationConfigurationChecklistPanel to indicate status of required configurations
  • create PopupMenuItemCheckAuthentication that allows the pen tester to initiate the AuthenticationHelperDialog by right clicking a SiteNode and selecting Check authentication option.
  • create AuthenticationStatusTableModel, AuthenticationStatusTable and AuthenticationStatusTableEntry classes to show necessary data to the pen tester
  • create AuthenticationStatusPanel UI in which the authentication status scan result will be updated and the pen tester can start, stop, pause, resume, and analyze the HttpMessage
  • requirement study: concurrency in Java
  • create AuthenticationStatusScanController to control multiple authentication status scans
  • create AuthenticationStatusScanner that matches each HttpMessage's Header, Body with provided logged in indicator or(and) logged out indicator and determine authentication status from it
  • complete second evaluation
14 May

Coding Phase-3

  • add links to relevant Session properties dialog for each checklist item in AuthenticationConfigurationChecklistPanel
  • remove redundant ToolTips in AuthenticationConfigurationChecklistPanel
  • add refresh button in AuthenticationConfigurationChecklistPanel to rerun the checks with updated settings
  • internationalized the Strings that are shown in UI
  • add a hint panel with settings button in AuthenticationConfigurationChecklistPanel that tells the next best step and leads to the relevant properties dialog when the button is clicked
  • fix alignment problem in AuthenticationHelperDialog using reflection
  • add AuthenticationHelperOptionsPanel that allows the pen tester to add regexes which are excluded from authentication status scanning
  • automatic configuration for HTTP basic scheme
  • PR: necessary core changes for the add-on (#4898)
  • auto configuration logic for HTTP digest, NTLM
  • bug fix: in determining authentication status
  • write test cases for determining authentication statusli>
  • auto configuration logic for post based authentication schemes
  • auto configuration when spidering
14 May

I hope you get something useful from my experience. Let's meet again in a better post, until then, happy coding :)