Conduct DAST using OWASP ZAP with Login Authentication

In a recent post, I talk all about Dynamic Application Security testing. In this blog, we will see how we can conduct Dynamic Application Security Testing (DAST) with login authentication and session management using an open-source DAST tool called OWASP ZAP (Zed Attack Proxy).

First, we will see what OWASP ZAP is.

OWASP ZAP is a fully featured open-source Dynamic Application Security Testing (DAST) tool capable of supporting manual web application penetration testing and automated vulnerability scanning with authentication session management.

Steps to Run DAST using OWASP ZAP with login authentication

Step 1: use manual explorer in ZAP to capture login steps.

Step 2: Create a new context of the root domain

Step 3: Configure Authentication

Step 4: Add the user

Step 5: Configure Session management

Step 6: Spider the Website

Step 7: Run Active Scan

Step 8: Generate Report

Step 1: use manual explorer in ZAP to capture login steps.

Manual explorer is a ZAP feature that launches a browser that allows us to explore the web application while HTTP traffic is proxy through ZAP.

In ZAP Dashboard, click on the large Manual Explore button.
Enter the URL of the web application for that you want to capture the login steps.
Then click the Launch Browser button to launch the browser with the URL.

Once the browse is launched, perform the login steps. For example, I am using OWASP Juice Shop.

Click on the login button to open the login page.

Enter username and password and click login.

Once the login is successful, close the browser.

Here our first step is complete.

Step 2: Create a new context of the root domain

Context is a feature in ZAP that allows us to add the domain in-scope based on regex and also allows us to configure authentication, Session management, Users, technologies, etc.

To create a new context of the root domain,

First, select the root domain from the site's section

Right-click on the selected site.

Now click include in context and then New Context.

It will open the session properties tab where we can change the context name (by default URL that we select) and click ok.

Now the context is created, and our second step is complete.

Step 3: Configure Authentication

Once the context is created, configure the authentication in the context.

To configure the authentication, select the request from the site that performs the authentication

Right-click on the selected request, click Flag as Context and then choose Juice_Shop: JSON-based Auth Login Request (Other Authentication methods can also be configured depending on the application).

Once you click the Session Properties window will open the authentication option where you have to perform some additional configuration like parameters and verification strategy. After configuration, click ok.

Here our third step is complete.

Step 4: Add the user.

In this step, we have to add a user to perform the authentication.

To add the user double, click on context, click the Users option, click add button, and enter the user credentials.

After entering the credentials, click Add and then ok.

Now the user is also added, and step 4 is complete.

Step 5: Configure Session management

In this step, we will configure the Session Management in Context using script-based session management (other methods are also available based on application session management mechanism HTTP-based or Cookie based)

Session management is important to keep the user authenticated during the scan. In the Script-Based Session management method, we have to write a script based on a pre-defined template to manage the authentication session.

To create a Session Management script, click on the plus icon and then click the scripts button.

In the Scripts section right, click on the Session Management Script and click on the new script.

In the new script window, enter the script name, Type Session Management, Script Engine Graal.js, and Template, and then click save

Once the script is saved, double-click on context to open session properties and select the Session Management option.

In the Session Management option, select the session management option as Script-Based Session Management, choose the script that we have created from the script drop-down menu, and click load, then ok.

Here is step 5, complete

Step 6: Spider the Website.

To run the spider, right-click on the context and click Spider.

It will open the spider window where we have to select the user we have added in step 4, then Click Start Scan.

Just so you know, here, step 6 is complete.

Step 7: Run Active Scan.

In this step, we will run the attack to start the scan to identify the vulnerabilities.

To run the Active Scan right, click on the context and click Active Scan.

It will open the Active Scan window in which we have to select the user we have added in step 4, then Click Start Scan.

Here, step 7 is completed.

Step 8: Generate a report.

Once the active scan is complete, we have to generate the report.

Click on generate report button to open the Generate Report Windows.

In the generate report window, enter the report title, report name, Report directory, description, context, and site, and then click on generate report button.

And here, our last step is completed, and the report is generated.

Sahil Gupta

Application Security | DevSecOps | Secure SDLC | Penetration Tester (Web and API) | CEHv10 | IBM Certified Cybersecurity Analyst Professional

Previous Post Next Post

Contact Form