
My requirement is to do an "Authenticated Scan" using the TFS DevOps pipeline. For this I added the "OWASP Zed Attack Proxy Scan" extension under TFS and added the tasks in the pipeline. I also installed the OWASP desktop app (2.11.1). The pipeline is working fine in 'Unauthenticated mode' on the website, but I need to do the 'authenticated scan' so that the tool can identify the bugs/vulnerabilities behind the login pages as well. How can this be done?

Jonas
Saad Awan

1 Answer


First of all, you don't need to use the ZAP desktop app - ZAP can be run in a variety of ways that are more suited to automation - see https://www.zaproxy.org/docs/automate/

Secondly, authentication can be a real pain - there are so many ways that applications handle it :( Have a look at the official ZAP videos on https://www.zaproxy.org/videos-list/ - you can search for "Auth" in the tags to narrow those down to the most relevant ones.

Simon Bennetts
  • I have gone through the links but didn't find any specific link which describes how to do the TFS ZAP Authenticated mode – Saad Awan Oct 07 '21 at 13:02
  • That's because we don't have anything specific for TFS :) If you can explain exactly how TFS authentication works then we can help you configure ZAP to handle it... – Simon Bennetts Oct 07 '21 at 13:44
  • Okay, I need nothing from TFS, I just need the 'Context Name' in 'OWASP Zed Attack Proxy Scan', which is the extension of OWASP Zed available in TFS. My problem is how to do the authenticated scanning under OWASP Zed – Saad Awan Oct 12 '21 at 12:20
  • ZAP should be able to handle any authentication, but it's too complicated to explain in such a small space. See the videos I mentioned above or ask questions on the ZAP User Group: https://groups.google.com/group/zaproxy-users – Simon Bennetts Oct 12 '21 at 13:56
  • As per the user group discussion: I now do this using the Docker CLI from the following link 'https://dzone.com/articles/owasp-zap-security-tests-in-azure-devops-pipeline', but again I might not be able to scan in an authenticated way as I didn't give any website username/passwords in the script. – Saad Awan May 24 '22 at 11:59
  • Well, if you don't supply any credentials then ZAP won't be able to authenticate for you :) – Simon Bennetts May 24 '22 at 12:18
  • Exactly, you're right, this is what I am asking: from where and how can I give credentials in the script 'chmod -R 777 ./ docker run --rm -v $(pwd):/zap/wrk/:rw -t owasp/zap2docker-stable zap-full-scan.py -t https://abcdomain.com -g gen.conf -x OWASP-ZAP-Report.xml -r scan-report.html true' – Saad Awan May 25 '22 at 05:53
  • See https://www.zaproxy.org/docs/authentication/ :) If you have more detailed questions the ZAP User Group linked to above is your best option. – Simon Bennetts May 25 '22 at 11:27
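The following is an added example, not code from the answer above or from the ZAP project itself. It shows one way to supply credentials from the pipeline step the comments describe: a ZAP Automation Framework plan that declares a context with form-based authentication and a user, run with the same `owasp/zap2docker-stable` image via `zap.sh -cmd -autorun`. The login URL, request body, logged-in/logged-out regexes and the `ZAP_USER`/`ZAP_PASS` variable names are assumptions to be replaced with the real application's values; ZAP substitutes `${VAR}` from the container environment, so the credentials never sit in the plan file or the workspace.

```shell
# Hypothetical pipeline step (assumption: bash/sh with docker available).
# The plan is written as a file; credentials are injected as environment
# variables from the pipeline's secret store rather than stored in the plan.
set -eu

# Write the Automation Framework plan to the path given as $1.
# Every URL, path and regex below is a placeholder for the real application.
write_plan() {
  cat > "$1" <<'EOF'
env:
  contexts:
    - name: "abcdomain"
      urls: ["https://abcdomain.com"]
      includePaths: ["https://abcdomain.com.*"]
      excludePaths: ["https://abcdomain.com/logout.*"]   # don't let the spider log ZAP out
      authentication:
        method: "form"
        parameters:
          loginPageUrl: "https://abcdomain.com/login"
          loginRequestUrl: "https://abcdomain.com/login"
          loginRequestBody: "username={%username%}&password={%password%}"
        verification:
          method: "response"          # ZAP checks responses to know if it is still logged in
          loggedInRegex: "\\QLogout\\E"
          loggedOutRegex: "\\QSign in\\E"
      sessionManagement:
        method: "cookie"
      users:
        - name: "scan-user"
          credentials:
            username: "${ZAP_USER}"   # substituted by ZAP from the environment
            password: "${ZAP_PASS}"
jobs:
  - type: spider
    parameters: {context: "abcdomain", user: "scan-user"}
  - type: activeScan
    parameters: {context: "abcdomain", user: "scan-user"}
  - type: report
    parameters: {template: "traditional-html", reportDir: "/zap/wrk", reportFile: "scan-report"}
EOF
}

# Run the plan; -e passes the secret variables through without echoing them.
run_scan() {
  docker run --rm -v "$(pwd):/zap/wrk/:rw" -e ZAP_USER -e ZAP_PASS \
    -t owasp/zap2docker-stable zap.sh -cmd -autorun /zap/wrk/plan.yaml
}
```

In the pipeline, mark `ZAP_USER` and `ZAP_PASS` as secret variables and call `write_plan plan.yaml` followed by `run_scan`; the `excludePaths` entry matters because a spidered logout link would otherwise invalidate the session mid-scan.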