How to add custom authentication script? #1767

dhavalsimaria · 2023-06-16T07:48:07Z

dhavalsimaria
Jun 16, 2023

The configMaps of zap scan contain scripts that are readily available at location:
/home/zap/.ZAP_D/scripts/scripts/httpsender/Alert_on_HTTP_Response_Code_Errors.js

But I am not able to figure out how to add a custom authentication script that will be used to authenticate against API for ZAP-API-scan.

Grateful for any help here.

J12934 · 2023-06-16T09:48:59Z

J12934
Jun 16, 2023
Maintainer

Hi 👋

You'll need to mount the scripts as a file like we are mounting the scan config into the ZAP Advanced container.

apiVersion: "execution.securecodebox.io/v1"
kind: Scan
metadata:
  name: "zap-example"
spec:
  scanType: "zap-advanced-scan"
  parameters:
    # target URL including the protocol
    - "-t"
    - "http://juice-shop.default.svc:3000/"
  volumeMounts:
    - name: zap-auth-scripts
      mountPath: /home/zap/.ZAP_D/scripts/scripts/authentication/auth-script.js
      subPath: auth-script.js
      readOnly: true
    - name: zap-advanced-scan-config
      mountPath: /home/securecodebox/configs/2-zap-advanced-scan.yaml
      subPath: 2-zap-advanced-scan.yaml
      readOnly: true
  volumes:
    - name: zap-auth-scripts
      configMap:
        name: zap-auth-scripts
    - name: zap-advanced-scan-config
      configMap:
        name: zap-advanced-scan-config
---
kind: ConfigMap
apiVersion: v1
metadata:
  name: zap-auth-scripts
data:
  auth-script.js: |
    // your js auth script

1 reply

dhavalsimaria Jul 5, 2023
Author

@J12934
Do we also need to add an authentication section under contexts in the scan configuration?

Ref. ZAP configuration

authentication:
        # -- Currently supports "basic-auth", "form-based", "json-based", "script-based"
         type: "script-based"
         # -- Optional, only mandatory if zapConfiguration.contexts[0].authentication.type: "script-based". More ZAP details about 'script based' authentication can be found here: https://www.zaproxy.org/docs/api/#script-based-authentication.
         script-based:
           # -- The name of the authentication script
           name: scb-oidc-password-grand-type.js
           # -- Enables the script if true, otherwise false
           enabled: true
           # -- The type of script engine used. Possible values are: 'Graal.js', 'Oracle Nashorn' for Javascript and 'Mozilla Zest' for Zest Scripts
           engine: "Graal.js"
           # -- Must be a full path to the script file inside the ZAP container (corresponding to the configMap FileMount)
           filePath: "/home/zap/.ZAP_D/scripts/scripts/authentication/scb-oidc-password-grand-type.js"
           # -- A short description for the script.
           description: "This is a description for the SCB OIDC Script."

I have mounted the custom authentication script using volume mount as suggested by you.
When I try to add custom script details in contexts section using above `authentication section, I get the following error:

2023-07-06 05:17 ZapClient    INFO    : Loading new Script 'zap-api-authentication.js' at '/home/zap/.ZAP_D/scripts/scripts/authentication/zap-api-authentication.js' with type: 'authentication' and engine 'Graal.js'
2023-07-06 05:17 ZapClient    ERROR   : The script couldn't be loaded due to errors!
2023-07-06 05:17 zapclient    ERROR   : Unexpected error: The script couldn't be loaded due to errors!
Traceback (most recent call last):
  File "/zap-client/zapclient/__main__.py", line 67, in process
    zap_automation.scan_target(target=args.target)
  File "/zap-client/zapclient/zap_automation.py", line 89, in scan_target
    zap_context.configure_contexts()
  File "/zap-client/zapclient/context/zap_context.py", line 73, in configure_contexts
    self._configure_context(context)
  File "/zap-client/zapclient/context/zap_context.py", line 107, in _configure_context
    configure_authenication.configure_context_authentication(
  File "/zap-client/zapclient/context/zap_context_authentication.py", line 60, in configure_context_authentication
    self._configure_context_authentication_script(
  File "/zap-client/zapclient/context/zap_context_authentication.py", line 98, in _configure_context_authentication_script
    self._configure_load_script(
  File "/zap-client/zapclient/zap_abstract_client.py", line 147, in _configure_load_script
    self.check_zap_result(
  File "/zap-client/zapclient/zap_abstract_client.py", line 75, in check_zap_result
    raise Exception(exception_message)
Exception: The script couldn't be loaded due to errors!

Abhinandan-Khurana · 2024-04-17T13:39:51Z

Abhinandan-Khurana
Apr 17, 2024

@J12934
I am also facing somewhat similar issue, I believe I've mounted the auth script successfully, however I am getting the below error (from pod logs) -

2024-04-17 11:33 ZapConfigureSpiderHttp INFO    : HTTP Spider(0) completed
2024-04-17 11:33 zapclient    ERROR   : Unexpected error: 'ZapConfigureSpiderHttp' object has no attribute 'failIfFoundUrlsLessThan'
Traceback (most recent call last):
  File "/zap-client/zapclient/__main__.py", line 67, in process
    zap_automation.scan_target(target=args.target)
  File "/zap-client/zapclient/zap_automation.py", line 94, in scan_target
    self.__start_spider(target)
  File "/zap-client/zapclient/zap_automation.py", line 141, in __start_spider
    zap_spider.start_spider_by_url(target)
  File "/zap-client/zapclient/spider/zap_abstract_spider.py", line 103, in start_spider_by_url
    self.start_spider(url=url, spider_config=self.get_spider_config)
  File "/zap-client/zapclient/spider/zap_spider_http.py", line 159, in start_spider
    self.wait_until_spider_finished()
  File "/zap-client/zapclient/spider/zap_abstract_spider.py", line 180, in wait_until_spider_finished
    self.print_spider_summary()
  File "/zap-client/zapclient/spider/zap_spider_http.py", line 332, in print_spider_summary
    elif num_urls < self.failIfFoundUrlsLessThan:
AttributeError: 'ZapConfigureSpiderHttp' object has no attribute 'failIfFoundUrlsLessThan'
2024-04-17 11:33 ZapClient    INFO    : :: Show all Statistics
2024-04-17 11:33 ZapClient    INFO    : [{'https://stage.example.com': [{'stats.code.404': 4, 'stats.contentType.text/html': 4, 'stats.responseTime.128': 2, 'stats.responseTime.64': 2}]}]
2024-04-17 11:33 ZapClient    INFO    : :: Shutting down the running ZAP Instance.

As @dhavalsimaria I didn't face this error - Unexpected error: The script couldn't be loaded due to errors!

I recon that maybe the current ZAP version used in secureCodeBox is below version 2.9.0 to which failIfFoundUrlsLessThan attribute was added.

2 replies

J12934 Apr 17, 2024
Maintainer

secureCodeBox is using the latest ZAP 2.14.0 since secureCodeBox v4.2.0: 5b96405

Your error @Abhinandan-Khurana looks different as it's not related to script but seems to be zap-advanced complaining about a missing configuration property. Hard to say with just the stack trace. Please also note that we are working on depracating all ZAP scantypes other than the ZAP automation framework as this is now the officially recommended way to automate zap. See: #2387

Abhinandan-Khurana Apr 17, 2024

Ohh, Alright 👍

hamza86 · 2024-06-13T10:05:55Z

hamza86
Jun 13, 2024

Hi all,
I faced the same issue but managed to solve it by reverse engineering zap-advanced helm chart.

The examples in the zap-advanced documentation explain how to configure zap-advanced, but they forgot to detail how the Helm chart is set up for zap-advanced. Specifically, there are three containers: zap-parser, zap-advanced, and zap-stable in the zap-advanced Helm chart. All these containers share the scanner.extraVolumes configuration. All examples refer to how to configure the zap-advanced container, which is responsible for converting the provided configuration YAML and calling zap-stable.

If you mount a config map with your js script for the zap-advanced container, zap-stable when it receives the request with the name, filepath, etc., will look for the file path in the zap-stable container, which is not mounted.

Solution:
override the helm file and use the section scanner.extravolumes to mount your configmap or your volume etc.. Then mount the volume to zap stable.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

How to add custom authentication script? #1767

{{title}}

Replies: 3 comments 3 replies

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

{{title}}

{{title}}

Select a reply

How to add custom authentication script? #1767

dhavalsimaria Jun 16, 2023

Replies: 3 comments · 3 replies

J12934 Jun 16, 2023 Maintainer

dhavalsimaria Jul 5, 2023 Author

Abhinandan-Khurana Apr 17, 2024

J12934 Apr 17, 2024 Maintainer

Abhinandan-Khurana Apr 17, 2024

hamza86 Jun 13, 2024

dhavalsimaria
Jun 16, 2023

Replies: 3 comments 3 replies

J12934
Jun 16, 2023
Maintainer

dhavalsimaria Jul 5, 2023
Author

Abhinandan-Khurana
Apr 17, 2024

J12934 Apr 17, 2024
Maintainer

hamza86
Jun 13, 2024