PAC Custom Authentication


Authentication

The Web Authentication API (also referred to as WebAuthn) uses asymmetric (public-key) cryptography instead of passwords or SMS texts for registering, authenticating, and second-factor authentication with websites. This has some benefits:

  • Protection against phishing: an attacker who creates a fake login website can't log in as the user, because the signature changes with the origin of the website.
  • Reduced impact of data breaches: developers don't need to hash the public key, and if an attacker gets access to the public key used to verify the authentication, they still can't authenticate because the private key is needed.
  • Invulnerable to password attacks: some users reuse passwords, and an attacker may obtain a user's password for another website (e.g. via a data breach). Also, text passwords are much easier to brute-force than a digital signature.

Where we should use custom authentication

Use custom authentication when you have a static token, or when the flow for obtaining a token is too complex to automate. With this flow we can set the token as a JWT in a header, or set a cookie as the session token.

Prancer authenticated pentesting

Prancer tries to support different authentication methods such as form-based, JWT, cookie, OAuth, etc. Since applications require authentication to reach all of their paths, the Prancer pentest scanner must be authenticated in order to send requests to the APIs and pages that sit behind the auth middleware.

To set up authentication, we first need to create a scanner. The following steps are required before configuring authentication:

  • go to the 'PAC Wizard' page
  • select the cloud type
  • select the collection and connector (the scanner will be created in the resources that the selected connector has access to)
  • enter the application information
  • select an existing or new instance to run the pentest
  • define the target domain or select it from existing resources

At this step you should see the authentication page. (image: ../img/pac/authentications/custom/Auth_screen.png)

After you select the custom authentication type, you should select a key vault (if you're using AWS, select Secrets Manager) that holds the token value as a secret, so that it can be passed to the PAC file. Let's take a look at the other fields:

Field: Authorization place
Sample values: header, session, body
Description: Where the custom token is placed. If the token needs to be sent as a cookie, select session.

Field: AuthorizationKey
Sample values: Authorization
Description: The name under which the token is set, e.g. the header name. Any header name can be used as the authorization key.

Field: AuthorizationToken
Sample values: (token value)
Description: The secret name in the key vault or secrets manager whose value is used as the token.

Field: AuthorizationTokenType
Sample values: Bearer
Description: The prefix the scanner places before the token value in the header. It can also be an empty string.

The finished authentication page looks like the one below: (image: ../img/pac/authentications/custom/Auth_custom.png)

and the resulting PAC YAML file:

Collection: test_azure_pac_auto2
ConnectionName: test_azure_pac_auto2_connector
CloudType: azure
ApplicatioName: test_juice
RiskLevel: safe
Compliance:
- CIS
ApplicationType: WebScan
Schedule: onetime
Target: http://prancersampleapp01.eastus2.cloudapp.azure.com:8008
Scanner:
  Cloud:
    Platform:
      Azure:
        ContainerInstance:
          AfterRun: delete
          NewContainerInstance:
            External:
              SubscriptionId:  a6941677-****-****-****-*****
              ResourceGp: shahin-test
              Region: westus
              ContainerGroupName: prancer-scanner-group
              ContainerName: prancer-pentest-instance
              ResourceName: prancer-instances
AuthenticationMethod: customAuthentication
Authentication:
  CustomAuth:
    AuthorizationType: header
    AuthorizationKey: Authorization
    AuthorizationTokenType: Bearer
    AuthorizationTokenValue: TokenJuice2
  Vault:
    Azure:
      KeyVaultName: sampleKeyVault
      SubscriptionID: a6941677-****-****-****-*****
      Region: westus
      ResourceGp: sample-test
# All the addons ID listed on link https://www.zaproxy.org/addons.
AddOns:
#  - accessControl
#  - ascanrulesAlpha
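The example below is added to this page to show how a scanner can consume the CustomAuth block above: the token placement (header, session or body), the key name, the prefix, and the fact that the PAC file stores only the secret's name while the vault holds the value. It is illustrative code written for this documentation, not Prancer's implementation. The vault is a constructed dictionary standing in for Azure Key Vault or AWS Secrets Manager, the token value is constructed, and the PreparedRequest model and the redact helper for scanner logs are assumptions.

```python
"""Added example for this page: applying a PAC CustomAuth block to a request.

Illustrative code written for the documentation, not Prancer's own code.
The vault is a constructed dict standing in for Key Vault / Secrets Manager.
"""
from dataclasses import dataclass, field
from typing import Any, Dict

# Constructed: the CustomAuth block from the PAC file above, as a dict.
SAMPLE_CUSTOM_AUTH: Dict[str, str] = {
    "AuthorizationType": "header",             # header | session | body
    "AuthorizationKey": "Authorization",       # header / cookie / body field name
    "AuthorizationTokenType": "Bearer",        # prefix placed before the token
    "AuthorizationTokenValue": "TokenJuice2",  # secret *name* in the vault
}

# Constructed stand-in for the vault: secret name -> secret value.
FAKE_VAULT: Dict[str, str] = {"TokenJuice2": "constructed-token-value-0123"}

VALID_PLACES = ("header", "session", "body")


@dataclass
class PreparedRequest:
    """Minimal request model (assumption): the three places a token can go."""
    headers: Dict[str, str] = field(default_factory=dict)
    cookies: Dict[str, str] = field(default_factory=dict)
    body: Dict[str, Any] = field(default_factory=dict)


def resolve_secret(vault: Dict[str, str], secret_name: str) -> str:
    """Look up the token by its secret name; the PAC file never holds the value."""
    try:
        return vault[secret_name]
    except KeyError:
        raise KeyError(f"secret {secret_name!r} not found in vault") from None


def format_token(prefix: str, token: str) -> str:
    """'Bearer' + token -> 'Bearer <token>'; an empty prefix yields the bare token."""
    prefix = (prefix or "").strip()
    return f"{prefix} {token}" if prefix else token


def apply_custom_auth(custom_auth: Dict[str, str], vault: Dict[str, str],
                      request: PreparedRequest) -> PreparedRequest:
    """Inject the configured token into the header, cookie jar or body."""
    place = custom_auth["AuthorizationType"]
    if place not in VALID_PLACES:
        raise ValueError(f"AuthorizationType must be one of {VALID_PLACES}, got {place!r}")
    key = custom_auth["AuthorizationKey"]
    token = resolve_secret(vault, custom_auth["AuthorizationTokenValue"])
    value = format_token(custom_auth.get("AuthorizationTokenType", ""), token)
    if place == "header":
        request.headers[key] = value
    elif place == "session":
        request.cookies[key] = value  # sent as "Cookie: key=value"
    else:
        request.body[key] = value
    return request


def redact(request: PreparedRequest, vault: Dict[str, str]) -> Dict[str, Any]:
    """Copy of the request that is safe for scanner logs: secret values masked."""
    secrets = set(vault.values())

    def scrub(v: Any) -> Any:
        if isinstance(v, str):
            for s in secrets:
                v = v.replace(s, "***")
        return v

    return {
        "headers": {k: scrub(v) for k, v in request.headers.items()},
        "cookies": {k: scrub(v) for k, v in request.cookies.items()},
        "body": {k: scrub(v) for k, v in request.body.items()},
    }


if __name__ == "__main__":
    req = apply_custom_auth(SAMPLE_CUSTOM_AUTH, FAKE_VAULT, PreparedRequest())
    print(req.headers)              # {'Authorization': 'Bearer constructed-token-value-0123'}
    print(redact(req, FAKE_VAULT))  # headers become {'Authorization': 'Bearer ***'}
```

Switching AuthorizationType to session with an empty AuthorizationTokenType reproduces the cookie case from the field table: the bare secret value lands in the cookie jar under the configured key and nothing is added to the headers. Keeping the secret name rather than the value in the PAC file is what allows the file to be committed and shared without exposing the token.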