PAC Custom AUTHENTICATION
Authentication
The Web Authentication API (also referred to as WebAuthn) uses asymmetric (public-key) cryptography instead of passwords or SMS texts for registering, authenticating, and second-factor authentication with websites. This has some benefits:
- Protection against phishing: An attacker who creates a fake login website can't log in as the user, because the signature changes with the origin of the website.
- Reduced impact of data breaches: Developers don't need to hash the public key, and if an attacker gets access to the public key used to verify the authentication, they can't authenticate because they need the private key.
- Invulnerable to password attacks: Some users reuse passwords, and an attacker may obtain the user's password for another website (e.g. via a data breach). Text passwords are also much easier to brute-force than a digital signature.
When to use custom authentication
Use custom authentication when you have a static token, or when the flow for obtaining a token is too involved for the scanner to automate. With this method the scanner can send the token as a JWT (or any bearer token) in a request header, or set it as a session cookie.
Prancer authenticated pentesting
Prancer supports several authentication methods, such as form-based, JWT, cookie and OAuth. Because most applications sit behind authentication, the Prancer pentest scanner must itself be authenticated to scan every path: otherwise requests to the APIs and pages behind the auth middleware are rejected, and those paths are never tested.
To set up authentication, first create a scanner. The following steps are required before the authentication configuration:
- Go to the 'PAC Wizard' page
- Select the cloud type
- Select the collection and connector (the scanner will be created in the resources that the selected connector has access to)
- Enter the application information
- Select an existing instance, or a new one, to run the pentest
- Define the target domain, or select it from existing resources
At this step you should see the authentication page.
After selecting the custom authentication type, select the key vault (on AWS, the Secrets Manager) that holds the token value as a secret. The PAC file only stores the secret's name; the scanner resolves it to the token value at scan time, so the token itself never appears in the PAC file. The other fields are:
Field | Sample values | Description |
---|---|---|
Authorization place (`AuthorizationType` in the PAC file) | header, session, body | Where the scanner places the custom token. If the token must be sent as a cookie, select session. |
AuthorizationKey | e.g. Authorization | The name of the header that carries the token. Any header name can be used. |
AuthorizationToken (`AuthorizationTokenValue` in the PAC file) | secret name | The name of the secret in the key vault or secrets manager whose value is used as the token. Select the secret name, not the token value. |
AuthorizationTokenType | e.g. Bearer | The prefix the scanner puts before the token value in the header (`Bearer <token>`). It may be an empty string. |
The completed authentication page then looks like this:
And finally, the generated PAC YAML file:
```yaml
Collection: test_azure_pac_auto2
ConnectionName: test_azure_pac_auto2_connector
CloudType: azure
ApplicatioName: test_juice
RiskLevel: safe
Compliance:
  - CIS
ApplicationType: WebScan
Schedule: onetime
Target: http://prancersampleapp01.eastus2.cloudapp.azure.com:8008
Scanner:
  Cloud:
    Platform:
      Azure:
        ContainerInstance:
          AfterRun: delete
          NewContainerInstance:
            External:
              SubscriptionId: a6941677-****-****-****-*****
              ResourceGp: shahin-test
              Region: westus
              ContainerGroupName: prancer-scanner-group
              ContainerName: prancer-pentest-instance
              ResourceName: prancer-instances
AuthenticationMethod: customAuthentication
Authentication:
  CustomAuth:
    AuthorizationType: header
    AuthorizationKey: Authorization
    AuthorizationTokenType: Bearer
    AuthorizationTokenValue: TokenJuice2
Vault:
  Azure:
    KeyVaultName: sampleKeyVault
    SubscriptionID: a6941677-****-****-****-*****
    Region: westus
    ResourceGp: sample-test
# All add-on IDs are listed at https://www.zaproxy.org/addons.
AddOns:
  # - accessControl
  # - ascanrulesAlpha
```
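As an added example (not Prancer's own code), the following script shows what the `CustomAuth` settings above mean on the wire: the secret name is resolved against the vault, the prefix and token are composed (an empty `AuthorizationTokenType` must not leave a stray leading space), and the credential is placed in a header, a session cookie or the request body according to `AuthorizationType`. It also includes the pre-scan check a practitioner wants before launching an authenticated scan: an anonymous request to a protected URL must be rejected and the authenticated one accepted, otherwise a bad token silently turns the run into an unauthenticated scan. The vault dict, the token value, the target URL, and the assumptions that a `session` token is a cookie named after `AuthorizationKey` and a `body` token is a JSON field named after `AuthorizationKey` are constructed for the example and not stated on the page.

```python
"""Added example (not Prancer code): turn the PAC CustomAuth block into an
authenticated request and check the credential before scanning.

Assumptions (not on the page): for AuthorizationType 'session' the cookie is
named after AuthorizationKey; for 'body' the token becomes a JSON field named
after AuthorizationKey; the vault is modelled as a plain dict.
"""
import json
import urllib.request

# Mirrors the Authentication.CustomAuth block of the PAC YAML above.
CUSTOM_AUTH = {
    "AuthorizationType": "header",
    "AuthorizationKey": "Authorization",
    "AuthorizationTokenType": "Bearer",
    "AuthorizationTokenValue": "TokenJuice2",  # a secret *name*, not the token
}

# Constructed stand-in for Key Vault / Secrets Manager.
FAKE_VAULT = {"TokenJuice2": "eyJhbGciOiJIUzI1NiJ9.e30.constructed-signature"}


def resolve_token(custom_auth, vault):
    """Map the secret name in the PAC file to the secret value.
    Fail loudly rather than scan with an empty credential."""
    name = custom_auth["AuthorizationTokenValue"]
    if not vault.get(name):
        raise KeyError(f"secret {name!r} missing or empty in vault")
    return vault[name]


def credential(custom_auth, token):
    """Prefix + token. An empty or missing AuthorizationTokenType yields the
    bare token with no leading space."""
    prefix = (custom_auth.get("AuthorizationTokenType") or "").strip()
    return f"{prefix} {token}" if prefix else token


def build_request(url, custom_auth, token, body=None):
    """Describe the request (method, url, headers, body) with the token placed
    according to AuthorizationType."""
    place = custom_auth["AuthorizationType"]
    key = custom_auth["AuthorizationKey"]
    value = credential(custom_auth, token)
    req = {"method": "GET", "url": url, "headers": {}, "body": None}
    if place == "header":
        req["headers"][key] = value
    elif place == "session":
        # assumption: cookie named after AuthorizationKey
        req["headers"]["Cookie"] = f"{key}={value}"
    elif place == "body":
        # assumption: JSON field named after AuthorizationKey
        payload = dict(body or {})
        payload[key] = value
        req["method"] = "POST"
        req["headers"]["Content-Type"] = "application/json"
        req["body"] = json.dumps(payload).encode()
    else:
        raise ValueError(f"unsupported AuthorizationType {place!r}")
    return req


def to_urllib(req):
    """Convert the description into a urllib Request for a real send."""
    return urllib.request.Request(req["url"], data=req["body"],
                                  headers=req["headers"], method=req["method"])


def auth_works(fetch_status, url, custom_auth, token):
    """Pre-scan check. fetch_status(req) -> HTTP status code.
    The protected URL must reject an anonymous request (401/403) and accept
    the authenticated one (200); anything else means the scan would not be
    exercising authenticated paths, or the URL is not protected at all."""
    anon = {"method": "GET", "url": url, "headers": {}, "body": None}
    if fetch_status(anon) not in (401, 403):
        return False
    return fetch_status(build_request(url, custom_auth, token)) == 200


if __name__ == "__main__":
    tok = resolve_token(CUSTOM_AUTH, FAKE_VAULT)
    print(build_request("http://target.example/api/me", CUSTOM_AUTH, tok)["headers"])
```

`auth_works` takes the transport as a callable so it can be run against a real target (wrap `urllib.request.urlopen(to_urllib(req))` and return the status, catching `HTTPError` for 401/403) or against a fake in a test; run it once against a known-protected path before starting the scan.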