PAC Custom Authentication
The Web Authentication API (also referred to as WebAuthn) uses asymmetric (public-key) cryptography instead of passwords or SMS texts for registering, authenticating, and second-factor authentication with websites. This has some benefits:
- Protection against phishing: an attacker who sets up a fake login website cannot log in as the user, because the signature is bound to the origin of the website.
- Reduced impact of data breaches: developers do not need to hash the public key, and an attacker who obtains the public key used to verify authentication still cannot authenticate, because that requires the private key.
- Invulnerable to password attacks: some users reuse passwords, and an attacker may obtain a user's password for another website (e.g. via a data breach). Text passwords are also much easier to brute-force than a digital signature.
Where we should use custom authentication
Custom authentication should be used when we have a static token, or when obtaining the token requires a complicated flow. With this flow we can set the token as a JWT in a header, or even set a cookie as the session token.
Prancer authenticated pentesting
Prancer supports different authentication methods such as form-based, JWT, cookie, OAuth, etc. Since applications protect their paths with authentication, the Prancer pentest scanner must itself be authenticated to send requests to the APIs and pages behind the auth middleware and scan all paths.
To set up authentication, we first need to create a scanner. The following steps are required before the authentication configuration:
- go to the 'PAC Wizard' page
- select the cloud type
- select the collection and connector (the scanner will be created in the resources the selected connector has access to)
- enter the application information
- select an existing or new instance to run the pentest
- define the target domain or select one from the existing resources
After these steps you should see the authentication page.
After you select the custom authentication type, select a key vault (if you're using AWS you need to select Secrets Manager) so the token value can be read from it as a secret and passed to the PAC file. Let's take a look at the other fields:
| Field | Values / example | Description |
|---|---|---|
| Authorization place | header, session, body | Where the custom token is placed. If the token needs to be used as a cookie, select session. |
| AuthorizationKey | e.g. Authorization | Any header name can be used as the authorization key; this is the name of the authentication parameter set in the header. |
| AuthorizationToken | token value | The secret name from the key vault or secret manager whose value is used as the token. |
| AuthorizationTokenType | e.g. Bearer | Prefix the scanner sets before the token value in the header. It can also be an empty string. |
So finally the authentication page looks like the one below:
And finally we can see our PAC YAML file:
```yaml
Collection: test_azure_pac_auto2
ConnectionName: test_azure_pac_auto2_connector
CloudType: azure
ApplicatioName: test_juice
RiskLevel: safe
Compliance:
  - CIS
ApplicationType: WebScan
Schedule: onetime
Target: http://prancersampleapp01.eastus2.cloudapp.azure.com:8008
Scanner:
  Cloud:
    Platform:
      Azure:
        ContainerInstance:
          AfterRun: delete
          NewContainerInstance:
            External:
              SubscriptionId: a6941677-****-****-****-*****
              ResourceGp: shahin-test
              Region: westus
              ContainerGroupName: prancer-scanner-group
              ContainerName: prancer-pentest-instance
              ResourceName: prancer-instances
AuthenticationMethod: customAuthentication
Authentication:
  CustomAuth:
    AuthorizationType: header
    AuthorizationKey: Authorization
    AuthorizationTokenType: Bearer
    AuthorizationTokenValue: TokenJuice2
  Vault:
    Azure:
      KeyVaultName: sampleKeyVault
      SubscriptionID: a6941677-****-****-****-*****
      Region: westus
      ResourceGp: sample-test
# All the addons ID listed on link https://www.zaproxy.org/addons.
AddOns:
  # - accessControl
  # - ascanrulesAlpha
```
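The following added example (not Prancer's own code) shows how the four CustomAuth fields above combine into what the scanner attaches to each request: the vault lookup is simulated with a dict, the secret value is constructed, and it is assumed that `session` maps to a cookie and `body` to a body parameter, both named by AuthorizationKey.

```python
# Added example: resolve the CustomAuth block of a PAC file into the header,
# cookie, or body parameter attached to every scanner request.
# The vault is simulated; all names and values below are constructed.

# Constructed stand-in for the parsed `Authentication.CustomAuth` block.
CUSTOM_AUTH = {
    "AuthorizationType": "header",             # header | session | body
    "AuthorizationKey": "Authorization",       # header / cookie / body field name
    "AuthorizationTokenType": "Bearer",        # prefix before the token; may be ""
    "AuthorizationTokenValue": "TokenJuice2",  # secret *name* looked up in the vault
}

# Constructed stand-in for the key vault: secret name -> secret value.
FAKE_VAULT = {"TokenJuice2": "eyJhbGciOiJIUzI1NiJ9.constructed.signature"}


def resolve_token(auth: dict, vault: dict) -> str:
    """Look the secret name up in the vault and apply the optional type prefix."""
    secret_name = auth["AuthorizationTokenValue"]
    if secret_name not in vault:
        # Fail closed: scanning unauthenticated would silently miss protected paths.
        raise KeyError(f"secret {secret_name!r} not found in vault")
    prefix = (auth.get("AuthorizationTokenType") or "").strip()
    token = vault[secret_name]
    # An empty prefix yields the bare token with no leading space.
    return f"{prefix} {token}" if prefix else token


def build_request_auth(auth: dict, vault: dict) -> dict:
    """Return the headers, cookies and body fields to send with each request."""
    place = auth["AuthorizationType"].strip().lower()
    key = auth["AuthorizationKey"]
    value = resolve_token(auth, vault)
    if place == "header":
        return {"headers": {key: value}, "cookies": {}, "body": {}}
    if place == "session":
        # Cookie-based session token, named by AuthorizationKey.
        return {"headers": {}, "cookies": {key: value}, "body": {}}
    if place == "body":
        return {"headers": {}, "cookies": {}, "body": {key: value}}
    raise ValueError(f"unsupported AuthorizationType: {place!r}")


if __name__ == "__main__":
    print(build_request_auth(CUSTOM_AUTH, FAKE_VAULT))
```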