PAC Custom AUTHENTICATION


Authentication

The Web Authentication API (also referred to as WebAuthn) uses asymmetric (public-key) cryptography instead of passwords or SMS texts for registering, authenticating, and second-factor authentication with websites. This has some benefits:

  • Protection against phishing: An attacker who creates a fake login website can't log in as the user, because the signature changes with the origin of the website.
  • Reduced impact of data breaches: Developers don't need to hash the public key, and if an attacker gets access to the public key used to verify the authentication, they still can't authenticate, because that requires the private key.
  • Invulnerable to password attacks: Some users reuse passwords, and an attacker may obtain a user's password for another website (e.g. via a data breach). Text passwords are also much easier to brute-force than a digital signature.

Where we should use custom authentication

Custom authentication is the right choice when we have a static token, or when the flow for obtaining a token is too complex to automate. With this flow we can set the token as a JWT in a header, set a cookie as a session token, or handle the cases where both values (header and cookie) are needed to complete a request.

Prancer authenticated pentesting

Prancer supports several authentication methods, such as form-based, JWT, cookie and OAuth. Since applications protect most of their paths with authentication, the Prancer pentest scanner must itself be authenticated in order to send requests to the APIs and pages behind the auth middleware.

To set up authentication, we first need to create a scanner. The following steps must be completed before the authentication configuration:

  • go to the 'PAC Wizard' page
  • select the cloud type
  • select the collection and connector (the scanner will be created in the resources that the selected connector has access to)
  • enter the application information
  • select an existing or new instance to run the pentest
  • define the target domain, or select it from existing resources

At this step you should see the authentication page (image: ../img/pac/authentications/custom/Auth_screen.png).

After you select the custom authentication type, you should select a key vault (if you're using AWS, you need to select Secrets Manager) so that the token value can be read as a secret and passed to the PAC file. Let's take a look at the other fields:

| Field | Sample values | Description |
|---|---|---|
| Logout URL | ex: https://juiceshop.com/logout | Configures the logout URL. The scanner will not request this URL, because doing so could invalidate the tokens. |
| Authorization Type | header, cookie, both | Where the custom token is placed. The token is sent as a header, as a cookie, or as both, and the corresponding fields must be populated. |
| AuthorizationKey | ex: Authorization | The header name under which the authentication value is sent; any header name can be used. |
| AuthorizationTokenType | ex: Bearer | The prefix the scanner puts before the token value in the header. It can also be an empty string. |
| AuthorizationToken | token value | The secret name in our key vault or secret manager whose value is used as the token. |
| Cookie Key | ex: Cookie | The header name the cookie is sent under; most likely "Cookie". |
| Cookie value | Cookie Value | The cookie value that holds the authentication value. |
| Session Name | ex: Session | Optional; may be added if an additional field needs to be passed in the requests. |
| Session Value | Session Value | The value for the session name to be passed in the request. |
| Extra Fields | Extra fields | Optional; KEY1=VALUE1;KEY2:VALUE2 combinations that, if present, are appended to the cookie. |
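The fields in the table above (and the header / cookie / both cases described under "Where we should use custom authentication") map directly onto the requests the scanner sends. The following is an added example, not Prancer's own code: it takes a CustomAuth block, resolves the token through a vault lookup, builds the request headers for each AuthorizationType, and refuses to crawl the Logout URL. The in-memory vault, the token string, the `resolve_secret`/`build_auth_headers`/`is_logout_url` names and the acceptance of both `=` and `:` as the ExtraFields separator are assumptions made for the example.

```python
"""Added example (not Prancer's code): turn a PAC CustomAuth block into request
headers and decide which URLs the crawler must skip."""

from urllib.parse import urlsplit

# Constructed stand-in for the key vault / secret manager. In the PAC file the
# AuthorizationTokenValue is a secret *name*; the literal token never appears there.
FAKE_VAULT = {"ACCTokenRSD": "eyJhbGciOi.constructed.token"}

# Values copied from the PAC YAML on this page (header-only configuration).
PAC_CUSTOM_AUTH = {
    "AuthorizationType": "header",
    "AuthorizationKey": "Authorization",
    "AuthorizationTokenType": "Bearer",
    "AuthorizationTokenValue": "ACCTokenRSD",
    "CookieKey": "", "CookieValue": "", "SessionName": "", "SessionValue": "",
    "ExtraFields": "",
    "LogoutUrl": "https://juiceshop.com/logout",
}


def resolve_secret(name, vault=FAKE_VAULT):
    """Look the secret name up; fail loudly rather than scanning with an empty token."""
    try:
        return vault[name]
    except KeyError:
        raise KeyError(f"secret {name!r} not found in vault") from None


def parse_extra_fields(extra):
    """Parse 'KEY1=VALUE1;KEY2:VALUE2' into (key, value) pairs.
    Accepting '=' or ':' as separator is an assumption taken from the sample value."""
    pairs = []
    for item in filter(None, (p.strip() for p in extra.split(";"))):
        sep = "=" if "=" in item else ":"
        if sep not in item:
            raise ValueError(f"extra field {item!r} has no key/value separator")
        key, value = item.split(sep, 1)
        pairs.append((key.strip(), value.strip()))
    return pairs


def build_auth_headers(custom_auth, vault=FAKE_VAULT):
    """Translate a CustomAuth block into the headers attached to every scan request."""
    headers = {}
    auth_type = custom_auth["AuthorizationType"].lower()
    if auth_type not in ("header", "cookie", "both"):
        raise ValueError(f"unsupported AuthorizationType {auth_type!r}")

    if auth_type in ("header", "both"):
        token = resolve_secret(custom_auth["AuthorizationTokenValue"], vault)
        prefix = custom_auth.get("AuthorizationTokenType", "")
        # The prefix may be an empty string; strip() avoids a leading space then.
        headers[custom_auth["AuthorizationKey"]] = f"{prefix} {token}".strip()

    if auth_type in ("cookie", "both"):
        parts = []
        if custom_auth.get("CookieValue"):
            parts.append(custom_auth["CookieValue"])
        if custom_auth.get("SessionName"):
            parts.append(f"{custom_auth['SessionName']}={custom_auth.get('SessionValue', '')}")
        parts += [f"{k}={v}" for k, v in parse_extra_fields(custom_auth.get("ExtraFields", ""))]
        if not parts:
            raise ValueError("cookie authentication configured but no cookie values given")
        headers[custom_auth.get("CookieKey") or "Cookie"] = "; ".join(parts)
    return headers


def is_logout_url(url, custom_auth):
    """True when the crawler must skip this URL: requesting LogoutUrl would invalidate the session."""
    logout = urlsplit(custom_auth.get("LogoutUrl", ""))
    target = urlsplit(url)
    if not logout.netloc:
        return False
    return (target.scheme, target.netloc, target.path.rstrip("/")) == (
        logout.scheme, logout.netloc, logout.path.rstrip("/"))


if __name__ == "__main__":
    print(build_auth_headers(PAC_CUSTOM_AUTH))
    print(is_logout_url("https://juiceshop.com/logout/", PAC_CUSTOM_AUTH))
```

Note that the token is only ever resolved from the vault at request-build time and is never written into the PAC file, which is the reason the AuthorizationToken field holds a secret name rather than a value.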

The completed authentication page then looks like this (image: ../img/pac/authentications/custom/Auth_custom.png).

Finally, we can see the generated PAC YAML file:

Collection: test_azure_pac_auto2
ConnectionName: test_azure_pac_auto2_connector
CloudType: azure
ApplicatioName: test_juice
RiskLevel: safe
Compliance:
- CIS
ApplicationType: WebScan
Schedule: onetime
Target: http://prancersampleapp01.eastus2.cloudapp.azure.com:8008
Scanner:
  Cloud:
    Platform:
      Azure:
        ContainerInstance:
          AfterRun: delete
          NewContainerInstance:
            External:
              SubscriptionId:  a6941677-****-****-****-*****
              ResourceGp: shahin-test
              Region: westus
              ContainerGroupName: prancer-scanner-group
              ContainerName: prancer-pentest-instance
              ResourceName: prancer-instances
AuthenticationMethod: customAuthentication
Authentication:
  CustomAuth:
    AuthorizationType: header
    AuthorizationKey: Authorization
    AuthorizationTokenType: Bearer
    AuthorizationTokenValue: ACCTokenRSD
    CookieKey: ""
    CookieValue: ""
    SessionName: ""
    SessionValue: ""
    ExtraFields: ""
    LogoutUrl: https://juiceshop.com/logout
  Vault:
    Azure:
      KeyVaultName: sampleKeyVault
      SubscriptionID: a6941677-****-****-****-*****
      Region: westus
      ResourceGp: sample-test
# All the addons ID listed on link https://www.zaproxy.org/addons.
AddOns:
#  - accessControl
#  - ascanrulesAlpha