PAC OAuth AUTHENTICATION


Overview

This page discusses the use of OAuth authentication for secure pentesting using the Prancer tool. The Web Authentication API is highlighted as a more secure alternative to passwords and SMS texts, as it uses public-key authentication. Prancer supports various authentication methods, including OAuth, and requires authentication to scan all paths in an application. The article provides a step-by-step guide on setting up authentication using the PAC wizard, including selecting the cloud type, collection, and connector, defining the target domain, and configuring the authentication fields such as the Key Vault, login URL, login body template, and client ID. The article also provides a YAML code snippet for the PAC file that includes the OAuth authentication configuration.

Authentication

The Web Authentication API (also referred to as WebAuthn) uses asymmetric (public-key) instead of passwords or SMS texts for registering, authenticating, and second-factor authentication with websites. This has some benefits:

  • Protection against phishing: An attacker who creates a fake login website can't login as the user because the signature changes with the origin of the website.
  • Reduced impact of data breaches: Developers don't need to hash the public key, and if an attacker gets access to the public key used to verify the authentication, it can't authenticate because it needs the private key.
  • Invulnerable to password attacks: Some users might reuse passwords, and an attacker may obtain the user's password for another website (e.g. via a data breach). Also, text passwords are much easier to brute-force than a digital signature.

Prancer authenticated pentesting

Prancer tries to support different authentication methods such as formbase,jwt,cookie,oauth and etc. As all applications have authentication to scan all paths, prancer pentest scanner should be authenticated to send request to the APIs and pages that are behind the auth-middleware.

Note: Oauth flows that require callback cannot be automated using the below explained flow. The callback flows for Oauth have to be manually logged in by the user and provide needed header, cookie or both as part of Custom Authentication. The oauth flow of client secret and credential support is explained below.

For setting up authentication we need to create scanner at first. here are some steps which is required to be setup before auth configuration.

  • go to pac wizard page
  • select cloud type
  • select collection and connector (scanner will be created in the resources which the selected connector has an access)
  • put application information
  • select existing or new instance to run the pentest
  • define target domain or select from existing resources

In this step you should be able to see authentication page. ../img/pac/authentications/oauth/auth_screen.png

So after you select OAuth authentication type, you should select keyvault (if you're using aws ot gcp you need to select secret manager) to find token value as secret and pass it to the pac file. lets take look to the other fields:

Field Sample values Description
Key Vault every key vault which connects has access to it we're going to choose key Vault for selecting secrets like user name and password or etc.
Login URL ex: https://sample.com/login In this field should put complete url for login, by this field scanner will be able to find where should login request send to.
Logout URL ex: https://sample.com/logout In this field you should put logout url, this field will be exclude from URLs to prevent logging out the scanner user
Login body template ex: {"username":"%username%","password":"%password%"} This field will help scanner to find out which format is valid format for sending request to login url
LoginIndicator regex string After scanner send request to authentication URL, it will get response and findout if loginIndicator regex compile is success or failed. If success scanner will be understand that authentication was success and it will extract token from authenticatoin response.
Client ID select clientId from keyvault secrets after we choose keyvault or secret manager we need to select clientId, client secret and tenantId. These variables should be select from the keyvault or secret manager secrets.
Client Secret select client secret from keyvault secrets after we choose keyvault or secret manager we need to select clientId, client secret and tenantId. These variables should be select from the keyvault or secret manager secrets.
Tenant ID select tenantId from keyvault secrets after we choose keyvault or secret manager we need to select clientId, client secret and tenantId. These variables should be select from the keyvault or secret manager secrets.

so finaly we have authentication page like below : ../img/pac/authentications/oauth/oauth_full.png

and finally we're able to see our pac yaml file

Collection: scenario_azure_cspm
ConnectionName: scenario_azure_cspm_connector
CloudType: azure
ApplicatioName: Oauth Azure App
RiskLevel: standard
Compliance:
- CIS
ApplicationType: WebScan
Schedule: onetime
Target: http://prancersampleapp01.eastus2.cloudapp.azure.com:8888
Scanner:
  Cloud:
    Platform:
      Azure:
        ContainerInstance:
          AfterRun: delete
          NewContainerInstance:
            External:
              SubscriptionId: a6941677-4c37-42fb-960c-dad8f25060a3
              ResourceGp: shahin-test
              Region: westus
              ContainerGroupName: prancer-scanner-group
              ContainerName: prancer-pentest-instance
              ResourceName: prancer-instances
AuthenticationMethod: oauthAuthentication
Authentication:
  Vault:
    Azure:
      KeyVaultName: shahinKeyVault123Test
      SubscriptionID: a6941677-4c37-42fb-960c-dad8f25060a3
      Region: westus
      ResourceGp: shahin-test
  oAuth:
    LoginBodyTemplate: identifier={"username":"%username%","password":"%password%"}
    LoginIndicator: XFE8YSBocmVmPSIvdXNlci9sb2dvdXQiPkxvZ291dDwvYT5cRQ==
    clientId: clientIdVaultKey
    clientSecret: clientSecretVaultKey
    tenantId: tenantIdVaultKey
    LoginUrl: https://example.com/login
    LogoutUrl: https://example.com/logout
# All the addons ID listed on link https://www.zaproxy.org/addons.
AddOns:
#  - accessControl
#  - ascanrulesAlpha