PAC Form-Based Authentication
Overview
This page shows how Prancer supports different authentication methods such as form-based, JWT, cookie, OAuth, and others, so that the scanner can reach all paths behind the auth middleware. The Web Authentication API (WebAuthn) uses asymmetric (public-key) cryptography instead of passwords or SMS texts for registering, authenticating, and second-factor authentication with websites. Prancer allows users to create a scanner by selecting the cloud type, collection, and connector, and defining the target domain or selecting from existing resources. In the case of form-based authentication, the user needs to select the key vault (or Secrets Manager for AWS) from which the secrets are read and passed to the PAC file. The PAC file includes the login and logout URLs, the login request POST data, the login indicator regex string, the username and password selected from the key vault or Secrets Manager secrets, and other details. The generated PAC file is then used to run the pentest.
Authentication
The Web Authentication API (also referred to as WebAuthn) uses asymmetric (public-key) cryptography instead of passwords or SMS texts for registering, authenticating, and second-factor authentication with websites. This has some benefits:
- Protection against phishing: An attacker who creates a fake login website can't log in as the user, because the signature changes with the origin of the website.
- Reduced impact of data breaches: Developers don't need to hash the public key, and if an attacker gets access to the public key used to verify the authentication, they can't authenticate because that requires the private key.
- Invulnerable to password attacks: Some users reuse passwords, and an attacker may obtain the user's password for another website (e.g. via a data breach). Also, text passwords are much easier to brute-force than a digital signature.
Prancer authenticated pentesting
Prancer supports different authentication methods such as form-based, JWT, cookie, OAuth, and others. Because applications require authentication, the Prancer pentest scanner must itself be authenticated to send requests to the APIs and pages behind the auth middleware and scan all paths.
To set up authentication, a scanner must be created first. The following steps are required before the auth configuration:
- go to the PAC wizard page
- select the cloud type
- select the collection and connector (the scanner will be created in the resources the selected connector has access to)
- enter the application information
- select an existing or new instance to run the pentest
- define the target domain or select it from existing resources
At this step you should see the authentication page.
After selecting the Form Based authentication type, select the key vault (if you're using AWS, select Secrets Manager) from which the secret values are read and passed to the PAC file.
Let's take a look at the other fields:
Field | Sample values | Description
---|---|---
Key Vault | any Key Vault the connector has access to | The Key Vault (or Secrets Manager) from which secrets such as the username and password are selected.
Login URL | ex: https://sample.com/login | The complete login URL; this tells the scanner where to send the login request.
Logout URL | ex: https://sample.com/logout | The logout URL; it is excluded from the scanned URLs so the scanner does not log its own user out.
Login Request POST data | ex: username={%username%}&password={%password%} | The format of the POST data submitted by the login form. For example, identity={%username%}&password={%password%} means the variables the developer uses to send the form data to the server are identity and password. At pentest time, {%username%} and {%password%} are replaced with the values retrieved from Key Vault or Secrets Manager.
LoginIndicator | regex string | After the scanner sends the request to the login URL, it checks whether the LoginIndicator regex matches the response. If it matches, the scanner treats authentication as successful and extracts the token from the authentication response.
username | select the username from the Key Vault secrets | After choosing the Key Vault or Secrets Manager, select the username from its secrets.
password | select the password from the Key Vault secrets | After choosing the Key Vault or Secrets Manager, select the password from its secrets.
The completed authentication page then looks like the one below:
Finally, the generated PAC YAML file is shown:
```yaml
Collection: scenario_azure_cspm
ConnectionName: scenario_azure_cspm_connector
CloudType: azure
ApplicatioName: Formbased Azure App
RiskLevel: standard
Compliance:
  - CIS
ApplicationType: WebScan
Schedule: onetime
Target: http://prancersampleapp01.eastus2.cloudapp.azure.com:8888
Scanner:
  Cloud:
    Platform:
      Azure:
        ContainerInstance:
          AfterRun: delete
          NewContainerInstance:
            External:
              SubscriptionId: a6941677-4c37-42fb-960c-dad8f25060a3
              ResourceGp: shahin-test
              Region: westus
              ContainerGroupName: prancer-scanner-group
              ContainerName: prancer-pentest-instance
              ResourceName: prancer-instances
AuthenticationMethod: formBasedAuthentication
Authentication:
  Vault:
    Azure:
      KeyVaultName: shahinKeyVault123Test
      SubscriptionID: a6941677-4c37-42fb-960c-dad8f25060a3
      Region: westus
      ResourceGp: shahin-test
  FormBaseAuth:
    UsernameSecretKey: userNameVaultKey
    PasswordSecretKey: passwordVaultKey
    LoginUrl: /bodgeit/login.jsp
    LogoutUrl: /bodgeit/logout.jsp
    LoginRequestPostData: username={%username%}&password={%password%}
    LoginIndicator: \Q<a href="logout.jsp">Logout</a>\E
# All the addons ID listed on link https://www.zaproxy.org/addons.
AddOns:
# - accessControl
# - ascanrulesAlpha
```
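The following is an added example, not Prancer's own code, that walks through the form-based login flow the field table and the FormBaseAuth section above describe: the `{%username%}` / `{%password%}` placeholders in LoginRequestPostData are filled from the secrets, the request goes to LoginUrl, the LoginIndicator regex decides whether the login succeeded, and LogoutUrl is excluded from the crawl. The PAC keys and the `\Q...\E` indicator are taken from the page's YAML; everything else is assumed: the secret values are made up, the login endpoint is a constructed fake so the flow runs offline, secret values are form-encoded before substitution (the page does not say whether Prancer does this), and the indicator is treated as a Java/ZAP-style regex, which is why the `\Q...\E` quoting is translated for Python's `re` module.

```python
import re
from urllib.parse import parse_qs, quote, urljoin, urlsplit

# Constructed copy of the FormBaseAuth keys from the page's PAC YAML; the secret
# values below are made up for this example and are not real credentials.
TARGET = "http://prancersampleapp01.eastus2.cloudapp.azure.com:8888"
FORM_BASE_AUTH = {
    "UsernameSecretKey": "userNameVaultKey",
    "PasswordSecretKey": "passwordVaultKey",
    "LoginUrl": "/bodgeit/login.jsp",
    "LogoutUrl": "/bodgeit/logout.jsp",
    "LoginRequestPostData": "username={%username%}&password={%password%}",
    "LoginIndicator": r'\Q<a href="logout.jsp">Logout</a>\E',
}
# Stand-in for the secrets the scanner would read from Key Vault / Secrets Manager.
SECRETS = {"userNameVaultKey": "tester", "passwordVaultKey": "p@ss&word=1"}


def render_post_data(template, username, password):
    """Fill the {%username%} / {%password%} placeholders of LoginRequestPostData.

    The values are form-encoded (an assumption of this example): a secret
    containing '&' or '=' would otherwise be split into extra form fields.
    """
    return (template.replace("{%username%}", quote(username, safe=""))
                    .replace("{%password%}", quote(password, safe="")))


def java_quoted_to_python(pattern):
    """Translate Java/ZAP-style \\Q...\\E literal quoting into Python re syntax.

    Python's re module has no \\Q...\\E, so the quoted text is re.escape'd.
    An unterminated \\Q quotes the rest of the pattern, as in Java.
    """
    pattern = re.sub(r"\\Q(.*?)\\E", lambda m: re.escape(m.group(1)),
                     pattern, flags=re.DOTALL)
    head, sep, tail = pattern.partition("\\Q")
    return head + (re.escape(tail) if sep else "")


def login_succeeded(response_body, login_indicator):
    """True when the LoginIndicator regex matches the post-login response body."""
    return re.search(java_quoted_to_python(login_indicator), response_body) is not None


def is_logout_url(url, target, logout_url):
    """True for the LogoutUrl page, which is excluded from the crawl so the scanner
    does not log its own user out (query string and fragment are ignored)."""
    want, got = urlsplit(urljoin(target, logout_url)), urlsplit(url)
    return (got.scheme, got.netloc, got.path) == (want.scheme, want.netloc, want.path)


def authenticate(auth, target, secrets, post):
    """Run the form login described by the PAC settings.

    `post(url, body)` is injected so the flow can be exercised offline; it must
    return (status, headers, body). Returns (success, session_cookie).
    """
    body = render_post_data(auth["LoginRequestPostData"],
                            secrets[auth["UsernameSecretKey"]],
                            secrets[auth["PasswordSecretKey"]])
    status, headers, text = post(urljoin(target, auth["LoginUrl"]), body)
    ok = status == 200 and login_succeeded(text, auth["LoginIndicator"])
    return ok, (headers.get("Set-Cookie") if ok else None)


def fake_post(url, body):
    """Constructed stand-in for the target application's login endpoint."""
    fields = parse_qs(body)
    if fields.get("username") == ["tester"] and fields.get("password") == ["p@ss&word=1"]:
        return (200, {"Set-Cookie": "JSESSIONID=constructed-session-id; Path=/"},
                '<html><body><a href="logout.jsp">Logout</a></body></html>')
    return 200, {}, '<html><body>Invalid credentials <a href="login.jsp">Login</a></body></html>'


if __name__ == "__main__":
    ok, cookie = authenticate(FORM_BASE_AUTH, TARGET, SECRETS, fake_post)
    print("authenticated:", ok, "cookie:", cookie)
    print("skip logout page:",
          is_logout_url(TARGET + "/bodgeit/logout.jsp", TARGET, FORM_BASE_AUTH["LogoutUrl"]))
```

The indicator check is the part worth getting right: a pattern that also matches the failed-login page (for example a bare `Logout` word that appears in a footer) makes the scanner believe it is authenticated and silently scan only the unauthenticated surface, so the pattern should be anchored on markup that only the logged-in page renders, as the `\Q<a href="logout.jsp">Logout</a>\E` value on the page does.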