purpleteam icon indicating copy to clipboard operation
purpleteam copied to clipboard

Published 20 hours ago verified publisher icon purpleteam-labs

What other Authentication techniques does purpleteam need to support?

Open binarymist opened this issue 4 years ago • 1 comments
trafficstars

Current Behavior:

We have username and password SUT login.

Proposed Behavior:

  • [ ] Research and document which other authentication techniques purpleteam needs to support
  • [ ] Start looking at authentication techniques for APIs with Zap (OAuth flows and how to provide tokens, etc.)
    • https://faun.pub/automating-authenticated-api-vulnerability-scanning-with-owasp-zap-eaddba0c2e94
  • [ ] MFA
    • https://groups.google.com/g/zaproxy-users/c/Nmydxd67UOc
    • OTPs sent to phone
      • We use an online virtual cell phone with API to receive sms and push notification
      • Forwarding of notifications or SMS to email. Script email retrieval
      • @ricekot mentioned on #project-zap: With time-based OTP (TOTP) you can use the secret to generate an OTP and use that for authentication. See https://github.com/ICTU/zap-baseline/commit/44971a8f35ffb9c0580790e519f2b292f38e9f3e, But the application you're testing would have to support that
  • [ ] WebAuthn which replace passwords
    • https://webauthn.guide/
    • https://auth0.com/blog/introduction-to-web-authentication/
    • Selenium Support
      • https://stackoverflow.com/questions/63477115/selenium-tests-authenticate-with-webauthn
      • https://github.com/SeleniumHQ/selenium/issues/7753
    • http://solokeys.com/ mentioned by μSec in InfoSecNZ
  • [ ] Work out a plan to implement
  • [ ] Create issue(s) to implement

How It Would Benefit You:

Build Users would be able to provide authentication details to purpleteam other than username and password so that purpleteam can authenticate with the SUT

Notes:

  • [ ] Zaproxy had a google doc somewhere that listed all it's authentication techniques. Finding where this is documented would be a good place to start
  • [ ] Possibly put a survey out to find out what Devs and their Teams need

Resources

  • https://secret.club/2021/06/28/windows11-tpms.html

Scratch

  • https://www.zaproxy.org/docs/desktop/start/features/authmethods/
  • https://www.zaproxy.org/docs/desktop/start/features/scripts/
  • https://www.zaproxy.org/docs/desktop/start/features/authentication/
  • https://www.google.com/search?q=zaproxy+authentication+script+example
  • https://www.zaproxy.org/docs/desktop/ui/dialogs/session/context-auth/#script-based-authentication
  • https://github.com/zaproxy/community-scripts/tree/main/authentication

binarymist avatar Feb 13 '21 23:02 binarymist

ZAP auth doc :) https://docs.google.com/document/d/1LSg8CMb4LI5yP-8jYDTVJw1ZIJD2W_WDWXLtJNk3rsQ/edit#heading=h.c6na86mvp3pz

psiinon avatar Feb 14 '21 17:02 psiinon