From e242143081003a9154a88ba8fa672d7fbb5e8de5 Mon Sep 17 00:00:00 2001
From: Simon Bennetts
Date: Fri, 21 Feb 2025 17:01:30 +0000
Subject: [PATCH] Add AF / BrowserAuthTest

Signed-off-by: Simon Bennetts
---
 other/CHANGELOG.md | 3 ++
 other/af-plans/BrowserAuthTest.yaml | 66 +++++++++++++++++++++++++++++
 2 files changed, 69 insertions(+)
 create mode 100644 other/af-plans/BrowserAuthTest.yaml

diff --git a/other/CHANGELOG.md b/other/CHANGELOG.md
index d70821d9..4c0f9feb 100644
--- a/other/CHANGELOG.md
+++ b/other/CHANGELOG.md
@@ -3,6 +3,9 @@ All notable changes to the 'other' section of this repository will be documented
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
+### 2025-02-21
+- Added af-plans/BrowserAuthTest.yaml
+
 ### 2024-08-30
 - Added af-plans/ApiScanExample.yaml
diff --git a/other/af-plans/BrowserAuthTest.yaml b/other/af-plans/BrowserAuthTest.yaml
new file mode 100644
index 00000000..a932b62b
--- /dev/null
+++ b/other/af-plans/BrowserAuthTest.yaml
@@ -0,0 +1,66 @@
+---
+# A plan which aims to work out how to configure authentication given the following env vars:
+# ZAP_SITE The target site, e.g. https://www.example.com - must not include the path or a trailing slash
+# ZAP_LOGIN_URL The URL of the login page, e.g. https://www.example.com/login
+# ZAP_USER A valid username
+# ZAP_PASSWORD The associated password
+#
+# The report generated will give full details of the session handling and verification details found.
+# For details see https://www.zaproxy.org/docs/desktop/addons/authentication-helper/auth-report-json/
+env:
+  contexts:
+  - name: Default Context
+    urls:
+    - ${ZAP_SITE}
+    includePaths:
+    - ${ZAP_SITE}.*
+    authentication:
+      method: browser
+      parameters:
+        browserId: firefox-headless
+        loginPageUrl: ${ZAP_LOGIN_URL}
+        loginPageWait: 5
+      verification:
+        method: autodetect
+    sessionManagement:
+      method: autodetect
+    technology: {}
+    users:
+    - name: test-user
+      credentials:
+        username: ${ZAP_USER}
+        password: ${ZAP_PASSWORD}
+  parameters: {}
+jobs:
+- type: passiveScan-config
+  parameters:
+    disableAllRules: true
+  rules:
+  - name: Authentication Request Identified
+    id: 10111
+    threshold: medium
+  - name: Session Management Response Identified
+    id: 10112
+    threshold: medium
+  - name: Verification Request Identified
+    id: 10113
+    threshold: medium
+- type: requestor
+  parameters:
+    user: test-user
+  requests:
+  - url: ${ZAP_SITE}
+- type: passiveScan-wait
+  parameters: {}
+- name: auth-test-report
+  type: report
+  parameters:
+    template: auth-report-json
+    theme: null
+    reportDir: .
+    reportFile: auth-report.json
+    reportTitle: ZAP by Checkmarx Scanning Report
+    sections:
+    - summary
+    - afenv
+    - statistics
\ No newline at end of file
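Review bot: The context include pattern `- ${ZAP_SITE}.*` is a regex that matches any URL merely starting with the site, so with `ZAP_SITE=https://www.example.com` a host such as `https://www.example.com.attacker.tld/` would also be in context (ZAP include patterns appear to be full-match regexes with nothing anchoring the host boundary, and the unescaped dots widen it further). With only the single requestor job in this plan the exposure is small, but as an example plan it will likely be copied and extended, and a spider or redirect would then carry the logged-in session to such a host. Tightening it to `- ${ZAP_SITE}(/.*)?` keeps the documented no-trailing-slash contract for ZAP_SITE while limiting the context to the site itself and its paths. Separately, the report is written to `reportDir: .` and the header comment says it holds full session-handling details, so I would add above the report job `# NOTE: report may contain session token details - write it to a controlled location and do not commit it` (whether token values are actually included should be confirmed against the linked auth-report docs).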