Add AF / BrowserAuthTest #479

Merged
merged 1 commit into from
Mar 3, 2025
3 changes: 3 additions & 0 deletions other/CHANGELOG.md
@@ -3,6 +3,9 @@ All notable changes to the 'other' section of this repository will be documented

The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).

### 2025-02-21
- Added af-plans/BrowserAuthTest.yaml

### 2024-08-30
- Added af-plans/ApiScanExample.yaml

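Review bot: The new changelog entry at `### 2025-02-21` only names the file; a short description of what the plan does (browser-based authentication test that produces an auth-report-json) would help readers scanning this list, in the same way the header comment of the YAML file explains it. Also note the entry date (2025-02-21) differs from the merge date shown on this page (Mar 3, 2025); if the section date is meant to be the release/merge date, consider aligning it.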
@@ -0,0 +1,66 @@
---
# A plan which aims to work out how to configure authentication given the following env vars:
# ZAP_SITE The target site, e.g. https://www.example.com - must not include the path or a trailing slash
# ZAP_LOGIN_URL The URL of the login page, e.g. https://www.example.com/login
# ZAP_USER A valid username
# ZAP_PASSWORD The associated password
#
# The report generated will give full details of the session handling and verification details found.
# For details see https://www.zaproxy.org/docs/desktop/addons/authentication-helper/auth-report-json/
env:
contexts:
- name: Default Context
urls:
- ${ZAP_SITE}
includePaths:
- ${ZAP_SITE}.*
authentication:
method: browser
parameters:
browserId: firefox-headless
loginPageUrl: ${ZAP_LOGIN_URL}
loginPageWait: 5
verification:
method: autodetect
sessionManagement:
method: autodetect
technology: {}
users:
- name: test-user
credentials:
username: ${ZAP_USER}
password: ${ZAP_PASSWORD}
parameters: {}
jobs:
- type: passiveScan-config
parameters:
disableAllRules: true
rules:
- name: Authentication Request Identified
id: 10111
threshold: medium
- name: Session Management Response Identified
id: 10112
threshold: medium
- name: Verification Request Identified
id: 10113
threshold: medium
- type: requestor
parameters:
user: test-user
requests:
- url: ${ZAP_SITE}
- type: passiveScan-wait
parameters: {}
- name: auth-test-report
type: report
parameters:
template: auth-report-json
theme: null
reportDir: .
reportFile: auth-report.json
reportTitle: ZAP by Checkmarx Scanning Report
sections:
- summary
- afenv
- statistics
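Review bot: The header comment lists the four env vars but not the prerequisite implied by `browserId: firefox-headless`, namely that a Firefox installation must be available to ZAP where the plan runs; adding that to the comment block would save users a failed first run. Two smaller points in the same file: the `includePaths` value `${ZAP_SITE}.*` is a regex, so any `.` inside `ZAP_SITE` (e.g. `www.example.com`) is an unescaped wildcard, which is harmless for a test plan but worth a one-line comment so nobody copies the pattern into a production context expecting an exact host match; and since the report's `sections` include `afenv` while the env defines `password: ${ZAP_PASSWORD}`, it is worth confirming that the generated `auth-report.json` does not echo the credential value before users are encouraged to share the report, and documenting that in the header either way.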