Monday, 10 April 2023

How to use OWASP ZAP with JSON-based authentication to test an API

1. Install the demo app to test against

- install Docker

- run this command (it pulls and starts OWASP Juice Shop in the background, listening on port 3000):

docker run -d -p 3000:3000 bkimminich/juice-shop

- the frontend is now reachable at localhost:3000


2. Open OWASP ZAP and enter the URL of the page you want to test

- Quick Start > URL to explore > enter the URL: localhost:3000 > Launch Browser

(if launching the browser fails, change the browser version configured in ZAP so that it matches the version of your installed Chrome browser)

* You can also call the API from Postman (configure Postman to use OWASP ZAP as its proxy; ZAP listens on 127.0.0.1:8080 by default)


3. Register an account

Email: test@test.com Password: testtest


4. Log in with the account

Email: test@test.com Password: testtest

Browse some pages in the app so that ZAP records both unauthenticated and authenticated requests


5. Open OWASP ZAP: the History tab lists the pages you accessed

- The image below is the request to the whoami API made while not logged in, http://localhost:3000/rest/user/whoami; it returns an empty user (no email).

- The image below is the request to the login API, http://localhost:3000/rest/user/login; it returns a token.

- The image below is the request to the whoami API made while logged in, http://localhost:3000/rest/user/whoami; it returns the user info.

6. Include the site localhost:3000 in a context

- Right-click the site localhost:3000 > Include Site in Context > New Context

Rename the context to JsonBaseAuth (or any name you want) > Click OK


7. Designate the login request for authentication

Right-click the login API request (http://localhost:3000/rest/user/login) > Flag as Context > JsonBaseAuth: JSON-based Auth Login Request

Check that the configuration matches the image below (ZAP fills in the login URL and the POST data from the request; make sure the username parameter is mapped to the email field and the password parameter to the password field of the JSON body) > Click OK


8. Add a user that OWASP ZAP will log in as during the test

- Double-click the context JsonBaseAuth > Users > Add > enter a user name (Test1 is used below) and the credentials test@test.com / testtest > Click OK


9. Add a Session Management script so that OWASP ZAP can read the token returned by the login API

- In the Scripts tree, open Session Management > New Script > enter the script settings as in the image below
(name: SessionScriptJShop.js, type: Session Management) > Save > Click OK

* Note: depending on the data the server returns, the access token may be named "token" or "access_token"
(this depends on the server's API). The configuration below reads the token from the field named "token";
if the server returns the access token under another name you have to edit the SessionScriptJShop.js file accordingly.

- Save the script file: right-click the file SessionScriptJShop.js > Save Script > Save
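The content of the session management script is not shown on the page, so here is an added example of one, written for this tutorial; it is not the author's SessionScriptJShop.js and not a script shipped by the ZAP project. The hook names (extractWebSession, processMessageToMatchSession, clearWebSessionIdentifiers, getRequiredParamsNames, getOptionalParamsNames) are the ones ZAP's Session Management script template defines and calls; the helpers findToken, extractToken and authHeaders, the key list TOKEN_KEYS and the sample response are my own. It addresses the note above: it accepts "token" or "access_token" (and nested objects such as Juice Shop's {"authentication":{"token":...}}), so the script does not need editing when the field name differs.

```javascript
// Added example of a ZAP Session Management script for a JSON login API.
// Hook functions follow ZAP's script template; helpers and constants are mine.

// Candidate JSON keys that may hold the access token, most common first.
var TOKEN_KEYS = ["token", "access_token", "accessToken", "jwt"];

// Constructed sample, shaped like Juice Shop's /rest/user/login response.
var SAMPLE_LOGIN_RESPONSE =
  '{"authentication":{"token":"eyJhbGciOi.header.sig","bid":1,"umail":"test@test.com"}}';

// Depth-first search of a parsed JSON value for the first TOKEN_KEYS entry
// holding a non-empty string. Handles both {"access_token":"..."} at the top
// level and nested shapes such as {"authentication":{"token":"..."}}.
function findToken(node) {
  if (node === null || typeof node !== "object") return null;
  for (var i = 0; i < TOKEN_KEYS.length; i++) {
    var v = node[TOKEN_KEYS[i]];
    if (typeof v === "string" && v.length > 0) return v;
  }
  var keys = Object.keys(node); // works for arrays too (index keys)
  for (var k = 0; k < keys.length; k++) {
    var found = findToken(node[keys[k]]);
    if (found !== null) return found;
  }
  return null;
}

// Parse a login response body; returns the token, or null for
// invalid JSON or a body with no token (e.g. a failed login).
function extractToken(body) {
  var parsed;
  try {
    parsed = JSON.parse(body);
  } catch (e) {
    return null;
  }
  return findToken(parsed);
}

// Headers ZAP must attach to replay a request as the logged-in user.
// Juice Shop's REST API reads the Bearer header; the frontend also keeps
// the token in a "token" cookie, so both are set (matching step 13).
function authHeaders(token) {
  return { "Authorization": "Bearer " + token, "Cookie": "token=" + token };
}

// ---- ZAP hooks: called by ZAP, with a SessionWrapper argument ----

// Called with the login response: store the token in the ZAP session.
function extractWebSession(sessionWrapper) {
  var body = sessionWrapper.getHttpMessage().getResponseBody().toString();
  var token = extractToken(body);
  if (token !== null) {
    sessionWrapper.getSession().setValue("token", token);
  }
}

// Called before each request ZAP sends as this user: attach the token.
function processMessageToMatchSession(sessionWrapper) {
  var token = sessionWrapper.getSession().getValue("token");
  if (token === null || token === undefined) return; // not logged in yet
  var header = sessionWrapper.getHttpMessage().getRequestHeader();
  var h = authHeaders(String(token));
  header.setHeader("Authorization", h["Authorization"]);
  header.setHeader("Cookie", h["Cookie"]);
}

// Strip credentials so ZAP can send an unauthenticated request and
// recognise the logged-out state through the logged-out indicator.
function clearWebSessionIdentifiers(sessionWrapper) {
  var header = sessionWrapper.getHttpMessage().getRequestHeader();
  header.setHeader("Authorization", null); // null removes the header in ZAP
  header.setHeader("Cookie", null);
}

// No extra parameters are needed in the context's Session Management panel.
function getRequiredParamsNames() { return []; }
function getOptionalParamsNames() { return []; }
```

The script uses only ES5 syntax (var, function) so it runs unchanged on ZAP's Nashorn and Graal JavaScript engines; paste it into the SessionScriptJShop.js script created in the Scripts tree and save it before loading it into the context in the next step.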


10. Load SessionScriptJShop.js into the context

- Double-click the context JsonBaseAuth > Session Management > select Script-based
Session Management > select the script SessionScriptJShop.js > Click Load > Click OK


11. Set the logged-in indicator

Right-click the whoami API request made while logged in (http://localhost:3000/rest/user/whoami)

> select the Response tab

> select the text 'email'

> right-click the selected text

> Flag as Context

> JsonBaseAuth: Authentication Logged-in indicator

Adjust the configuration as in the image below (ZAP turns the selected text into the regex \Qemail\E, which only matches an authenticated whoami response) > Click OK


12. Set the logged-out indicator

Right-click the whoami API request made while not logged in (http://localhost:3000/rest/user/whoami)

> select the Response tab

> select the whole response body

> right-click

> Flag as Context

> JsonBaseAuth: Authentication Logged-out indicator

Check that the configuration matches the image below > Click OK


13. The OWASP ZAP configuration for JSON-based authentication is complete; test the API

Test procedure:

> Right-click the context JsonBaseAuth

> Active Scan

> Select User: Test1

> Click Start Scan

=> You will see that every API request ZAP sends carries the Bearer token and the cookie stored at login, so the scan runs as the authenticated user

Thank you.
