Merge pull request #216 from kingthorin/auth-fw4

auth tests: Use report for further details

Author: thc202

.gitignore

@@ -13,5 +13,5 @@
 
 # Workflows & scans
 # ------------------
-*/output
+output/
 scans/auth/all_vars.env

scans/auth/README.md

@@ -9,7 +9,7 @@
 
 ## Types
 
-- bba - Browser Based Auth
+- stdbba - Browser Based Auth
 - bbaplus - Browser Based Auth with manual config or extra steps
 - csa - Client Script Auth
 
@@ -18,4 +18,4 @@
 
 # One-offs
 
-1. To run a one-off: `docker run --rm -v $(pwd):/zap/wrk/:rw --env-file scans/auth/all_vars.env -t zaproxy/zap-nightly /zap/zap.sh -cmd -autorun /zap/wrk/scans/auth/plans_and_scripts/testfire/bba.yaml`.
+1. To run a one-off: `docker run --rm -v $(pwd):/zap/wrk/:rw --env-file scans/auth/all_vars.env -t zaproxy/zap-nightly /zap/zap.sh -cmd -autorun /zap/wrk/scans/auth/plans_and_scripts/testfire/bbaplus.yaml`.

scans/auth/auth_plan_tests.sh

@@ -7,12 +7,17 @@ runplan()
     FILE=$2
     TYPE=$3
     echo "Target: $TARGET Plan: $FILE"
-    echo -ne "$INDENT$TYPE"|tee -a "$OUTPUT" > /dev/null
+    echo -ne "$INDENT"- type: "$TYPE\n"|tee -a "$OUTPUT" > /dev/null
+    echo -ne "$INDENT$INDENT"auth:|tee -a "$OUTPUT" > /dev/null
 
     /zap/zap.sh -cmd -autorun "$FILE"
     RET=$?
-    AUTHREPORT=../../auth-report.json
-
+    if [[ $TYPE == "stdbba" ]]
+    then
+        AUTHREPORT=../../auth-report.json
+    else
+        AUTHREPORT=auth-report.json
+    fi
     if [ -f $AUTHREPORT ]
     then
         echo "Using data from the authentication report"
@@ -23,6 +28,7 @@ runplan()
             echo "PASS"
             echo " true"|tee -a "$OUTPUT" > /dev/null
             summary="${summary}  Plan: $TYPE\tPASS\n"
+            getreportdetails $AUTHREPORT
         else
             if [ "$AUTH" != "false" ]
             then
@@ -31,6 +37,7 @@ runplan()
             echo "ERROR"
             echo " false"|tee -a "$OUTPUT" > /dev/null
             summary="${summary}  Plan: $TYPE\tERROR\n"
+            getreportdetails $AUTHREPORT
             RES=1
         fi 
         rm $AUTHREPORT
@@ -50,6 +57,19 @@ runplan()
     fi
 }
 
+getreportdetails()
+{
+    AUTHREPORT=$1
+    USER_SUCCESS=`jq -r '.summaryItems[] | select(.key == "auth.summary.username") | .passed' $AUTHREPORT`
+    echo "$INDENT$INDENT"username: $USER_SUCCESS|tee -a "$OUTPUT" > /dev/null
+    PASS_SUCCESS=`jq -r '.summaryItems[] | select(.key == "auth.summary.password") | .passed' $AUTHREPORT`
+    echo "$INDENT$INDENT"password: $PASS_SUCCESS|tee -a "$OUTPUT" > /dev/null
+    SESS_SUCCESS=`jq -r '.summaryItems[] | select(.key == "auth.summary.session") | .passed' $AUTHREPORT`
+    echo "$INDENT$INDENT"session: $SESS_SUCCESS|tee -a "$OUTPUT" > /dev/null
+    VERIF_SUCCESS=`jq -r '.summaryItems[] | select(.key == "auth.summary.verif") | .passed' $AUTHREPORT`
+    echo "$INDENT$INDENT"verification: $VERIF_SUCCESS|tee -a "$OUTPUT" > /dev/null
+}
+
 RES=0
 
 mkdir -p /zap/wrk/output
@@ -85,24 +105,24 @@ do
             export username=$(eval echo \$\{TARGET\}_user)
             export zapusername=${!username}
 
-            runplan $TARGET /zap/wrk/scans/auth/bba-auth-test.yaml "stdbba:"
+            runplan $TARGET /zap/wrk/scans/auth/bba-auth-test.yaml "stdbba"
         else
             echo "No $TARGET/config file"
         fi
 
         shopt -s nullglob  # May be no yaml files
         for file in *.yaml
         do
-            runplan $TARGET /zap/wrk/scans/auth/plans_and_scripts/$TARGET/$file $(echo "$file"|cut -d"." -f1)":"
+            runplan $TARGET /zap/wrk/scans/auth/plans_and_scripts/$TARGET/$file $(echo "$file"|cut -d"." -f1)
             sleep 2
         done
         shopt -u nullglob
 
         if [ -f notes.txt ]
         then
             echo -ne "$INDENT"|tee -a "$OUTPUT" > /dev/null
-            echo -ne "note: "|tee -a "$OUTPUT" > /dev/null
-            echo \""$(cat notes.txt)"\"|tee -a "$OUTPUT" > /dev/null
+            echo -ne "- note: "|tee -a "$OUTPUT" > /dev/null
+            echo "\"$(cat notes.txt)\""|tee -a "$OUTPUT" > /dev/null
         fi
         cd ..
     fi

scans/auth/plans_and_scripts/testfire/bbaplus.yaml

@@ -27,12 +27,35 @@ env:
         password: ${testfire_pass}
         username: ${testfire_user}
 jobs:
+- type: passiveScan-config
+  parameters:
+    disableAllRules: true
+  rules:
+  - name: Authentication Request Identified
+    id: 10111
+    threshold: medium
+  - name: Session Management Response Identified
+    id: 10112
+    threshold: medium
+  - name: Verification Request Identified
+    id: 10113
+    threshold: medium
 - type: requestor
   parameters:
     user: testuser
   requests:
-  - name: Get Account Details
-    url: 'http://testfire.net/bank/showAccount?listAccounts=800002'
-    method: GET
-    responseCode: 200
-
+  - url: http://testfire.net
+- type: passiveScan-wait
+  parameters: {}
+- name: auth-test-report
+  type: report
+  parameters:
+    template: auth-report-json
+    theme: null
+    reportDir: .
+    reportFile: auth-report.json
+    reportTitle: ZAP by Checkmarx Scanning Report
+  sections:
+  - summary
+  - afenv
+  - statistics

scans/auth/plans_and_scripts/testfire/csa.yaml

@@ -20,12 +20,35 @@ env:
         Username: ${testfire_user}
         Password: ${testfire_pass}
 jobs:
+- type: passiveScan-config
+  parameters:
+    disableAllRules: true
+  rules:
+  - name: Authentication Request Identified
+    id: 10111
+    threshold: medium
+  - name: Session Management Response Identified
+    id: 10112
+    threshold: medium
+  - name: Verification Request Identified
+    id: 10113
+    threshold: medium
 - type: requestor
   parameters:
     user: testuser
   requests:
-  - name: Get Account Details
-    url: 'http://testfire.net/bank/showAccount?listAccounts=800002'
-    method: GET
-    responseCode: 200
-
+  - url: http://testfire.net
+- type: passiveScan-wait
+  parameters: {}
+- name: auth-test-report
+  type: report
+  parameters:
+    template: auth-report-json
+    theme: null
+    reportDir: .
+    reportFile: auth-report.json
+    reportTitle: ZAP by Checkmarx Scanning Report
+  sections:
+  - summary
+  - afenv
+  - statistics