What other Authentication techniques does purpleteam need to support?

[binarymist]

Current Behavior:

We have username and password SUT login.

Proposed Behavior:

• Research and document which other authentication techniques purpleteam needs to support
• Start looking at authentication techniques for APIs with Zap (OAuth flows and how to provide tokens, etc.)
  • https://faun.pub/automating-authenticated-api-vulnerability-scanning-with-owasp-zap-eaddba0c2e94
• MFA
  • https://groups.google.com/g/zaproxy-users/c/Nmydxd67UOc
  • OTPs sent to phone
    • We use an online virtual cell phone with API to receive sms and push notification
    • Forwarding of notifications or SMS to email. Script email retrieval
    • @ricekot mentioned on #project-zap: With time-based OTP (TOTP) you can use the secret to generate an OTP and use that for authentication. See ICTU/zap2docker-auth-weekly@44971a8, But the application you're testing would have to support that
• WebAuthn which replace passwords
  • https://webauthn.guide/
  • https://auth0.com/blog/introduction-to-web-authentication/
  • Selenium Support
    • https://stackoverflow.com/questions/63477115/selenium-tests-authenticate-with-webauthn
    • Add support the WebAuthn Automation API SeleniumHQ/selenium#7753
  • http://solokeys.com/ mentioned by μSec in InfoSecNZ
• Work out a plan to implement
• Create issue(s) to implement

How It Would Benefit You:

Build Users would be able to provide authentication details to purpleteam other than username and password so that purpleteam can authenticate with the SUT

Notes:

• Zaproxy had a google doc somewhere that listed all it's authentication techniques. Finding where this is documented would be a good place to start
• Possibly put a survey out to find out what Devs and their Teams need

Resources

• https://secret.club/2021/06/28/windows11-tpms.html

Scratch

• https://www.zaproxy.org/docs/desktop/start/features/authmethods/
• https://www.zaproxy.org/docs/desktop/start/features/scripts/
• https://www.zaproxy.org/docs/desktop/start/features/authentication/
• https://www.google.com/search?q=zaproxy+authentication+script+example
• https://www.zaproxy.org/docs/desktop/ui/dialogs/session/context-auth/#script-based-authentication
• https://github.com/zaproxy/community-scripts/tree/main/authentication

[psiinon]

ZAP auth doc :) https://docs.google.com/document/d/1LSg8CMb4LI5yP-8jYDTVJw1ZIJD2W_WDWXLtJNk3rsQ/edit#heading=h.c6na86mvp3pz