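<?xml version="1.0" encoding="UTF-8"?>
<!--
  OWASP ZAP Authentication Context Template

  Configure this file for form-based, HTTP, or script-based authentication.

  NOTE(review): this is a hand-written template. The element names follow the
  general shape of a ZAP context export, but some sections here
  (sessioncookies, users/credentials, anticsrf, globalexcludeurl) may not match
  what a given ZAP release imports. Compare against a context exported from your
  own ZAP version before relying on this file.

  Keep this file free of a DOCTYPE (no entities, no external subset) so it can
  be parsed safely with DTD processing disabled.
-->
<configuration>
  <context>
    <!-- Context name and description -->
    <name>WebApp-Auth-Context</name>
    <desc>Authentication context for web application security testing</desc>

    <!-- Enable context -->
    <inscope>true</inscope>

    <!-- URL scope definition -->
    <!-- ZAP evaluates context regexes as whole-URL matches. Keep the include
         anchored to the target host so the spider and scanner never follow
         links off-domain. Point this at a non-production instance: an
         authenticated active scan creates, modifies and deletes data. -->
    <incregexes>https://app\.example\.com/.*</incregexes>

    <!-- Exclude logout endpoints so the spider/scanner does not terminate its
         own session mid-scan. The trailing .* also covers query-string
         variants such as /logout?next=/ which a bare /logout regex would miss.
         Trade-off: the excluded endpoints are never tested themselves
         (e.g. logout CSRF); cover them in a separate unauthenticated run. -->
    <excregexes>https://app\.example\.com/logout.*</excregexes>
    <excregexes>https://app\.example\.com/signout.*</excregexes>

    <!-- Exclude static content -->
    <excregexes>https://app\.example\.com/static/.*</excregexes>
    <excregexes>.*\.css</excregexes>
    <excregexes>.*\.js</excregexes>
    <excregexes>.*\.png|.*\.jpg|.*\.gif</excregexes>

    <!-- Technology detection: limits active-scan rules to the listed stack.
         Remove entries if the target stack is unknown; an over-narrow list
         silently skips checks. -->
    <tech>
      <include>Language</include>
      <include>Language.JavaScript</include>
      <include>OS</include>
      <include>OS.Linux</include>
      <include>WS</include>
    </tech>

    <!-- Authentication configuration -->
    <authentication>
      <!--
        Authentication types:
        - formBasedAuthentication: traditional login forms
        - httpAuthentication: HTTP Basic/Digest/NTLM
        - scriptBasedAuthentication: custom authentication via script
      -->
      <type>formBasedAuthentication</type>

      <!-- Form-based authentication -->
      <form>
        <!-- Login URL: the endpoint the credentials are POSTed to -->
        <loginurl>https://app.example.com/login</loginurl>

        <!-- Login request body (POST parameters).
             {%username%} and {%password%} are the placeholders ZAP substitutes
             from the selected user's credentials.
             NOTE(review): {%csrf_token%} is not a ZAP placeholder. The csrf_token
             parameter is kept here so ZAP can recognise it as an anti-CSRF token
             (see the anticsrf token names below) and refresh its value from the
             login page URL before submitting; confirm this behaviour against your
             ZAP version, otherwise the literal string is sent and login fails. -->
        <loginbody>username={%username%}&amp;password={%password%}&amp;csrf_token={%csrf_token%}</loginbody>

        <!-- Login page URL (where the login form is displayed). ZAP fetches
             this first to obtain a fresh anti-CSRF token. -->
        <loginpageurl>https://app.example.com/login</loginpageurl>
      </form>

      <!-- HTTP authentication (uncomment if using) -->
      <!--
      <http>
        <realm>Protected Area</realm>
        <hostname>app.example.com</hostname>
        <port>443</port>
      </http>
      -->

      <!-- Logged-in indicator: regex that appears only in responses served to
           an authenticated session. This is how ZAP decides whether
           authentication succeeded, so it must NOT occur on the login page or
           on error pages. For example, \QWelcome,\E breaks if the login page
           says "Welcome, please sign in". Verify the pattern against real
           responses for both states before scanning. -->
      <loggedin>\QWelcome,\E</loggedin>
      <!-- Alternative patterns:
      <loggedin>\QLogout\E</loggedin>
      <loggedin>\Qdashboard\E</loggedin>
      <loggedin>class="user-menu"</loggedin>
      -->

      <!-- Logged-out indicator: regex that appears only when the session is
           invalid. Prefer a phrase unique to the login page; generic words
           such as "Login" or "Sign In" often also appear in the navigation
           of authenticated pages and cause needless re-authentication. -->
      <loggedout>\QYou are not logged in\E</loggedout>
      <!-- Alternative patterns:
      <loggedout>\QLogin\E</loggedout>
      <loggedout>\QSign In\E</loggedout>
      -->

      <!-- Poll URL for session verification (optional). Requested with an
           empty body (GET) every pollfreq requests/seconds depending on the
           ZAP strategy in use; it must itself require authentication and
           must not have side effects, since it is hit repeatedly. -->
      <pollurl>https://app.example.com/api/session/verify</pollurl>
      <polldata></polldata>
      <pollfreq>60</pollfreq>
    </authentication>

    <!-- Session management -->
    <sessionManagement>
      <!--
        Session management types:
        - cookieBasedSessionManagement: session via cookies (most common)
        - httpAuthSessionManagement: HTTP authentication
        - scriptBasedSessionManagement: custom session handling
      -->
      <type>cookieBasedSessionManagement</type>

      <!-- Session cookies to monitor. Remove names the target does not use;
           extra entries are harmless but make failures harder to diagnose. -->
      <sessioncookies>
        <cookie>JSESSIONID</cookie>
        <cookie>PHPSESSID</cookie>
        <cookie>sessionid</cookie>
        <cookie>session_token</cookie>
      </sessioncookies>
    </sessionManagement>

    <!-- Test users.
         Credentials in this file are plaintext. Use dedicated low-privilege
         test accounts on a non-production target, never a real user's
         password, and do not commit real values to source control; inject
         them at run time instead. -->
    <users>
      <!-- User 1: standard test user -->
      <user>
        <name>testuser</name>
        <enabled>true</enabled>
        <credentials>
          <credential>
            <name>username</name>
            <value>testuser</value>
          </credential>
          <credential>
            <name>password</name>
            <value>TestPassword123!</value>
          </credential>
          <!-- CSRF token (if needed). Normally left unset: the token is
               per-request and is refreshed by ZAP from the login page. -->
          <!--
          <credential>
            <name>csrf_token</name>
            <value></value>
          </credential>
          -->
        </credentials>
      </user>

      <!-- User 2: admin user (if testing authorization). Disabled by default
           so an active scan does not run with elevated rights unless that is
           explicitly intended; enable it only for access-control comparisons. -->
      <user>
        <name>adminuser</name>
        <enabled>false</enabled>
        <credentials>
          <credential>
            <name>username</name>
            <value>adminuser</value>
          </credential>
          <credential>
            <name>password</name>
            <value>AdminPassword123!</value>
          </credential>
        </credentials>
      </user>
    </users>

    <!-- Forced user mode (for authorization testing).
         When true, every request is sent as the selected user, which lets you
         replay admin-discovered URLs as testuser to find vertical privilege
         escalation. -->
    <forcedUserMode>false</forcedUserMode>

    <!-- Data-driven nodes: marks a variable path segment as data so each
         distinct value (e.g. /api/users/1, /api/users/2) is treated as one
         node instead of a separate page to spider and scan. -->
    <datadrivennodes>
      <node>
        <name>user_id</name>
        <url>https://app.example.com/api/users/{user_id}</url>
      </node>
    </datadrivennodes>
  </context>

  <!-- Global exclude URLs (applied to all contexts): third-party hosts that
       must not be scanned. NOTE: https://cdn\..* excludes any host beginning
       with "cdn.", including a first-party cdn.app.example.com if one exists;
       tighten the pattern if such a host serves application content. -->
  <globalexcludeurl>
    <regex>https://.*\.googleapis\.com/.*</regex>
    <regex>https://.*\.google-analytics\.com/.*</regex>
    <regex>https://.*\.googletagmanager\.com/.*</regex>
    <regex>https://cdn\..*</regex>
  </globalexcludeurl>

  <!-- Anti-CSRF token configuration -->
  <anticsrf>
    <!-- Enable anti-CSRF token handling: ZAP re-fetches the form and
         substitutes a fresh token before replaying requests that carry one
         of the names below. Without this, token-protected forms return
         4xx during scanning and the checks behind them are skipped. -->
    <enabled>true</enabled>

    <!-- Token names to automatically detect and handle -->
    <tokennames>
      <tokenname>csrf_token</tokenname>
      <tokenname>csrftoken</tokenname>
      <tokenname>_csrf</tokenname>
      <tokenname>authenticity_token</tokenname>
      <tokenname>__RequestVerificationToken</tokenname>
    </tokennames>
  </anticsrf>
</configuration>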