
Including Keycloak authentication for docker OWASP ZAP container

I'm working on a solution that involves running the owasp/zap2docker-stable image in order to fully scan a web app that implements Keycloak for authentication and user management.

If I'm understanding correctly I would need to include a context file with auth details such as user/password, login form target URLs and having the assumption that the authentication method is Form-based when executing a `docker run`. If I'm not wrong and have followed information on the web correctly, it would seem that this context file should be created and exported from the ZAP UI app.

My questions are as follows:

  • Is it confirmed that Keycloak uses form-based authentication?
  • Am I correct in understanding that the context file has to be created, exported and supplied to `docker run` commands for this to happen?
  • Are there any specific steps that I would need to take note of when creating the context file?
  • How could I confirm that the login process occurred successfully?

No idea about Keycloak but you are right about the ZAP context file. Although if you can authenticate to your app using a header then you can just set that via an env var.

ZAP maintains stats - see https://www.zaproxy.org/docs/internal-statistics/ and search for "auth" in the key. You can test those via scan hooks: https://www.zaproxy.org/docs/docker/scan-hooks/

Alternatively you can wait until the Automation Framework fully supports authentication - that's hopefully going to be soon but no ETA. In any case you'll still need to set up and test the auth in the ZAP desktop first.
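As an added example (not code from the answer, the ZAP project or the asker), here is what "test those via scan hooks" can look like in practice: a `zap_hooks.py` file for the docker scan scripts that, just before ZAP shuts down, pulls the `stats.auth.*` counters for the target site and fails the run when no successful login was recorded. Assumptions: the hook names `zap_started(zap, target)` and `zap_pre_shutdown(zap)` and the hook-file mechanism are as described on the scan-hooks page linked above; the stat key names (`stats.auth.success`, `stats.auth.failure`, `stats.auth.state.loggedin`, `stats.auth.state.loggedout`) are those from the internal-statistics page and should be checked against it; `zap.stats.site_stats()` from the Python ZAP API client returns a flat key/value mapping with string values; and an exception raised in the hook is not swallowed by the scan script. The `login_verdict` logic is independent of ZAP and can be unit-tested on a constructed stats dict.

```python
"""zap_hooks.py: added example of a ZAP docker scan hook that checks ZAP's
internal auth statistics after a scan.  Not ZAP project code.  Hook names,
stat key names and the shape of site_stats() output are assumptions taken
from the linked ZAP docs; verify them against those pages."""
from urllib.parse import urlsplit

# Stat keys assumed from https://www.zaproxy.org/docs/internal-statistics/
AUTH_SUCCESS = "stats.auth.success"
AUTH_FAILURE = "stats.auth.failure"
STATE_LOGGED_IN = "stats.auth.state.loggedin"
STATE_LOGGED_OUT = "stats.auth.state.loggedout"

TARGET_SITE = None  # remembered by zap_started(), used by zap_pre_shutdown()


def auth_stats_summary(stats):
    """Pick the auth counters out of a raw stats mapping.  The API returns
    values as strings, so coerce to int; missing or unparsable keys count
    as 0 so a partial response never crashes the check."""
    summary = {}
    for key in (AUTH_SUCCESS, AUTH_FAILURE, STATE_LOGGED_IN, STATE_LOGGED_OUT):
        try:
            summary[key] = int(stats.get(key, 0))
        except (TypeError, ValueError):
            summary[key] = 0
    return summary


def login_verdict(stats):
    """Return (ok, reason).  ok is True only if at least one login succeeded
    and ZAP saw the 'logged in' state at least as often as 'logged out'
    (a logged-out majority usually means the logged-in/out indicator regex
    in the context is wrong, so the scan ran unauthenticated anyway)."""
    s = auth_stats_summary(stats)
    if s[AUTH_SUCCESS] == 0:
        if s[AUTH_FAILURE] > 0:
            return False, (f"{s[AUTH_FAILURE]} failed login(s) and no success: "
                           "check the user credentials and login URL in the context")
        return False, "no auth attempts recorded: the context or user was probably not applied"
    if s[STATE_LOGGED_OUT] > s[STATE_LOGGED_IN]:
        return False, (f"{s[AUTH_SUCCESS]} login(s) succeeded but ZAP judged the session logged "
                       f"out more often than logged in ({s[STATE_LOGGED_OUT]} vs "
                       f"{s[STATE_LOGGED_IN]}): check the logged-in/logged-out indicator")
    return True, (f"{s[AUTH_SUCCESS]} successful login(s), "
                  f"{s[STATE_LOGGED_IN]} request(s) seen in logged-in state")


def site_of(target):
    """Reduce a target URL to the scheme://host[:port] form ZAP keys sites by."""
    parts = urlsplit(target)
    return f"{parts.scheme}://{parts.netloc}"


def zap_started(zap, target):
    """Hook (assumed signature): ZAP is up; remember the site for the final check."""
    global TARGET_SITE
    TARGET_SITE = site_of(target)


def zap_pre_shutdown(zap):
    """Hook (assumed signature): fetch the auth stats and fail loudly if the
    login never happened, so an unauthenticated scan is not mistaken for a clean one."""
    stats = zap.stats.site_stats(site=TARGET_SITE, keyprefix="stats.auth")
    ok, reason = login_verdict(stats)
    print(f"[auth-check] {'PASS' if ok else 'FAIL'}: {reason}")
    if not ok:
        raise RuntimeError("authentication check failed: " + reason)
```

Mount the file into the container alongside the context file and point the scan script at it with its hook option (see the scan-hooks page for the exact flag); the PASS/FAIL line then answers the last question in the post without having to read the whole scan log.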
