Including Keycloak authentication for docker OWASP ZAP container
I'm working on a solution that involves running the owasp/zap2docker-stable image in order to fully scan a web app that implements Keycloak for authentication and user management.
If I'm understanding correctly, I would need to include a context file with auth details such as user/password and login form target URLs, assuming that the authentication method is form-based, when executing a docker run. If I'm not wrong and have followed the information on the web correctly, it would seem that this context file should be created and exported from the ZAP UI app.
My questions are as follows:
No idea about Keycloak but you are right about the ZAP context file. Although if you can authenticate to your app using a header then you can just set that via an env var.
ZAP maintains stats - see https://www.zaproxy.org/docs/internal-statistics/ and search for "auth" in the key. You can test those via scan hooks https://www.zaproxy.org/docs/docker/scan-hooks/
Alternatively you can wait until the Automation Framework fully supports authentication - that's hopefully going to be soon but no ETA. In any case you'll still need to set up and test the auth in the ZAP desktop first.
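As an added example that is not part of the original thread, here is a hypothetical scan-hook file that follows the answer's suggestion of checking ZAP's auth statistics from a hook, so a failing form-based login shows up in the container log instead of silently producing an unauthenticated scan. It assumes the `zap_started`/`zap_pre_shutdown` hook names from the scan-hooks page, the `zap.stats.site_stats` call of the python-owasp-zap-v2.4 client that the packaged scan scripts pass in, and the `stats.auth.success`/`stats.auth.failure` key names from the internal-statistics page; verify those keys against your ZAP version.

```python
"""Hypothetical scan-hook file, e.g. mounted into the container and passed to
zap-baseline.py / zap-full-scan.py with --hook; not part of the ZAP project."""
from urllib.parse import urlsplit

# Key prefix to search for; see https://www.zaproxy.org/docs/internal-statistics/
AUTH_PREFIX = "stats.auth"
_target = None  # remembered in zap_started so zap_pre_shutdown can query the site


def site_for(target):
    """Reduce a target URL to the scheme://host[:port] form ZAP keys site stats by
    (assumption: ZAP groups site statistics by that prefix)."""
    parts = urlsplit(target)
    return f"{parts.scheme}://{parts.netloc}"


def summarize_auth_stats(stats):
    """Turn a {stat_key: count} dict (as returned by zap.stats.site_stats) into a
    verdict about the configured authentication. Counts may arrive as strings
    from the JSON API, so they are coerced to int; unrelated keys are ignored."""
    counts = {k: int(v) for k, v in stats.items() if k.startswith(AUTH_PREFIX)}
    success = counts.get("stats.auth.success", 0)
    failure = counts.get("stats.auth.failure", 0)
    if success == 0 and failure == 0:
        verdict = "no-auth-attempted"   # context/user not wired into the scan at all
    elif success == 0:
        verdict = "auth-failing"        # login never succeeded: credentials/URLs wrong
    elif failure > 0:
        verdict = "auth-unstable"       # logged in, but sessions were lost mid-scan
    else:
        verdict = "auth-ok"
    return {"success": success, "failure": failure, "verdict": verdict}


def zap_started(zap, target):
    """Hook called by the scan script once ZAP is up; keep the target for later."""
    global _target
    _target = target


def zap_pre_shutdown(zap):
    """Hook called just before ZAP shuts down; zap is the API client the scan
    script created. Prints the verdict so it lands in the docker logs."""
    stats = zap.stats.site_stats(site_for(_target), AUTH_PREFIX)
    summary = summarize_auth_stats(stats)
    print(f"Authentication statistics for {_target}: {summary}")
    if summary["verdict"] != "auth-ok":
        print("WARNING: scan may have run unauthenticated; check the context file")
```

A verdict other than auth-ok means the alerts in the report were largely gathered from login and error pages rather than the authenticated application.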