Add Browser Based Authentication to Client Spider

Signed-off-by: kingthorin <kingthorin@users.noreply.github.com>
zaproxy · Dec 12, 2024 · 274d56b · 274d56b
1 parent 3894fe0
commit 274d56b
Show file tree

Hide file tree

Showing 12 changed files with 373 additions and 4 deletions.
diff --git a/addOns/authhelper/CHANGELOG.md b/addOns/authhelper/CHANGELOG.md
@@ -8,6 +8,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 - Update minimum ZAP version to 2.16.0.
 - Depend on Passive Scanner add-on (Issue 7959).
 - Address deprecation warnings with newer Selenium version (4.27).
+- Optionally depend on the Client Integration add-on to provide Browser Based Authentication to the Client Spider.
 
 ## [0.16.0] - 2024-11-06
 ### Fixed

diff --git a/addOns/authhelper/authhelper.gradle.kts b/addOns/authhelper/authhelper.gradle.kts
@@ -22,6 +22,18 @@ zapAddOn {
                     }
                 }
             }
+            register("org.zaproxy.addon.authhelper.client.ExtensionAuthhelperClient") {
+                classnames {
+                    allowed.set(listOf("org.zaproxy.addon.authhelper.client"))
+                }
+                dependencies {
+                    addOns {
+                        register("client") {
+                            version.set(">=0.10.0")
+                        }
+                    }
+                }
+            }
         }
         dependencies {
             addOns {
@@ -56,6 +68,7 @@ dependencies {
     zapAddOn("pscan")
     zapAddOn("selenium")
     zapAddOn("spiderAjax")
+    zapAddOn("client")
 
     testImplementation(project(":testutils"))
 }
diff --git a/...authhelper/src/main/java/org/zaproxy/addon/authhelper/client/BrowserBasedAuthHandler.java b/...authhelper/src/main/java/org/zaproxy/addon/authhelper/client/BrowserBasedAuthHandler.java
@@ -0,0 +1,43 @@
+/*
+ * Zed Attack Proxy (ZAP) and its related class files.
+ *
+ * ZAP is an HTTP/HTTPS proxy for assessing web application security.
+ *
+ * Copyright 2024 The ZAP Development Team
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.zaproxy.addon.authhelper.client;
+
+import org.zaproxy.addon.authhelper.AuthUtils;
+import org.zaproxy.addon.authhelper.BrowserBasedAuthenticationMethodType;
+import org.zaproxy.addon.client.spider.AuthenticationHandler;
+import org.zaproxy.zap.model.Context;
+import org.zaproxy.zap.users.User;
+
+public class BrowserBasedAuthHandler implements AuthenticationHandler {
+
+    @Override
+    public void enableAuthentication(User user) {
+        Context context = user.getContext();
+        if (context.getAuthenticationMethod()
+                instanceof BrowserBasedAuthenticationMethodType.BrowserBasedAuthenticationMethod) {
+            AuthUtils.enableBrowserAuthentication(context, user.getName());
+        }
+    }
+
+    @Override
+    public void disableAuthentication(User user) {
+        AuthUtils.disableBrowserAuthentication();
+    }
+}
diff --git a/...thhelper/src/main/java/org/zaproxy/addon/authhelper/client/ExtensionAuthhelperClient.java b/...thhelper/src/main/java/org/zaproxy/addon/authhelper/client/ExtensionAuthhelperClient.java
@@ -0,0 +1,85 @@
+/*
+ * Zed Attack Proxy (ZAP) and its related class files.
+ *
+ * ZAP is an HTTP/HTTPS proxy for assessing web application security.
+ *
+ * Copyright 2024 The ZAP Development Team
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.zaproxy.addon.authhelper.client;
+
+import java.util.List;
+import org.parosproxy.paros.Constant;
+import org.parosproxy.paros.control.Control;
+import org.parosproxy.paros.extension.Extension;
+import org.parosproxy.paros.extension.ExtensionAdaptor;
+import org.parosproxy.paros.extension.ExtensionHook;
+import org.zaproxy.addon.client.ExtensionClientIntegration;
+
+public class ExtensionAuthhelperClient extends ExtensionAdaptor {
+
+    public static final String NAME = "ExtensionAuthhelperClient";
+
+    private static final List<Class<? extends Extension>> DEPENDENCIES =
+            List.of(ExtensionClientIntegration.class);
+
+    private BrowserBasedAuthHandler authHandler;
+
+    public ExtensionAuthhelperClient() {
+        super(NAME);
+    }
+
+    @Override
+    public boolean supportsDb(String type) {
+        return true;
+    }
+
+    @Override
+    public void hook(ExtensionHook extensionHook) {
+        super.hook(extensionHook);
+        authHandler = new BrowserBasedAuthHandler();
+        getClientExtension().addAuthenticationHandler(authHandler);
+    }
+
+    private static ExtensionClientIntegration getClientExtension() {
+        return Control.getSingleton()
+                .getExtensionLoader()
+                .getExtension(ExtensionClientIntegration.class);
+    }
+
+    @Override
+    public boolean canUnload() {
+        return true;
+    }
+
+    @Override
+    public void unload() {
+        getClientExtension().removeAuthenticationHandler(authHandler);
+    }
+
+    @Override
+    public List<Class<? extends Extension>> getDependencies() {
+        return DEPENDENCIES;
+    }
+
+    @Override
+    public String getDescription() {
+        return Constant.messages.getString("authhelper.client.desc");
+    }
+
+    @Override
+    public String getUIName() {
+        return Constant.messages.getString("authhelper.client.name");
+    }
+}
diff --git a/.../authhelper/src/main/resources/org/zaproxy/addon/authhelper/resources/Messages.properties b/.../authhelper/src/main/resources/org/zaproxy/addon/authhelper/resources/Messages.properties
@@ -44,6 +44,9 @@ authhelper.auth.test.dialog.tab.test = Test
 
 authhelper.auth.test.dialog.title = Authentication Tester
 
+authhelper.client.desc = Enables browser based authentication when performing an authenticated Client Spider scan.
+authhelper.client.name = Client Spider Browser Based Authentication Support
+
 authhelper.desc = Authentication Helper
 
 authhelper.name = Authentication Helper

diff --git a/.../src/test/java/org/zaproxy/addon/authhelper/client/ExtensionAuthhelperClientUnitTest.java b/.../src/test/java/org/zaproxy/addon/authhelper/client/ExtensionAuthhelperClientUnitTest.java
@@ -0,0 +1,58 @@
+/*
+ * Zed Attack Proxy (ZAP) and its related class files.
+ *
+ * ZAP is an HTTP/HTTPS proxy for assessing web application security.
+ *
+ * Copyright 2024 The ZAP Development Team
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.zaproxy.addon.authhelper.client;
+
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.equalTo;
+import static org.hamcrest.Matchers.is;
+
+import org.junit.jupiter.api.Test;
+import org.zaproxy.addon.authhelper.ExtensionAuthhelper;
+import org.zaproxy.zap.testutils.TestUtils;
+
+class ExtensionAuthhelperClientUnitTest extends TestUtils {
+
+    @Test
+    void shouldHaveName() {
+        // Given
+        ExtensionAuthhelperClient cl = new ExtensionAuthhelperClient();
+        mockMessages(new ExtensionAuthhelper());
+        // When / Then
+        assertThat(cl.getName(), is(equalTo("ExtensionAuthhelperClient")));
+    }
+
+    @Test
+    void shouldHaveUiName() {
+        // Given
+        ExtensionAuthhelperClient cl = new ExtensionAuthhelperClient();
+        mockMessages(new ExtensionAuthhelper());
+        // When / Then
+        assertThat(
+                cl.getUIName(), is(equalTo("Client Spider Browser Based Authentication Support")));
+    }
+
+    @Test
+    void shouldBeUnloadable() {
+        // Given
+        ExtensionAuthhelperClient cl = new ExtensionAuthhelperClient();
+        // When / Then
+        assertThat(cl.canUnload(), is(equalTo(true)));
+    }
+}
diff --git a/addOns/client/CHANGELOG.md b/addOns/client/CHANGELOG.md
@@ -7,6 +7,9 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 ### Changed
 - Update minimum ZAP version to 2.16.0.
 
+### Added
+- Added support for Browser Based Authentication when installed in conjunction with the Auth Helper add-on.
+
 ## [0.9.0] - 2024-11-29
 ### Changed
 - Update minimum ZAP version to 2.15.0.

diff --git a/addOns/client/src/main/java/org/zaproxy/addon/client/ExtensionClientIntegration.java b/addOns/client/src/main/java/org/zaproxy/addon/client/ExtensionClientIntegration.java
@@ -60,6 +60,7 @@
 import org.zaproxy.addon.client.pscan.ClientPassiveScanController;
 import org.zaproxy.addon.client.pscan.ClientPassiveScanHelper;
 import org.zaproxy.addon.client.pscan.OptionsPassiveScan;
+import org.zaproxy.addon.client.spider.AuthenticationHandler;
 import org.zaproxy.addon.client.spider.ClientSpider;
 import org.zaproxy.addon.client.spider.ClientSpiderDialog;
 import org.zaproxy.addon.client.spider.PopupMenuSpider;
@@ -83,6 +84,7 @@
 import org.zaproxy.zap.extension.selenium.ExtensionSelenium;
 import org.zaproxy.zap.extension.selenium.ProfileManager;
 import org.zaproxy.zap.model.ScanEventPublisher;
+import org.zaproxy.zap.users.User;
 import org.zaproxy.zap.utils.DisplayUtils;
 import org.zaproxy.zap.view.ZapMenuItem;
 
@@ -126,6 +128,9 @@ public class ExtensionClientIntegration extends ExtensionAdaptor {
     private ClientSpiderDialog spiderDialog;
     private ZapMenuItem menuItemCustomScan;
 
+    private List<AuthenticationHandler> authHandlers =
+            Collections.synchronizedList(new ArrayList<>());
+
     public ExtensionClientIntegration() {
         super(NAME);
     }
@@ -516,6 +521,18 @@ public String getDescription() {
         return Constant.messages.getString(PREFIX + ".desc");
     }
 
+    public void addAuthenticationHandler(AuthenticationHandler handler) {
+        authHandlers.add(handler);
+    }
+
+    public void removeAuthenticationHandler(AuthenticationHandler handler) {
+        authHandlers.remove(handler);
+    }
+
+    public List<AuthenticationHandler> getAuthenticationHandlers() {
+        return Collections.unmodifiableList(authHandlers);
+    }
+
     private class SessionChangeListener implements SessionChangedListener {
 
         @Override
@@ -582,17 +599,29 @@ public int runSpider(String url) {
      *
      * @param url The inital URL to request
      * @param options Custom options.
+     * @param user the user to be used for authentication.
      * @return an id which can be used to reference the specific scan.
      */
-    public int runSpider(String url, ClientOptions options) {
+    public int runSpider(String url, ClientOptions options, User user) {
         synchronized (spiders) {
-            ClientSpider cs = new ClientSpider(this, url, options, spiders.size());
+            ClientSpider cs = new ClientSpider(this, url, options, spiders.size(), user);
             spiders.add(cs);
             cs.start();
             return spiders.indexOf(cs);
         }
     }
 
+    /**
+     * Run the client spider with the specified options
+     *
+     * @param url The initial URL to request
+     * @param options Custom options.
+     * @return an id which can be used to reference the specific scan.
+     */
+    public int runSpider(String url, ClientOptions options) {
+        return this.runSpider(url, options, null);
+    }
+
     public ClientSpider getSpider(int id) {
         return this.spiders.get(id);
     }

diff --git a/addOns/client/src/main/java/org/zaproxy/addon/client/spider/AuthenticationHandler.java b/addOns/client/src/main/java/org/zaproxy/addon/client/spider/AuthenticationHandler.java
@@ -0,0 +1,39 @@
+/*
+ * Zed Attack Proxy (ZAP) and its related class files.
+ *
+ * ZAP is an HTTP/HTTPS proxy for assessing web application security.
+ *
+ * Copyright 2024 The ZAP Development Team
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.zaproxy.addon.client.spider;
+
+import org.zaproxy.zap.users.User;
+
+public interface AuthenticationHandler {
+
+    /**
+     * * Enables authentication handling for the given user, if the handler applies.
+     *
+     * @param user the user to authenticate for
+     */
+    void enableAuthentication(User user);
+
+    /**
+     * Disables authentication handling for the given user, if the handler applies.
+     *
+     * @param user the user
+     */
+    void disableAuthentication(User user);
+}