Merge pull request #297 from psiinon/js-sel-auth

JuiceShop selenium auth example

Author: kingthorin

af-plans/juiceshop-selenium-auth/JuiceShopAuthentication.js

@@ -0,0 +1,130 @@
+/*
+This is part of a set of scripts which allow you to authenticate to Juice Shop using Selenium.
+
+These scripts will currently only run in Oracle Nashorn and not Graal.js 
+which means you need to run ZAP using Java 11.
+
+---
+
+This script handles authentication for requests that originate from ZAP,
+e.g. from the traditional spider or the active scanner.
+
+It launches a browser to authenticate to Juice Shop - this is not strictly 
+necessary but this is a demonstration of what to do if you need authenticate
+via a browser.
+
+It also starts and uses a new proxy on a different port.
+If this is not done then the script will hang as it will try to authenticate 
+again using the script which is already running.
+
+The proxy can be stopped via the JuiceShopReset script.
+*/
+
+var By = Java.type('org.openqa.selenium.By');
+var Cookie = Java.type("org.openqa.selenium.Cookie");
+var HttpRequestHeader = Java.type('org.parosproxy.paros.network.HttpRequestHeader');
+var HttpResponseHeader = Java.type("org.parosproxy.paros.network.HttpResponseHeader");
+var HttpHeader = Java.type('org.parosproxy.paros.network.HttpHeader');
+var ScriptVars = Java.type("org.zaproxy.zap.extension.script.ScriptVars");
+var System = Java.type("java.lang.System");
+var Thread = Java.type('java.lang.Thread');
+var URI = Java.type('org.apache.commons.httpclient.URI');
+
+var extensionNetwork = control.getExtensionLoader().getExtension("ExtensionNetwork");
+
+var juiceshopAddr = "http://localhost:3000/";
+var proxyAddress = "127.0.0.1";
+var proxyPort = 9092;
+
+var count = 0;
+var limit = 2;
+
+function logger() {
+	print('[' + this['zap.script.name'] + '] ' + arguments[0]);
+}
+
+function messageHandler(ctx, msg) {
+	if (ctx.isFromClient()) {
+		return;
+	}
+	var url = msg.getRequestHeader().getURI().toString();
+	//logger("messageHandler " + url);
+	if (url === juiceshopAddr + "rest/user/login" && msg.getRequestHeader().getMethod() === "POST") {
+		var json = JSON.parse(msg.getResponseBody().toString());
+		var token = json.authentication.token;
+		logger("Saving Juice Shop token");
+		// save the authentication token
+		ScriptVars.setGlobalVar("juiceshop.token", token);
+	}
+}
+
+function authenticate(helper, _paramsValues, _credentials) {
+	// Remove an existing token (if present) - in theory it may now be invalid
+	ScriptVars.setGlobalVar("juiceshop.token", null);
+	var proxy = ScriptVars.getGlobalCustomVar("auth-proxy");
+	if (!proxy) {
+		// We need to start a new proxy so that the request doesn't trigger another login sequence
+		logger("Starting proxy");
+		var proxy = extensionNetwork.createHttpProxy(5, messageHandler);
+		proxy.start(proxyAddress, proxyPort);
+		// Store the proxy in a global script var
+		ScriptVars.setGlobalCustomVar("auth-proxy", proxy);
+	}
+
+	logger("Launching browser to authenticate to Juice Shop");
+	var extSel = control.getSingleton().
+		getExtensionLoader().getExtension(
+			org.zaproxy.zap.extension.selenium.ExtensionSelenium.class);
+
+	// Change to "firefox" (or "chrome") to see the browsers being launched
+	var wd = extSel.getWebDriver(5, "firefox-headless", proxyAddress, proxyPort);
+	logger("Got webdriver");
+
+	// Initial request will display a popup that is difficult to get rid of
+	wd.get(juiceshopAddr);
+	wd.manage().addCookie(new Cookie('cookieconsent_status', 'dismiss'));
+	wd.manage().addCookie(new Cookie('welcomebanner_status', 'dismiss'));
+	Thread.sleep(1000);
+	// This request will get the login page without the pesky popup
+	logger("Requesting login page");
+	wd.get(juiceshopAddr + "#/login");
+	Thread.sleep(1000);
+
+	// These are standard selenium methods for filling out fields
+	// You will need to change them to support different apps
+	wd.findElement(By.id("email")).sendKeys(System.getenv("JS_USER"));
+	wd.findElement(By.id("password")).sendKeys(System.getenv("JS_PWD"));
+	wd.findElement(By.id("loginButton")).click();
+	logger("Submitting form");
+
+	Thread.sleep(500);
+	wd.quit();
+
+	Thread.sleep(500);
+	logger("Checking verification URL for Juice Shop");
+	token = ScriptVars.getGlobalVar("juiceshop.token");
+
+	// This is the verification URL
+	var requestUri = new URI(juiceshopAddr + "rest/user/whoami", false);
+	var requestMethod = HttpRequestHeader.GET;
+	var requestHeader = new HttpRequestHeader(requestMethod, requestUri, HttpHeader.HTTP11);
+	// The auth token and cookie will be added by the httpsender script
+	var msg = helper.prepareMessage();
+	msg.setRequestHeader(requestHeader);
+	helper.sendAndReceive(msg);
+
+	return msg;
+}
+
+function getRequiredParamsNames() {
+	return [];
+}
+
+function getOptionalParamsNames() {
+	return [];
+}
+
+function getCredentialsParamsNames() {
+	return ["username", "password"];
+}
+

af-plans/juiceshop-selenium-auth/JuiceShopHttpSender.js

@@ -0,0 +1,99 @@
+/*
+This is part of a set of scripts which allow you to authenticate to Juice Shop using Selenium.
+
+These scripts will currently only run in Oracle Nashorn and not Graal.js 
+which means you need to run ZAP using Java 11.
+
+---
+
+This script injects the authentication token into the verification request.
+Without this token the verification request would always fail.
+
+It also records stats which allow us to test that the authentication is working
+in all cases.
+
+*/
+
+
+function logger() {
+	print('[' + this['zap.script.name'] + '] ' + arguments[0]);
+}
+
+function isStaticUrl(url) {
+	if (url.indexOf('.xml') !== -1) {
+		return true;
+	}
+
+	if (url.indexOf('.css') !== -1) {
+		return true;
+	}
+
+	if (url.indexOf('.gif') !== -1) {
+		return true;
+	}
+
+	if (url.indexOf('.js') !== -1) {
+		return true;
+	}
+
+	if (url.indexOf('.txt') !== -1) {
+		return true;
+	}
+
+	if (url.indexOf('.htm') !== -1) {
+		return true;
+	}
+	return false;
+}
+
+var HttpSender = Java.type('org.parosproxy.paros.network.HttpSender');
+var ScriptVars = Java.type('org.zaproxy.zap.extension.script.ScriptVars');
+var Stats = Java.type('org.zaproxy.zap.utils.Stats');
+
+var juiceshopAddr = "http://localhost:3000/";
+
+function sendingRequest(msg, initiator, _helper) {
+	var headers = msg.getRequestHeader();
+	var url = headers.getURI().toString();
+
+	if (!url.startsWith(juiceshopAddr)) { return true; }
+	if (isStaticUrl(url)) { return true; }
+
+	var token = ScriptVars.getGlobalVar("juiceshop.token");
+
+	if (token) {
+		Stats.incCounter("stats.juiceshop.globaltoken.present");
+	} else {
+		Stats.incCounter("stats.juiceshop.globaltoken.absent");
+	}
+
+	if (initiator === HttpSender.AUTHENTICATION_INITIATOR) {
+		if (url.startsWith(juiceshopAddr + "rest/user/whoami")) {
+			// Need to add these for the verification request
+			logger(url + " adding token to authentication request");
+			msg.getRequestHeader().setHeader('Authorization', 'Bearer ' + token);
+			msg.getRequestHeader().setHeader('Cookie', 'token=' + token);
+		}
+	} else if (initiator === HttpSender.AJAX_SPIDER_INITIATOR) {
+		var header = msg.getRequestHeader();
+		var auth = header.getHeader("Authorization");
+		var cookie = header.getHeader("Cookie");
+		// Record stats to give us some confidence that the AJAX spider is authenticated
+		if (auth) {
+			Stats.incCounter("stats.juiceshop.authtoken.present");
+		} else {
+			Stats.incCounter("stats.juiceshop.authtoken.absent");
+		}
+		if (cookie && cookie.indexOf("token=") > -1) {
+			Stats.incCounter("stats.juiceshop.cookie.present");
+		} else {
+			Stats.incCounter("stats.juiceshop.cookie.absent");
+		}
+	}
+
+	return true;
+}
+
+function responseReceived(_msg, _initiator, _helper) {
+	return true;
+}

af-plans/juiceshop-selenium-auth/JuiceShopReset.js

@@ -0,0 +1,49 @@
+/*
+This is part of a set of scripts which allow you to authenticate to Juice Shop using Selenium.
+
+These scripts will currently only run in Oracle Nashorn and not Graal.js 
+which means you need to run ZAP using Java 11.
+
+---
+
+This script stops the proxy used for authentication and removes all of the script variables.
+It is not needed for automation but can be useful for manual testing.
+*/
+
+function logger() {
+	print('[' + this['zap.script.name'] + '] ' + arguments[0]);
+}
+
+var ScriptVars = Java.type("org.zaproxy.zap.extension.script.ScriptVars");
+
+var proxy = ScriptVars.getGlobalCustomVar("auth-proxy");
+
+if (proxy) {
+	logger("Found auth proxy - stopping");
+	proxy.stop();
+	ScriptVars.setGlobalCustomVar("auth-proxy", null);
+}
+
+var token = ScriptVars.getGlobalVar("juiceshop.token");
+if (token) {
+	logger("Found token - removing");
+	ScriptVars.setGlobalVar("juiceshop.token", null);
+
+}
+
+// Reset the state for all users
+var extUser = control.getSingleton().
+	getExtensionLoader().getExtension(
+		org.zaproxy.zap.extension.users.ExtensionUserManagement.class);
+var session = model.getSession();
+var contexts = session.getContexts();
+for (i in contexts) {
+	var users = extUser.getContextUserAuthManager(contexts[i].getId()).getUsers();
+	for (j in users) {
+		logger("Resetting user " + users[j]);
+		users[j].getAuthenticationState().setLastPollResult(false);
+	}
+}
+
+logger("Reset complete.");
+

af-plans/juiceshop-selenium-auth/JuiceShopSelenium.js

@@ -0,0 +1,43 @@
+/*
+This is part of a set of scripts which allow you to authenticate to Juice Shop using Selenium.
+
+These scripts will currently only run in Oracle Nashorn and not Graal.js 
+which means you need to run ZAP using Java 11.
+
+---
+
+This script logs in to Juice Shop when a browser is launched.
+This will happen when:
+* The authentication script runs
+* The AJAX Spider launches a browser
+* The DOM XSS scan rule runs
+
+This is needed as Juice Shop maintains client side state about authentication -
+if the UI does not know it is authenticated then it will not be able to
+perform any authenticated actions.
+
+*/
+
+function logger() {
+	print('[' + this['zap.script.name'] + '] ' + arguments[0]);
+}
+
+var ArrayList = Java.type("java.util.ArrayList");
+var By = Java.type('org.openqa.selenium.By');
+var ScriptVars = Java.type("org.zaproxy.zap.extension.script.ScriptVars");
+var System = Java.type("java.lang.System");
+
+var juiceshopAddr = "http://localhost:3000/";
+
+function browserLaunched(utils) {
+	var wd = utils.getWebDriver();
+	wd.get(juiceshopAddr);
+	// This request will get the login page without the pesky popup
+	wd.get(juiceshopAddr + "#/login");
+	// These are standard selenium methods for filling out fields
+	// You will need to change them to support different apps
+	wd.findElement(By.id("email")).sendKeys(System.getenv("JS_USER"));
+	wd.findElement(By.id("password")).sendKeys(System.getenv("JS_PWD"));
+	wd.findElement(By.id("loginButton")).click();
+}
+

af-plans/juiceshop-selenium-auth/JuiceShopSession.js

@@ -0,0 +1,59 @@
+/*
+This is part of a set of scripts which allow you to authenticate to Juice Shop using Selenium.
+
+These scripts will currently only run in Oracle Nashorn and not Graal.js 
+which means you need to run ZAP using Java 11.
+
+---
+
+This script injects the authentication token into authenticated requests
+from ZAP.
+
+It is used by the traditional spider and the active scan rules 
+(apart from the DOM XSS one which uses a browser).
+It is not used by the AJAX Spider as that need the client side state to be set.
+
+*/
+
+function logger() {
+	print('[' + this['zap.script.name'] + '] ' + arguments[0]);
+}
+
+var COOKIE_TYPE = org.parosproxy.paros.network.HtmlParameter.Type.cookie;
+var HtmlParameter = Java.type('org.parosproxy.paros.network.HtmlParameter');
+var ScriptVars = Java.type('org.zaproxy.zap.extension.script.ScriptVars');
+var Stats = Java.type('org.zaproxy.zap.utils.Stats');
+
+function extractWebSession(_sessionWrapper) {
+	// Handled in the auth script
+}
+
+function clearWebSessionIdentifiers(sessionWrapper) {
+	var headers = sessionWrapper.getHttpMessage().getRequestHeader();
+	headers.setHeader("Authorization", null);
+	ScriptVars.setGlobalVar("juiceshop.token", null);
+}
+
+function processMessageToMatchSession(sessionWrapper) {
+	var token = ScriptVars.getGlobalVar("juiceshop.token");
+	if (token === null) {
+		logger('no token');
+		return;
+	}
+	var cookie = new HtmlParameter(COOKIE_TYPE, "token", token);
+	// add the saved authentication token as an Authentication header and a cookie
+	var msg = sessionWrapper.getHttpMessage();
+	msg.getRequestHeader().setHeader("Authorization", "Bearer " + token);
+	var cookies = msg.getRequestHeader().getCookieParams();
+	cookies.add(cookie);
+	msg.getRequestHeader().setCookieParams(cookies);
+	Stats.incCounter("stats.juiceshop.tokens.added");
+}
+
+function getRequiredParamsNames() {
+	return [];
+}
+
+function getOptionalParamsNames() {
+	return [];
+}