This add-on enables users to compare which parts of a web application are available to which users, carry out access control testing and identify potential access control issues. It allows configuration of access rules and runs a full attack aimed at identifying sections of a web application that are accessible to unauthorized clients.
There are two main concepts related to this add-on that should be explained: the Access Rules and the testing procedure.
In order to identify potential access control issues, ZAP needs to know which parts of the web application are supposed to be accessible to which user. In ZAP these rules are called Access Rules and generally have the meaning: “PageA should/shouldn’t be accessed by UserX”.
The rules are configured for a Context and, for each User of that Context, each Site Node (web page) is associated with one of the following values:
In order to simplify the definition of access rules, ZAP makes use of the tree-based structure of URLs. When analyzing the rules, an inference algorithm detects the matching rule for each node from its parent in the URL tree whenever no particular rule is defined for that node. This means that, when configuring the access rules, only one rule needs to be set explicitly for an entire subtree, while the rules for the other nodes in it are inferred. More details about this can be found on the Access Control Context options help page.
Taken together, in order to fully perform access control testing for a web application, the following steps should be followed:
Note: Access control testing is not allowed in Safe mode, nor in Protected mode if the context is not in scope.
The following Alerts may be raised by the add-on:
Insufficient Authentication occurs when a web site permits an attacker to access sensitive content or functionality without having to properly authenticate. Web-based administration tools are a good example of web sites providing access to sensitive functionality. Depending on the specific online resource, such web applications should not be directly accessible without requiring the user to properly verify their identity.
Latest Code: AccessControlScannerThread.java
Alert ID: 10101.
Insufficient Authorization results when an application does not perform adequate authorization checks to ensure that the user is performing a function or accessing data in a manner consistent with the security policy. Authorization procedures should enforce what a user, service or application is permitted to do. When a user is authenticated to a web site, it does not necessarily mean that the user should have full access to all content and functionality.
Latest Code: AccessControlScannerThread.java
Alert ID: 10102.
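The rule inference described in the Access Rules section and the two alerts listed above, worked through in code. This is an added example, not code from the add-on: it mirrors the behaviour the help text describes. The rule values Allowed / Denied / Unknown, the sample rule set and the mapping from scan outcomes to the two alert IDs are this example's reading of the page (the ID for an unauthenticated client reaching a Denied node is 10101, for an authenticated user 10102), not text quoted from ZAP.

```python
"""Access rule inference over the URL tree, and the alert each outcome maps to.

Added example, not part of the ZAP add-on. Rule values, sample rules and the
result/alert mapping are assumptions made for illustration.
"""
from urllib.parse import urlsplit

ALLOWED, DENIED, UNKNOWN = "Allowed", "Denied", "Unknown"
UNAUTHENTICATED = None  # stand-in for "no user": the scan's unauthenticated client

# Constructed sample: explicit rules per user, keyed by URL. Every other node is inferred.
SAMPLE_RULES = {
    "guest": {
        "https://app.example/": ALLOWED,
        "https://app.example/admin": DENIED,
        "https://app.example/admin/reports/public": ALLOWED,
    },
    UNAUTHENTICATED: {
        "https://app.example/": ALLOWED,
        "https://app.example/account": DENIED,
        "https://app.example/admin": DENIED,
    },
}


def node_path(url):
    """Site-tree path of a URL: the scheme://host node, then one node per path segment.
    Query strings are ignored. https://app.example/admin/users -> ['https://app.example', 'admin', 'users']"""
    parts = urlsplit(url)
    return [f"{parts.scheme}://{parts.netloc}"] + [s for s in parts.path.split("/") if s]


def infer_rule(url, explicit_rules):
    """Nearest explicit rule on the path from the node up to the site root wins.
    No explicit rule anywhere on that path -> UNKNOWN."""
    explicit = {tuple(node_path(u)): v for u, v in explicit_rules.items()}
    path = node_path(url)
    for depth in range(len(path), 0, -1):
        rule = explicit.get(tuple(path[:depth]))
        if rule is not None:
            return rule
    return UNKNOWN


def classify(url, user, accessible, rules=SAMPLE_RULES):
    """Compare the inferred rule with what the scan observed for that user.

    Returns (result, alert_id): ('Illegal', 10101) when the unauthenticated client
    reached a Denied node (Insufficient Authentication), ('Illegal', 10102) when an
    authenticated user did (Insufficient Authorization), ('Illegal', None) for an
    Allowed node the user could not reach (a mismatch worth a look, but no alert),
    'Valid' when rule and outcome agree, 'Unknown' when no rule could be inferred.
    """
    rule = infer_rule(url, rules.get(user, {}))
    if rule == UNKNOWN:
        return "Unknown", None
    if rule == DENIED and accessible:
        return "Illegal", 10101 if user is UNAUTHENTICATED else 10102
    if rule == ALLOWED and not accessible:
        return "Illegal", None
    return "Valid", None


if __name__ == "__main__":
    # Constructed scan outcomes: (url, user, was the page reachable as that user?)
    observed = [
        ("https://app.example/about", "guest", True),
        ("https://app.example/admin/users", "guest", True),
        ("https://app.example/admin/reports/public/q1", "guest", True),
        ("https://app.example/account", UNAUTHENTICATED, True),
        ("https://other.example/x", "guest", True),
    ]
    for url, user, ok in observed:
        print(user or "<unauthenticated>", url, infer_rule(url, SAMPLE_RULES.get(user, {})), classify(url, user, ok))
```

Only one explicit rule per subtree is needed: `/admin/users` inherits Denied from `/admin`, while `/admin/reports/public/q1` picks up the closer Allowed rule on `/admin/reports/public`. A host with no rule on any ancestor stays Unknown and produces no alert.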
The add-on exposes the following API endpoints:
Starts an Access Control scan for the given context ID and user ID (which can be a comma separated list of IDs). Optional parameters: a boolean indicating whether an unauthenticated user should be included (default false), a boolean indicating whether Alerts are raised (default true), and the Risk level for the Alerts (default High). Note: this assumes the Access Control rules were previously established via the ZAP GUI and the necessary Context exported/imported.
Generates an Access Control report for the given context ID and saves it based on the provided filename (path).
Gets the Access Control scan progress (percentage integer) for the given context ID.
Gets the Access Control scan status (description string) for the given context ID.
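The four endpoints above driven end to end from a script: start the scan, poll progress until it reaches 100, read the status, then write the report. This is an added example, not code shipped with the add-on. The endpoint and parameter names (`accessControl/action/scan` with `contextId`, `userId`, `scanAsUnAuthUser`, `raiseAlert`, `alertRiskLevel`; `accessControl/action/writeHTMLreport` with `contextId`, `fileName`; `accessControl/view/getScanProgress` and `getScanStatus` with `contextId`), the `X-ZAP-API-Key` header, the `{"<viewName>": "<value>"}` shape of view responses and the numeric risk level (3 = High) are the author's recollection of the ZAP API and should be confirmed against the API UI of the ZAP version in use. The local daemon address, API key and `FakeZap` stand-in are constructed for the example.

```python
"""Drive an Access Control scan through the ZAP API and poll it to completion.

Added example, not part of the add-on. Endpoint names, parameters and response
shape are assumed from the ZAP API; verify them against your ZAP's API UI.
"""
import json
import sys
import time
import urllib.request
from urllib.parse import urlencode

ZAP = "http://127.0.0.1:8080"  # assumed: local ZAP daemon
API_KEY = "changeme"           # assumed: the key ZAP was started with (-config api.key=...)
RISK_HIGH = 3                  # assumed numbering: 0 Info, 1 Low, 2 Medium, 3 High


def api_url(kind, name, **params):
    """Build http://zap/JSON/accessControl/<action|view>/<name>/?k=v&... ."""
    return f"{ZAP}/JSON/accessControl/{kind}/{name}/?{urlencode(params)}"


def scan_params(context_id, user_ids, scan_as_unauth=False, raise_alert=True, risk=RISK_HIGH):
    """Parameters of the scan action; userId takes a comma separated list of user IDs."""
    return {
        "contextId": str(context_id),
        "userId": ",".join(str(u) for u in user_ids),
        "scanAsUnAuthUser": "true" if scan_as_unauth else "false",
        "raiseAlert": "true" if raise_alert else "false",
        "alertRiskLevel": str(risk),
    }


def http_fetch(url):
    """Real transport: GET with the API key header, return the parsed JSON body."""
    req = urllib.request.Request(url, headers={"X-ZAP-API-Key": API_KEY})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def single_value(resp):
    """ZAP JSON views wrap a scalar as {"<viewName>": "value"}; unwrap it."""
    return next(iter(resp.values()))


def run_scan(fetch, context_id, user_ids, report_path, poll=1.0, max_polls=600, **opts):
    """Start the scan, poll getScanProgress until 100, then write the HTML report.

    `fetch` is the transport (http_fetch, or FakeZap for offline runs).
    Returns (final_status, progress_samples) so the caller can log how the scan went.
    """
    fetch(api_url("action", "scan", **scan_params(context_id, user_ids, **opts)))
    samples = []
    for _ in range(max_polls):
        progress = int(single_value(fetch(api_url("view", "getScanProgress", contextId=context_id))))
        samples.append(progress)
        if progress >= 100:
            break
        time.sleep(poll)
    else:
        raise TimeoutError(f"scan for context {context_id} did not finish after {max_polls} polls")
    status = single_value(fetch(api_url("view", "getScanStatus", contextId=context_id)))
    fetch(api_url("action", "writeHTMLreport", contextId=context_id, fileName=report_path))
    return status, samples


class FakeZap:
    """Constructed offline stand-in for http_fetch so the example runs without ZAP.
    Progress climbs through the given values; status is fixed; every URL is recorded."""

    def __init__(self, progress=("0", "50", "100"), status="Finished"):
        self.progress, self.status, self.calls = iter(progress), status, []

    def __call__(self, url):
        self.calls.append(url)
        if "/view/getScanProgress/" in url:
            return {"getScanProgress": next(self.progress)}
        if "/view/getScanStatus/" in url:
            return {"getScanStatus": self.status}
        return {"Result": "OK"}


if __name__ == "__main__":
    # Usage: python script.py <contextId> <userId,userId,...> [--offline]
    offline = "--offline" in sys.argv
    args = [a for a in sys.argv[1:] if a != "--offline"]
    ctx = int(args[0]) if args else 1
    users = [int(u) for u in args[1].split(",")] if len(args) > 1 else [1]
    fetch = FakeZap() if offline else http_fetch
    print(run_scan(fetch, ctx, users, "/tmp/access-control.html", poll=0 if offline else 1.0, scan_as_unauth=True))
```

Passing `scan_as_unauth=True` is what makes the scan also replay every node without any session, which is the case the Insufficient Authentication alert covers; leaving it at the default only tests the listed users against each other's rules.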
See also:
Access Control Testing Tab: for a description of the status tab used by the add-on.
Access Control Context options: to learn about the related context options.