This add-on enables users to compare which parts of a web application are available to which users, to do access control testing, and to identify potential access control issues. It allows configuration of access rules and conducts a full attack aimed at helping identify sections of a web application that are accessible by unauthorized clients.
There are two main concepts related to this add-on that should be explained: the Access Rules and the testing procedure.
In order to identify potential access control issues, ZAP needs to know which parts of the web application are supposed to be accessible to which user. In ZAP these rules are called Access Rules and generally have the meaning: “PageA should/shouldn’t be accessed by UserX”.
The rules are configured for a Context and, for each User of that Context, each Site Node (web page) will be associated to one of the following values:
In order to simplify the access rules definition process, ZAP makes use of the tree-based structure of URLs. When analyzing the rules, an inference algorithm is used to detect the matching rule for each node, based on its parent in the URL tree, if no particular rule is defined for it. This means that, when configuring the access rules, only one rule needs to be set explicitly for an entire subtree, while the rules for the other nodes are inferred. More details about this can be found on the Access Control Context options help page.
As a whole, in order to fully perform access control testing for a web application, the next steps should be followed:
Note: Access control testing is not allowed in Safe mode, nor in Protected mode if the context is not in scope.
The add-on exposes the following API endpoints:
Starts an Access Control scan with the given context ID and user ID (which can be a comma-separated list of IDs). (Optional parameters: a boolean identifying whether an unauthenticated user should be included (default false), a boolean identifying whether or not Alerts are raised (default true), and the Risk level for the Alerts (default High).) [Note: This assumes the Access Control rules were previously established via the ZAP GUI and the necessary Context exported/imported.]
Generates an Access Control report for the given context ID and saves it based on the provided filename (path).
Gets the Access Control scan progress (percentage integer) for the given context ID.
Gets the Access Control scan status (description string) for the given context ID.
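The four endpoints above are normally driven as one sequence: start the scan, poll the progress until it reaches 100, then write the report. The following Python client is an added example, not part of this help page or of the add-on itself. It assumes ZAP's JSON API at its default local address (http://127.0.0.1:8080), the accessControl component's endpoint names (scan, writeHTMLreport, getScanProgress, getScanStatus) and parameter names (contextId, userId, scanAsUnAuthUser, raiseAlert, alertRiskLevel, fileName) as exposed by the ZAP API, and that views answer with a single-key JSON object. The HTTP transport is injectable so the flow can be exercised without a running ZAP; the context and user IDs in the usage block are placeholders.

```python
"""Drive a ZAP Access Control scan via the JSON API: start it, poll progress, write the report."""
import json
import time
import urllib.parse
import urllib.request

# Assumption: ZAP is listening on its default local API address.
ZAP_BASE = "http://127.0.0.1:8080"


def api_url(base, component, kind, name, params=None, apikey=None):
    """Build a ZAP JSON API URL: <base>/JSON/<component>/<action|view>/<name>/?params."""
    query = dict(params or {})
    if apikey:
        query["apikey"] = apikey  # ZAP's API key, if one is configured
    url = f"{base.rstrip('/')}/JSON/{component}/{kind}/{name}/"
    return url + ("?" + urllib.parse.urlencode(query) if query else "")


def http_get_json(url):
    """Default transport: GET the URL and decode the JSON body."""
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


def single_value(response):
    """Assumption: ZAP views answer with a one-key JSON object; return that value."""
    return next(iter(response.values()))


class AccessControlClient:
    """Thin wrapper over the accessControl API component (endpoint names assumed from the ZAP API)."""

    def __init__(self, base=ZAP_BASE, apikey=None, fetch=http_get_json):
        self.base = base
        self.apikey = apikey
        self.fetch = fetch  # injectable transport, so the flow can be tested offline

    def _call(self, kind, name, params):
        return self.fetch(api_url(self.base, "accessControl", kind, name, params, self.apikey))

    def scan(self, context_id, user_ids, scan_as_unauth=False, raise_alert=True, risk="High"):
        """Start a scan for the context and the given users (sent as a comma-separated list of IDs)."""
        params = {
            "contextId": context_id,
            "userId": ",".join(str(u) for u in user_ids),
            "scanAsUnAuthUser": str(scan_as_unauth).lower(),
            "raiseAlert": str(raise_alert).lower(),
            "alertRiskLevel": risk,
        }
        return self._call("action", "scan", params)

    def progress(self, context_id):
        """Scan progress as an integer percentage."""
        return int(single_value(self._call("view", "getScanProgress", {"contextId": context_id})))

    def status(self, context_id):
        """Scan status description string."""
        return str(single_value(self._call("view", "getScanStatus", {"contextId": context_id})))

    def write_report(self, context_id, filename):
        """Generate the HTML report and save it at the given path (resolved on the ZAP host)."""
        return self._call("action", "writeHTMLreport", {"contextId": context_id, "fileName": filename})

    def run(self, context_id, user_ids, report_path, poll_seconds=2.0, sleep=time.sleep, **scan_opts):
        """Start a scan, wait until progress reaches 100, then write the report."""
        self.scan(context_id, user_ids, **scan_opts)
        progress = self.progress(context_id)
        while progress < 100:
            sleep(poll_seconds)
            progress = self.progress(context_id)
        self.write_report(context_id, report_path)
        return {"progress": progress, "status": self.status(context_id), "report": report_path}


if __name__ == "__main__":
    # Example run against a live ZAP; context 1, users 1 and 2, and the key are placeholders.
    client = AccessControlClient(apikey="CHANGE-ME")
    print(client.run(1, [1, 2], "/tmp/access-control-report.html", scan_as_unauth=True))
```

Because the scan endpoint only starts the scan, a script that calls writeHTMLreport immediately afterwards gets an incomplete report; polling getScanProgress until it returns 100 is what makes the sequence reliable. The report path is interpreted by the ZAP process, so when ZAP runs in a container it must point at a path writable inside that container.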
See also:
Access Control Testing Tab, for a description of the status tab used by the add-on.
Access Control Context options, to learn about the related context options.