codacy-acme/authenticated-dast-soap
Authenticated DAST SOAP Demo

This repository demonstrates how to implement Authenticated Dynamic Application Security Testing (DAST) using OWASP ZAP on a SOAP web application with session-based authentication.

πŸ—οΈ Application Architecture

  • Backend: Node.js/Express with SOAP endpoints
  • Authentication: SOAP-based login with Express sessions
  • Frontend: Vanilla HTML/CSS/JavaScript
  • Protected Pages: Dashboard, Profile, Settings (require authentication)

πŸ” Authentication Flow

  1. SOAP Login: Client sends XML request to /soap/auth endpoint
  2. Session Creation: Server validates credentials and creates Express session
  3. Cookie Management: Session cookie (connect.sid) maintains authentication
  4. Protected Access: Authenticated requests access protected SOAP endpoints

πŸ›‘οΈ DAST Security Scanning

ZAP Configuration

The project includes comprehensive ZAP configuration for authenticated scanning:

  • zap-auth-script.js: JavaScript authentication script for ZAP
  • zap-context.xml: ZAP context configuration defining scan scope
  • zap-auth.py: Python alternative for authentication testing
  • Dockerfile: Containerizes the SOAP application

Scan Coverage

Public Endpoints:

  • / - Login page
  • Static assets (CSS, JS)

Authenticated Endpoints:

  • /soap/dashboard - Dashboard data via SOAP
  • /soap/profile - User profile via SOAP
  • /soap/settings - User settings via SOAP
  • /dashboard.html - Dashboard page
  • /profile.html - Profile page
  • /settings.html - Settings page

Running Locally

Prerequisites

  • Node.js 18+
  • Docker
  • Git

Setup

# Clone the repository
git clone <repository-url>
cd authenticated-dast-soap

# Install dependencies
npm install

# Run the application
npm start

The application will be available at http://localhost:3000

Test Credentials

  • Username: demo | Password: password
  • Username: admin | Password: admin123

Manual SOAP Testing

Test the SOAP authentication endpoint:

curl -X POST http://localhost:3000/soap/auth \
     -H "Content-Type: text/xml" \
     -d '<?xml version="1.0" encoding="UTF-8"?>
         <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
           <soap:Body>
             <AuthenticateUser>
               <username>demo</username>
               <password>password</password>
             </AuthenticateUser>
           </soap:Body>
         </soap:Envelope>'

CI/CD Integration

GitHub Actions Workflow

The .github/workflows/authenticated-dast.yml workflow provides:

  1. Application Build: Containerizes the SOAP app
  2. Service Startup: Runs the app with proper networking
  3. Connectivity Tests: Verifies app and SOAP endpoints
  4. Authenticated Scanning:
    • ZAP Baseline Scan (quick security check)
    • ZAP Full Scan (comprehensive security analysis)
  5. Coverage Verification: Ensures authenticated pages were scanned
  6. Artifact Upload: Stores scan reports as GitHub artifacts
  7. Codacy Integration: Uploads results to Codacy Security Dashboard

Required Secrets

Add to your GitHub repository secrets:

  • CODACY_API_TOKEN: Your Codacy API token for security report uploads

Workflow Triggers

  • Push to main or develop branches
  • Pull requests to main branch

Security Reports

Generated Reports

The scan produces multiple report formats:

  • JSON: zap_full_report.json - Machine-readable results
  • HTML: zap_full_report.html - Human-readable web report
  • Markdown: zap_full_report.md - Documentation-friendly format

Report Analysis

The workflow automatically:

  • Counts security findings
  • Verifies authenticated page coverage
  • Uploads results to Codacy Security Dashboard
  • Stores reports as GitHub artifacts (30-day retention)
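What the first two bullets amount to in code, as an added example that is not the workflow's own script (it also illustrates the alert levels listed under "Scan Results Interpretation" and the coverage check under "Scan Coverage Issues"): count findings per risk level from zap_full_report.json and verify that every authenticated URL appears in the report. The report object below is constructed here in the layout of ZAP's traditional JSON report (site[].alerts[].instances[].uri, riskcode 3/2/1/0 = High/Medium/Low/Informational); its values are made up for the example.

```javascript
// Added example, not the project's code. Analyses a ZAP JSON report offline.
const RISK_NAMES = { '3': 'High', '2': 'Medium', '1': 'Low', '0': 'Informational' };

// Paths that are only reachable with a valid connect.sid (from the README).
const AUTHENTICATED_PATHS = [
  '/soap/dashboard', '/soap/profile', '/soap/settings',
  '/dashboard.html', '/profile.html', '/settings.html',
];

// Constructed sample in the shape of zap_full_report.json; not a real scan.
const SAMPLE_REPORT = {
  '@version': '2.14.0',
  site: [{
    '@name': 'http://localhost:3000',
    alerts: [
      { pluginid: '10021', alert: 'X-Content-Type-Options Header Missing', riskcode: '1',
        instances: [{ uri: 'http://localhost:3000/', method: 'GET' },
                    { uri: 'http://localhost:3000/dashboard.html', method: 'GET' }] },
      { pluginid: '10038', alert: 'Content Security Policy (CSP) Header Not Set', riskcode: '2',
        instances: [{ uri: 'http://localhost:3000/profile.html', method: 'GET' }] },
      { pluginid: '90022', alert: 'Application Error Disclosure', riskcode: '2',
        instances: [{ uri: 'http://localhost:3000/soap/profile', method: 'POST' }] },
    ],
  }],
};

// Number of alert instances per risk level.
function countByRisk(report) {
  const counts = { High: 0, Medium: 0, Low: 0, Informational: 0 };
  for (const site of report.site ?? []) {
    for (const a of site.alerts ?? []) {
      const name = RISK_NAMES[String(a.riskcode)];
      if (name) counts[name] += (a.instances ?? []).length;
    }
  }
  return counts;
}

// Distinct paths that appear anywhere in the report's alert instances.
function scannedPaths(report) {
  const paths = new Set();
  for (const site of report.site ?? [])
    for (const a of site.alerts ?? [])
      for (const inst of a.instances ?? [])
        paths.add(new URL(inst.uri).pathname);
  return paths;
}

// Authenticated paths the report never mentions. A non-empty result usually
// means the session cookie was not applied and ZAP only saw the login page.
function missingAuthenticatedPaths(report, expected = AUTHENTICATED_PATHS) {
  const seen = scannedPaths(report);
  return expected.filter(p => !seen.has(p));
}

// CI gate: fail on any High finding or on incomplete authenticated coverage.
function evaluate(report) {
  const counts = countByRisk(report);
  const missing = missingAuthenticatedPaths(report);
  return { counts, missing, pass: counts.High === 0 && missing.length === 0 };
}

module.exports = { countByRisk, scannedPaths, missingAuthenticatedPaths, evaluate, SAMPLE_REPORT };
```

For the sample report `evaluate` reports two Medium and two Low instances, no High, and three authenticated paths never reached, so the gate fails. One caveat when reading real reports this way: alert instances only list URLs that produced at least one finding, so a page that was scanned and came back clean will look "missing"; for a strict coverage check, pair this with the list of URLs ZAP actually requested (the spider/crawl output) rather than the alerts alone.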

Configuration Files

ZAP Authentication Script (zap-auth-script.js)

JavaScript authentication script that:

  • Performs SOAP login with credentials
  • Extracts session cookies from response
  • Configures ZAP to maintain authenticated session
  • Defines logged-in/logged-out indicators

ZAP Context (zap-context.xml)

XML configuration that:

  • Defines scan scope (target URLs)
  • Configures authentication method
  • Sets up user credentials
  • Specifies session management

Docker Configuration (Dockerfile)

Multi-stage build that:

  • Uses Node.js 18 Alpine base image
  • Installs production dependencies only
  • Exposes port 3000
  • Is optimized for CI/CD environments

πŸ” Authentication Methods Supported

This implementation demonstrates:

  1. SOAP Authentication: XML-based login requests
  2. Session Management: Express.js session cookies
  3. Context-based Scanning: ZAP context configuration
  4. Script-based Auth: Custom JavaScript authentication logic

🚦 Scan Results Interpretation

Security Alert Levels

  • High: Critical vulnerabilities requiring immediate attention
  • Medium: Important security issues to address
  • Low: Minor security improvements
  • Informational: Security-related information

Common Findings

Authenticated scans typically identify:

  • Session management vulnerabilities
  • Authorization bypass issues
  • Cross-site scripting (XSS) in authenticated pages
  • SQL injection in authenticated endpoints
  • Insecure direct object references

πŸ› οΈ Troubleshooting

Authentication Issues

If authentication fails:

  1. Check SOAP endpoint connectivity
  2. Verify credentials in ZAP context
  3. Review authentication script logs
  4. Test SOAP login manually

Scan Coverage Issues

If authenticated pages aren't scanned:

  1. Verify session cookie extraction
  2. Check ZAP context configuration
  3. Review logged-in/logged-out indicators
  4. Examine authentication script execution

Report Generation Issues

If reports aren't generated:

  1. Check ZAP container logs
  2. Verify file permissions on output directory
  3. Ensure sufficient scan time
  4. Review ZAP command parameters

Additional Resources

Contributing

  1. Fork the repository
  2. Create a feature branch
  3. Make your changes
  4. Add/update tests
  5. Update documentation
  6. Submit a pull request

πŸ“ License

This project is licensed under the MIT License - see the LICENSE file for details.

About

Sample Repository for Authenticated DAST in CI
