Replies: 2 comments
-
Hi @fcano 😊
For example, the "A" admin service called A has 20 different levels of authority. When checking permissions for each URL of these services, it is too much to do manually, and it is more cumbersome to use ZAP or Burpsuite functions. So I made a tool called Authz0. Quickly create a URL list, define users who can access each URL unit, and test based on it. This was the direction that I was aiming for. Did it help you?
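The workflow described in the reply above (a list of URLs, the users or roles that should be able to reach each one, and a test run comparing expectation against observed behaviour) is what a role-based access-control matrix check looks like in code. The following is an added example and is not Authz0's own code or its template format; the `TEMPLATE` dictionary, the `simulated_app` stand-in for the target application, and the `check_matrix` function are all constructed for this illustration so that it runs offline. The point it shows is that a matrix test reports two kinds of defect: a role reaching a URL it should not (the authorization bug the tool exists to find) and a role being denied a URL it should reach (a template or application misconfiguration worth triaging separately).

```python
"""Access-control matrix checker (constructed example, not Authz0 code).

Hypothetical template shape: each URL entry lists the roles expected to be
allowed. The application under test is simulated in-process so the example
needs no network; in practice `send` would issue a real request using each
role's session and return the HTTP status.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed template: every URL is tested against every role, and the
# "allow" list records which roles the application should accept.
TEMPLATE: Dict = {
    "roles": ["guest", "user", "admin"],
    "urls": [
        {"url": "/", "method": "GET", "allow": ["guest", "user", "admin"]},
        {"url": "/profile", "method": "GET", "allow": ["user", "admin"]},
        {"url": "/admin/users", "method": "GET", "allow": ["admin"]},
        {"url": "/admin/users/1", "method": "DELETE", "allow": ["admin"]},
    ],
}


def simulated_app(role: str, method: str, url: str) -> int:
    """Constructed stand-in for the target service: returns an HTTP status.

    It contains one deliberate flaw to give the checker something to find:
    the admin role check only covers GET, so the DELETE route is reachable
    by any authenticated role.
    """
    if url == "/":
        return 200
    if role == "guest":
        return 401
    if url.startswith("/admin") and method == "GET" and role != "admin":
        return 403
    return 200


@dataclass
class Finding:
    url: str
    method: str
    role: str
    status: int
    kind: str  # "unexpected_allow" (privilege escalation) or "unexpected_deny"


def is_allowed(status: int) -> bool:
    """Treat 2xx/3xx as access granted; 401/403/404 and 5xx as denied."""
    return 200 <= status < 400


def check_matrix(template: Dict,
                 send: Callable[[str, str, str], int]) -> List[Finding]:
    """Exercise every (URL, role) pair and diff observed vs. expected access."""
    findings: List[Finding] = []
    for entry in template["urls"]:
        for role in template["roles"]:
            status = send(role, entry["method"], entry["url"])
            expected = role in entry["allow"]
            actual = is_allowed(status)
            if actual and not expected:
                findings.append(Finding(entry["url"], entry["method"],
                                        role, status, "unexpected_allow"))
            elif expected and not actual:
                findings.append(Finding(entry["url"], entry["method"],
                                        role, status, "unexpected_deny"))
    return findings


if __name__ == "__main__":
    for f in check_matrix(TEMPLATE, simulated_app):
        print(f"{f.kind}: {f.role} {f.method} {f.url} -> {f.status}")
```

Against the constructed application this reports a single `unexpected_allow` for the `user` role on `DELETE /admin/users/1`; the other 11 URL/role pairs behave as the template expects. Swapping `simulated_app` for a function that performs real requests with per-role cookies or headers is the only change needed to run the same matrix against a live service.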
-
This is ZAP's Access Control Testing, and I thought it was faster to edit through the yaml file (e.g. vim) than to click through the ZAP GUI.
-
Hi,
I've been trying authz0 a bit. I'm not sure about how to use it. Do we have to identify which URLs should be accessible only by a role and introduce them one by one (or with a script)?
If that step is necessary, what is the purpose of the automatic generation of a template based on HAR files exported from ZAP?