8. Zero-Trust Application Access

Overview

pyrasp Zero-Trust Application Access (ZTAA) restricts access to a protected application to browsers running a properly configured agent. Optionally, pyrasp can also require the browser to be running the latest version, in order to reject connections from potentially vulnerable (and therefore possibly compromised) browsers.

ZTAA data is transmitted to pyrasp in a dedicated header carrying:

  • Browser fingerprint (currently unused)

  • Browser update status

The header value is a JWT signed with one of the valid keys specified in the configuration. If the header is absent or the JWT signature does not validate, the request is handled as an attack, according to the configuration.

Configuration

Three parameters are needed to configure ZTAA on pyrasp:

  • ZTAA_HEADER: the name of the header used for ZTAA validation (default: pcb-ztaa)

  • ZTAA_KEYS: list of valid keys, intended to give each user a specific key so that a single key can be repudiated without affecting the others

  • ZTAA_BROWSER_VERSION: enables the browser version check
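
The server-side check described in the Overview and Configuration sections, as an added illustration that is not pyrasp's own code: a small HS256 JWT verifier that looks up the ZTAA header, tries every key in ZTAA_KEYS (removing a key from the list repudiates that user's agent), rejects missing or badly signed tokens, and, when ZTAA_BROWSER_VERSION is on, also rejects tokens whose browser update status is not current. The claim names `fingerprint` and `browser_up_to_date`, the sample keys and the `check_ztaa` return shape are assumptions made for this example; the page does not specify the JWT payload layout.

```python
import base64
import hashlib
import hmac
import json
from typing import Dict, List, Optional, Tuple

# Constructed configuration mirroring the three ZTAA parameters (values are examples).
ZTAA_HEADER = "pcb-ztaa"
ZTAA_KEYS = ["user-alice-secret", "user-bob-secret"]  # one key per user; drop a key to repudiate it
ZTAA_BROWSER_VERSION = True


def _b64url_decode(data: str) -> bytes:
    # JWT segments are unpadded base64url; restore the padding before decoding.
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def sign_ztaa_token(payload: dict, key: str) -> str:
    """Build an HS256 JWT; stands in for the token the agent attaches (assumed payload layout)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{header}.{body}".encode()
    sig = hmac.new(key.encode(), signing_input, hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def verify_ztaa_token(token: str, keys: List[str]) -> Optional[dict]:
    """Return the payload if the HS256 signature matches one of the configured keys, else None."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        # Only accept the algorithm we configured; "none" or other values are rejected outright.
        if header.get("alg") != "HS256":
            return None
        signing_input = f"{header_b64}.{body_b64}".encode()
        sig = _b64url_decode(sig_b64)
    except ValueError:  # bad segment count, bad base64 or bad JSON
        return None
    for key in keys:
        expected = hmac.new(key.encode(), signing_input, hashlib.sha256).digest()
        if hmac.compare_digest(expected, sig):  # constant-time comparison
            return json.loads(_b64url_decode(body_b64))
    return None


def check_ztaa(headers: Dict[str, str],
               keys: List[str] = ZTAA_KEYS,
               require_up_to_date: bool = ZTAA_BROWSER_VERSION) -> Tuple[bool, str]:
    """Decide whether a request passes ZTAA. `headers` is a lower-cased name -> value map."""
    token = headers.get(ZTAA_HEADER)
    if token is None:
        return False, "ztaa header missing"
    payload = verify_ztaa_token(token, keys)
    if payload is None:
        return False, "ztaa signature invalid"
    if require_up_to_date and not payload.get("browser_up_to_date", False):
        return False, "browser not up to date"
    return True, "ok"


if __name__ == "__main__":
    # Constructed request: a valid token from Alice's agent reporting an up-to-date browser.
    token = sign_ztaa_token({"fingerprint": "fp-example", "browser_up_to_date": True}, ZTAA_KEYS[0])
    print(check_ztaa({ZTAA_HEADER: token}))
    # Same agent after Alice's key has been repudiated.
    print(check_ztaa({ZTAA_HEADER: token}, keys=ZTAA_KEYS[1:]))
```

A request failing `check_ztaa` is the point at which pyrasp would apply its configured attack handling; the example only returns the decision and reason so it can be wired into whatever response policy is in force.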

Agent

The agent is a browser extension, currently available only for Chromium-based browsers.

Installation

  1. Download the unpacked version from https://github.com/rbidou/pyrasp-agent

  2. Go to the chrome://extensions or edge://extensions page

  3. Enable Developer mode

  4. Click the Load unpacked button

  5. Select the directory into which the unpacked agent was downloaded

  6. The agent is installed

Configuration

To configure the agent:

  1. Click the agent icon (greyed out until configuration is set)

  2. Enter the header name, the application hostname (with port if non-standard) or URL, and the secret key

  3. Click the Update ZTAA Settings button

  4. The agent icon turns blue
