How do I extend ZAP authentication scripts?


ka51m1r

Nov 16, 2017, 11:43:17 AM
to OWASP ZAP Scripts
Hi,

I would like to extend this script https://github.com/zaproxy/community-scripts/blob/master/authentication/MagentoAuthentication.js for my needs, to log in to our application.
Where is the helper class located?
How can I test this script? Can I run it from the command line so I can see the error messages?

Kind regards,
ka51m1r

Ailton Caetano

Nov 16, 2017, 12:23:02 PM
to OWASP ZAP Scripts
You can't extend it. You have to copy it, make your changes and enable your copy. To make a copy, open it in the "Script Console" tab, copy the source code, create a new Authentication script in the "Script" tab, paste the source code and change it to suit your needs. You will see any error messages in the "Script Console"'s bottom pane. To test it, enable your script and tell ZAP to make an authenticated scan after you've set the auth configuration.

Take a look inside the other scripts. You'll notice that there are some pre-defined function names that ZAP automagically calls to get its job done. Just change those functions' body code according to your application and things will (probably) work out for you.


[]'s Ailton

--
You received this message because you are subscribed to the Google Groups "OWASP ZAP Scripts" group.
To unsubscribe from this group and stop receiving emails from it, send an email to zaproxy-scripts+unsubscribe@googlegroups.com.
To view this discussion on the web, visit https://groups.google.com/d/msgid/zaproxy-scripts/5331f80d-5074-4cc2-b115-51f309751b4f%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Simon Bennetts

Nov 16, 2017, 12:39:11 PM
to OWASP ZAP Scripts
You can also install the community scripts add-on: https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsCommunityScriptsCommunityScripts
This installs all of the community scripts in ZAP and then you can edit or duplicate them.

Or you can clone them to a local directory and add that directory to ZAP via the Options Scripts screen: https://github.com/zaproxy/zap-core-help/wiki/HelpUiDialogsOptionsScript

Note that the script console does now have a limited form of code completion: https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsScriptsConsole#auto-complete

Cheers,

Simon

ka51m1r

Nov 17, 2017, 3:22:23 AM
to OWASP ZAP Scripts
Thanks for the response.
I have created a new script and added it as the authentication method in the session properties.
How do I make an authenticated scan? Just a spider scan with an authenticated user in scope? Can I scan only the two relevant URLs for the login process instead of spidering all the other URLs?
During this run, I don't get any output in the script console, even if the debugMode is turned on.


Simon Bennetts

Nov 17, 2017, 4:09:34 AM
to OWASP ZAP Scripts
Have a look at this FAQ: https://github.com/zaproxy/zaproxy/wiki/FAQformauth

Cheers,

Simon

ka51m1r

Nov 17, 2017, 4:59:23 AM
to OWASP ZAP Scripts
Hi Simon,

that doesn't help me, because I need a two-factor auth where I first have to GET a CSRF token and then POST it to another URL together with username and password.
I already tried the default form-based auth and recording a Zest script.
But how can I debug an auth script? I just copied the MagentoAuth.js script but it doesn't work and I cannot find any helpful messages. I only get "Authentication failure" in "Output" and that's it. Is it possible to see the script output in the UI or call the script from the command line to see the output?

Greetings,
ka51m1r

ka51m1r

Nov 17, 2017, 6:00:18 AM
to OWASP ZAP Scripts
Hi,

sorry, my fault. The output view in the script console was minimised. Now I can see the output.

Thanks for your help.

ka51m1r

Nov 17, 2017, 6:56:46 AM
to OWASP ZAP Scripts
Hi Simon,

one last question. I always get a 301 redirect message from the helper.sendAndReceive method, because this method does not automatically follow redirects. Is it possible to configure automatic following of redirects for this method?

Cheers,
ka51m1r


thc...@gmail.com

Nov 17, 2017, 7:12:37 AM
to zaproxy...@googlegroups.com
Hi.

Yes, you can follow redirects by calling:
helper.sendAndReceive(msg, true)

Best regards.

ka51m1r

Nov 20, 2017, 5:04:29 AM
to OWASP ZAP Scripts
Hi,

great, that works fine.
Can I change the header attributes?
I already tried it in different ways but I don't get it to work.

I tried things like this:
var get = helper.prepareMessage();
get.setRequestHeader(new HttpRequestHeader(HttpRequestHeader.GET, csrfUri, HttpHeader.HTTP10, HttpHeader.addHeader("user-agent", "Mozilla/5.0.....")))

Do you have an idea how to change the HTTP Header for this?

Thanks,
ka51m1r

thc...@gmail.com

Nov 20, 2017, 5:25:32 AM
to zaproxy...@googlegroups.com
Hi.

Sure, you can add, modify, and remove the headers, with
HttpHeader.addHeader and HttpHeader.setHeader but you need to call them
on the header instances (classes HttpRequestHeader and
HttpResponseHeader), e.g.:
get.getRequestHeader().addHeader("user-agent", "Mozilla/5.0.....")

For JavaDoc reference:
https://static.javadoc.io/org.zaproxy/zap/2.6.0/org/parosproxy/paros/network/HttpHeader.html#addHeader-java.lang.String-java.lang.String-
https://static.javadoc.io/org.zaproxy/zap/2.6.0/org/parosproxy/paros/network/HttpRequestHeader.html
https://static.javadoc.io/org.zaproxy/zap/2.6.0/org/parosproxy/paros/network/HttpResponseHeader.html

Best regards.
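Putting the three answers above together (the pre-defined callbacks ZAP calls, `helper.sendAndReceive(msg, true)` to follow redirects, and headers set on the header instance via `getRequestHeader().addHeader(...)`), here is an added example of a ZAP authentication script for the GET-token-then-POST login the original poster describes. It is not code from the thread or from the ZAP project. The parameter names, URLs, the `csrf_token` field name and the `fakeZap()` stand-in at the bottom (which imitates just enough of `helper`, `HttpRequestHeader`, `HttpHeader` and `URI` to run the flow outside ZAP) are all assumptions made for the example; inside ZAP, `authenticate` resolves the real classes with `Java.type`.

```javascript
// Added example, not from the thread or the ZAP project. Parameter names,
// URLs, the csrf_token field and the fakeZap() stand-in are assumptions.

// Pull the anti-CSRF token out of the login page (field name is an assumption).
function extractCsrfToken(html) {
  var m = /name="csrf_token"\s+value="([^"]+)"/.exec(html);
  return m ? m[1] : null;
}

// Build an application/x-www-form-urlencoded body.
function formEncode(fields) {
  return Object.keys(fields).map(function (k) {
    return encodeURIComponent(k) + "=" + encodeURIComponent(fields[k]);
  }).join("&");
}

// The two-step login. `classes` carries the ZAP/Paros classes so the same
// code can also run against the stand-in below.
function login(helper, classes, loginPageUrl, loginPostUrl, username, password) {
  var HttpRequestHeader = classes.HttpRequestHeader;
  var HttpHeader = classes.HttpHeader;
  var URI = classes.URI;

  // Step 1: GET the login page; the second argument makes ZAP follow redirects.
  var get = helper.prepareMessage();
  get.setRequestHeader(new HttpRequestHeader(HttpRequestHeader.GET, new URI(loginPageUrl, false), HttpHeader.HTTP11));
  // Extra headers go on the header instance, not through a static call.
  get.getRequestHeader().addHeader("User-Agent", "Mozilla/5.0 (example)");
  helper.sendAndReceive(get, true);

  var token = extractCsrfToken(get.getResponseBody().toString());
  if (token === null) {
    throw new Error("login page did not contain a CSRF token");
  }

  // Step 2: POST the token together with the credentials.
  var post = helper.prepareMessage();
  post.setRequestHeader(new HttpRequestHeader(HttpRequestHeader.POST, new URI(loginPostUrl, false), HttpHeader.HTTP11));
  post.getRequestHeader().setHeader(HttpHeader.CONTENT_TYPE, "application/x-www-form-urlencoded");
  post.setRequestBody(formEncode({ csrf_token: token, username: username, password: password }));
  post.getRequestHeader().setContentLength(post.getRequestBody().length());
  helper.sendAndReceive(post, true);
  return post; // ZAP checks this message against the logged-in/out indicators
}

// --- the callbacks ZAP itself invokes ---
function authenticate(helper, paramsValues, credentials) {
  var classes = {
    HttpRequestHeader: Java.type("org.parosproxy.paros.network.HttpRequestHeader"),
    HttpHeader: Java.type("org.parosproxy.paros.network.HttpHeader"),
    URI: Java.type("org.apache.commons.httpclient.URI")
  };
  return login(helper, classes,
    paramsValues.get("Login page URL"), paramsValues.get("Login POST URL"),
    credentials.getParam("Username"), credentials.getParam("Password"));
}
function getRequiredParamsNames() { return ["Login page URL", "Login POST URL"]; }
function getOptionalParamsNames() { return []; }
function getCredentialsParamsNames() { return ["Username", "Password"]; }

// --- constructed stand-in for ZAP, only so the flow can be exercised offline ---
function fakeZap() {
  function Header(method, uri, version) {
    this.method = method; this.uri = String(uri); this.version = version; this.fields = {};
  }
  Header.GET = "GET"; Header.POST = "POST";
  Header.prototype.addHeader = function (n, v) { this.fields[n] = v; };
  Header.prototype.setHeader = Header.prototype.addHeader;
  Header.prototype.setContentLength = function (n) { this.fields["Content-Length"] = String(n); };
  function Uri(s) { this.s = s; }
  Uri.prototype.toString = function () { return this.s; };
  var helper = {
    prepareMessage: function () {
      var m = { req: null, body: "", resp: "", status: 0 };
      m.setRequestHeader = function (h) { m.req = h; };
      m.getRequestHeader = function () { return m.req; };
      m.setRequestBody = function (b) { m.body = b; };
      m.getRequestBody = function () { return { length: function () { return m.body.length; }, toString: function () { return m.body; } }; };
      m.getResponseBody = function () { return { toString: function () { return m.resp; } }; };
      return m;
    },
    // Fake server: the login page carries a hidden CSRF field; the POST answers
    // with a 301 that is only "followed" when the second argument is true.
    sendAndReceive: function (m, followRedirects) {
      if (m.req.method === "GET") {
        m.status = 200;
        m.resp = '<form><input type="hidden" name="csrf_token" value="tok123"></form>';
      } else {
        m.status = followRedirects ? 200 : 301;
        m.resp = followRedirects ? "<h1>Welcome</h1>" : "";
      }
    }
  };
  return { helper: helper, classes: { HttpRequestHeader: Header, HttpHeader: { HTTP11: "HTTP/1.1", CONTENT_TYPE: "Content-Type" }, URI: Uri } };
}

// Run the flow against the stand-in and report what the POST carried.
function runDemo() {
  var z = fakeZap();
  var post = login(z.helper, z.classes, "https://app.example/login", "https://app.example/login/post", "alice", "s3cret");
  return { method: post.getRequestHeader().method, status: post.status, body: post.getRequestBody().toString(),
           contentLength: post.getRequestHeader().fields["Content-Length"] };
}
```

To use it in ZAP, drop everything from `fakeZap` downwards, save the file as an Authentication script, and fill in "Login page URL", "Login POST URL" and the credentials in the context's authentication settings; `extractCsrfToken` is the part to adapt to the real login form.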

ka51m1r

Nov 22, 2017, 8:25:17 AM
to OWASP ZAP Scripts
Hi,

thanks for your response, that helped me a lot.
I try to set a cookie in the header, but don't get the right syntax.
I think I can call it on the getRequestHeader, but don't get the List<HttpCookie> construct.
void setCookies(List<HttpCookie> cookies)
Construct new "Cookie:" line in request header based on HttpCookies.
Any idea?

Kind regards,
ka51m1r

kingthorin+owaspzap

Nov 22, 2017, 2:11:57 PM
to OWASP ZAP Scripts