Crawling behind an authentication wall


Nathan

Jul 31, 2023, 10:13:25 AM
to zaprox...@googlegroups.com
Hello,

I'm trying to automate ZAP's spider for crawling but am struggling to do it.

I've read a lot about ZAP's API, scripts and Automation Framework but after trying scripts and default form-based authentication without success, I tried the auth tester.

To begin with, if I understood the differences between all of them correctly, an auth script's goal is to obtain a token or session ID before using it in every request that follows (?). My authentication is a bit less friendly, as I'm using more information (session ID, name, token as a Java principal...).
So first, I'm struggling to know what the best choice is for automating ZAP on my application. Do you have some tips on how to decide?

As for the auth tester, it succeeds in logging in and browses the website as an authenticated user, but it doesn't recognize the validation URL or the session ID. That doesn't matter to me, as I just want it to crawl what's behind the auth wall, but when I launch the Spider or the Ajax Spider, both of them only crawl what's before the auth wall. I tried using Force User (but I don't know if it's suited to my problem?) and I tried using a script to ask Selenium to authenticate when starting a new browser session, but it failed.

My main questions are: can I use ZAP to automate crawling behind the auth wall, since the auth tester succeeds in getting past it? And do you think it would be easier to do so with Selenium/Cypress, proxying the packets to ZAP?

Thanks for this free proxy :)
Nathan

psiinon

Aug 3, 2023, 6:11:50 AM
to zaprox...@googlegroups.com
Hi Nathan,

ZAP should be able to handle any form of authentication, as long as you can provide the right information.
For example, if your app uses 2FA and you can't get the 2FA token to ZAP, then there's not much we can do :(

We're trying to get ZAP to autodetect the most common forms of authentication and session handling; however, we know there will always be cases where we can't do this.

Luckily the first thing we implemented was low level support, so you should be able to use that.
You will need to completely understand how your app's authentication and session handling works and then configure ZAP to understand it.

If anything there doesn't make any sense, then do ask here.
And if you think ZAP cannot handle your particular use case, then also let us know; we'll aim to update ZAP to handle such cases.

Many thanks,

Simon



--
ZAP Project leader
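As an added illustration of the low-level configuration Simon describes (this is not code from the thread or from the ZAP project), the plan below is a ZAP Automation Framework file that defines a context with form-based authentication, cookie session management and a user, then runs the Spider and the Ajax Spider as that user so the crawl continues past the login page. All URLs, regexes and credentials are placeholders that would be replaced with the real application's values.

```yaml
# Added example: ZAP Automation Framework plan, run with `zap.sh -cmd -autorun plan.yaml`.
# Every URL, regex and credential below is a placeholder for the target application.
env:
  contexts:
    - name: "app"
      urls:
        - "https://app.example.test"                # placeholder target
      includePaths:
        - "https://app.example.test/.*"
      excludePaths:
        - "https://app.example.test/logout.*"       # stop the crawler logging itself out
      authentication:
        method: "form"                              # 'json', 'http' and 'script' also exist
        parameters:
          loginPageUrl: "https://app.example.test/login"
          loginRequestUrl: "https://app.example.test/login"
          # {%username%} / {%password%} are filled from the user's credentials
          loginRequestBody: "username={%username%}&password={%password%}"
        verification:
          method: "response"                        # judge logged-in state from the response
          loggedInRegex: "\\QLogout\\E"             # placeholder: seen only when authenticated
          loggedOutRegex: "\\QLogin\\E"             # placeholder: seen only on the login page
      sessionManagement:
        method: "cookie"                            # assumption: a session cookie; a token
                                                    # sent in a header needs method "script"
      users:
        - name: "crawler"
          credentials:
            username: "crawler"                     # placeholder credentials
            password: "changeme"
  parameters:
    failOnError: true
    progressToStdout: true
jobs:
  - type: spider
    parameters:
      context: "app"
      user: "crawler"                               # crawl as this user; Force User not needed
      maxDuration: 5
  - type: spiderAjax
    parameters:
      context: "app"
      user: "crawler"
      maxDuration: 5
      browserId: "firefox-headless"
```

The verification regexes are what tells ZAP whether a crawled page is still authenticated, so if the crawl again stops at the login page, check those first, then the session management method.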