username=ZAP&password=ZAP


Tjarda de Vries

Sep 23, 2015, 3:47:22 AM
to OWASP ZAP User Group
Hi team,

I have just started using ZAP and have set up authentication using the HelpStartConceptsAuthentication page. It is a multi-step authentication process using tokens, tickets and redirects. After I set up the authentication, I spidered the web application. The spider doesn't find many URLs because the authentication requests fail. The post data on an authentication request looks as follows:

username=ZAP&password=ZAP&lt=_c7A2F6489-C54F-19C4-65BC-8BCD2292A227_k7F804995-3E91-9913-B797-65DAE733A72C&_eventId=submit

(lt is a token that is handled correctly by ZAP; I have added lt to the list of Anti-CSRF tokens)

The response (HTTP 200) is the login form, where a redirect (302) is expected. The reason the login fails I think is the values of the username and password parameters (ZAP). I have specified a user in the context and tell ZAP to use this user when starting the spidering.

Why doesn't ZAP fill in the right username and password values? What am I doing wrong?

Kind regards, Tjarda.

Simon Bennetts

Sep 24, 2015, 6:25:36 AM
to OWASP ZAP User Group
Hi Tjarda,

Does the authentication script work in other situations?
A good way to test this is using the Forced User mode: https://github.com/zaproxy/zap-core-help/wiki/HelpUiTltoolbar#--force-user-mode-on--off
If that doesn't work then there's an issue with the script or the configuration.
If it does work then it's likely to be the way you are invoking the spider.
We can dig into these when we know which it is :)

Cheers,

Simon

Tjarda de Vries

Sep 24, 2015, 11:35:57 AM
to OWASP ZAP User Group
Hi Simon,

Thanks for your response!

I'm afraid I didn't describe my problem clearly enough: I was using the Form-Based Authentication method.

Now I have recorded a Zest script (username and password are hard coded in the script, but that is ok for now). When I run the script manually it runs ok, no errors in the Zest Results panel. But in the output panel of the script console the message 'javax.script.ScriptException: org.apache.commons.httpclient.URIException: URI-Reference required' appears a number of times.

I then define a context for my web application and tell ZAP to use the script I recorded as the Authentication method. I am not sure what values to put in the Login URL and method fields (I use the URL of the login form and POST, but I am not sure this is correct). I have defined a regex that tells ZAP when you are logged in (\QUITLOGGEN\E). I also have defined a user, but this user is not used, as username/password are (for now) hardcoded in the script.

When I spider the web application, I only find about 40 URLs, so I don't think the spider is actually logging in.

Could you please give some advice on how to proceed?

Kind regards, Tjarda.

Simon Bennetts

Sep 28, 2015, 7:50:40 AM
to OWASP ZAP User Group
Hi Tjarda,

If you use Form-based Authentication then you need to specify the correct login URL etc.; you can't use the Zest script.
To use the Zest script you need to use Script-based Authentication.
If you have hard coded the login URL and authentication parameters then it won't matter what values you put in the fields - they are only needed if you haven't hardcoded the values.

The URIException doesn't sound good - you shouldn't be getting any exceptions if your script runs correctly.
I'd double check that the URLs are correctly set for all of the Requests in the script.
Could you post it here (suitably sanitized) or email it to me directly?

Cheers,

Simon

keides2

Mar 9, 2019, 12:24:23 AM
to OWASP ZAP User Group
Hi,

I also suffer from the same phenomenon.
Could you tell me how to solve it?

The username in the context file is different from the configured value.
Is it a hash?

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<configuration>
  <context>
    <name>context</name>
    <desc/>
    <inscope>true</inscope>
    <incregexes>https://XXXXXX/YYYYYY.*</incregexes>
    <tech>
      <include>Db</include>
      <include>Db.Firebird</include>
      <include>Db.HypersonicSQL</include>
      <include>Db.IBM DB2</include>
      <include>Db.Microsoft Access</include>
      <include>Db.Microsoft SQL Server</include>
      <include>Db.MySQL</include>
      <include>Db.Oracle</include>
      <include>Db.PostgreSQL</include>
      <include>Db.SAP MaxDB</include>
      <include>Db.SQLite</include>
      <include>Db.Sybase</include>
      <include>Language</include>
      <include>Language.ASP</include>
      <include>Language.C</include>
      <include>Language.PHP</include>
      <include>Language.XML</include>
      <include>OS</include>
      <include>OS.Linux</include>
      <include>OS.MacOS</include>
      <include>OS.Windows</include>
      <include>SCM</include>
      <include>SCM.Git</include>
      <include>SCM.SVN</include>
      <include>WS</include>
      <include>WS.Apache</include>
      <include>WS.IIS</include>
      <include>WS.Tomcat</include>
    </tech>
    <urlparser>
      <class>org.zaproxy.zap.model.StandardParameterParser</class>
      <config>{"kvps":"&amp;","kvs":"=","struct":[]}</config>
    </urlparser>
    <postparser>
      <class>org.zaproxy.zap.model.StandardParameterParser</class>
      <config>{"kvps":"&amp;","kvs":"=","struct":[]}</config>
    </postparser>
    <!-- type 2 together with a <form> block is Form-Based Authentication;
         the logged-in indicator regex matches the Japanese greeting "hello" in red -->
    <authentication>
      <type>2</type>
      <loggedin>\Q&lt;font color=red&gt;こんにちは&lt;/font&gt;&lt;BR&gt;&lt;BR&gt;\E</loggedin>
      <form>
        <loginbody>seq={%username%}&amp;post_para=&amp;pass={%password%}&amp;mode=login&amp;__ncforminfo=PwqGAhBGJIYqAFH4DYn1NHX1PBzZbj8rY7OhlDxQx3Ss84nWXZZVkXkPPP5ZEumaU-SP0cUTHypekhV44_Eqn7n7GtZcVon69vx_iWPdkLmcD5TbWo0W6tIRTjFJJcAN</loginbody>
      </form>
    </authentication>
    <!-- one user entry: id;enabled;name;auth type;credentials -->
    <users>
      <user>1;true;dXNlcm5hbWU=;2;MzI0MDAwODY4~MTIyMQ==~</user>
    </users>
    <forceduser>1</forceduser>
    <session>
      <type>0</type>
    </session>
    <authorization>
      <type>0</type>
      <basic>
        <header/>
        <body/>
        <logic>AND</logic>
        <code>-1</code>
      </basic>
    </authorization>
  </context>
</configuration>


Thank you,

keides2


On Monday, September 28, 2015 at 8:50:40 PM UTC+9, Simon Bennetts wrote:
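The question above asks what the `<user>` value in the exported context is. The following is an added example, not code from the thread or from the ZAP project: it parses a context file of the shape posted above and decodes the user entry. The field layout it assumes (`id;enabled;base64(name);auth type;credentials`, with form-based credentials as `base64(username)~base64(password)~`) is my reading of the sample and of ZAP's `User.encode()`; verify it against the ZAP version you run. The sample document and the credentials in it are constructed for the example, not the poster's.

```python
import base64
import xml.etree.ElementTree as ET

# Constructed sample in the same layout as the context file quoted above,
# with made-up user "tester" / credentials alice : s3cret (not the poster's).
SAMPLE_CONTEXT = """<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<configuration>
  <context>
    <name>context</name>
    <authentication>
      <type>2</type>
    </authentication>
    <users>
      <user>1;true;dGVzdGVy;2;YWxpY2U=~czNjcmV0~</user>
    </users>
    <forceduser>1</forceduser>
  </context>
</configuration>
"""


def _b64(text: str) -> str:
    return base64.b64decode(text).decode("utf-8")


def decode_user(entry: str) -> dict:
    """Split one <user> value into named fields.

    Assumed layout (my reading of the sample and of ZAP's User.encode()):
      id ; enabled ; base64(display name) ; auth type ; credentials
    where form-based credentials are base64(username)~base64(password)~ .
    The values are base64, not hashes: they decode back to plaintext.
    """
    parts = entry.strip().split(";")
    if len(parts) != 5:
        raise ValueError(f"unexpected user entry: {entry!r}")
    user_id, enabled, name_b64, auth_type, creds = parts
    cred_fields = [_b64(c) for c in creds.split("~") if c]
    return {
        "id": int(user_id),
        "enabled": enabled == "true",
        "name": _b64(name_b64),
        "auth_type": int(auth_type),
        "username": cred_fields[0] if cred_fields else None,
        "password": cred_fields[1] if len(cred_fields) > 1 else None,
    }


def parse_context(xml_text: str) -> dict:
    """Return the context name, auth type, decoded users and forced user id."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    ctx = root.find("context")
    forced = ctx.findtext("forceduser")
    return {
        "name": ctx.findtext("name"),
        "auth_type": int(ctx.findtext("authentication/type")),
        "users": [decode_user(u.text) for u in ctx.iter("user")],
        # ZAP writes -1 when no forced user is defined (assumption)
        "forced_user": int(forced) if forced and forced != "-1" else None,
    }


def check_forced_user(ctx: dict) -> list:
    """List reasons the context could not authenticate as the intended user."""
    problems = []
    by_id = {u["id"]: u for u in ctx["users"]}
    fid = ctx["forced_user"]
    if fid is None:
        problems.append("no forced user defined in the context")
    elif fid not in by_id:
        problems.append(f"forced user id {fid} does not match any user")
    elif not by_id[fid]["enabled"]:
        problems.append(f"forced user {by_id[fid]['name']!r} is disabled")
    for u in ctx["users"]:
        if not u["username"] or not u["password"]:
            problems.append(f"user {u['name']!r} has empty credentials")
    return problems


if __name__ == "__main__":
    parsed = parse_context(SAMPLE_CONTEXT)
    for user in parsed["users"]:
        print(user["id"], user["name"], "->", user["username"])
    print("problems:", check_forced_user(parsed) or "none")
```

Note what this check cannot tell you: a context file only records which user is the forced user. Whether Forced User mode is actually switched on is a property of the running session, so a clean result here does not mean the spider will log in.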

hauschu...@gmail.com

Mar 11, 2019, 4:27:43 AM
to OWASP ZAP User Group
You are right, the spider won't log in unless you set Forced User Mode! 

keides2

Mar 11, 2019, 6:24:45 AM
to zaprox...@googlegroups.com
Thank you for your reply.
I have set the forced user mode as follows, though.

    <users>
      <user>1;true;dXNlcm5hbWU=;2;MzI0MDAwODY4~MTIyMQ==~</user>
    </users>
    <forceduser>1</forceduser>


hauschu...@gmail.com

Mar 11, 2019, 7:22:45 AM
to OWASP ZAP User Group
Great!

Once you have applied the steps Simon mentions above, if you still have a problem, take a screenshot of what it is doing and the errors you see. If you are not using the UI, I recommend using the UI during the setup and tuning process because it is much easier to troubleshoot. 

keides2

Mar 15, 2019, 1:49:51 AM
to OWASP ZAP User Group
Sorry for my late reply.

I am sending you images of the moment when the username and password used for login become ZAP, and an image of the session properties (authentication) at that time.

Thank you,

Keides2
On Monday, March 11, 2019 at 8:22:45 PM UTC+9, hauschu...@gmail.com wrote:

Attachments: login-NG2.png, user.PNG, forced-user.PNG, session-property2.png

hauschu...@gmail.com

Mar 15, 2019, 3:29:16 AM
to OWASP ZAP User Group
It looks set up correctly from what I can see. You also need to click on the lock icon to enable forced user mode! (The option in the session just defines it; it doesn't turn it on.)

Attachment: Untitled.jpg
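The reply above draws the distinction that keeps tripping people up: the context dialog only records which user is the forced user, and the padlock on the toolbar (or the API) is what turns the mode on. The following is an added example, not code from the thread or from the ZAP project, showing both steps done through the ZAP API from Python so the spider can be started as that user. The API method names (`context.context`, `users.users_list`, `forcedUser.set_forced_user`, `forcedUser.set_forced_user_mode_enabled`, `forcedUser.is_forced_user_mode_enabled`, `spider.scan_as_user`) are those of the python-owasp-zap-v2.4 client as I recall them, and the context name, user name, API key, proxy address and target URL are placeholders; check all of them against your installed client.

```python
"""Define the forced user and switch Forced User mode on via the ZAP API.

Added example. The functions take a ZAP client object (python-owasp-zap-v2.4
style) as a parameter, so they can be exercised against a stand-in too.
"""


def context_id(zap, context_name: str) -> str:
    """Look up the numeric id ZAP assigned to a named context."""
    return zap.context.context(context_name)["id"]


def user_id(zap, ctx_id: str, user_name: str) -> str:
    """Find the id of a user defined in the context, by its display name."""
    for user in zap.users.users_list(ctx_id):
        if user["name"] == user_name:
            return user["id"]
    raise LookupError(f"no user {user_name!r} defined in context {ctx_id}")


def enable_forced_user(zap, context_name: str, user_name: str) -> bool:
    """Do both steps: define the forced user AND enable the mode.

    Returns True only if ZAP reports the mode as enabled afterwards.
    """
    cid = context_id(zap, context_name)
    uid = user_id(zap, cid, user_name)
    # Step 1: what the context's "Forced User" panel records.
    zap.forcedUser.set_forced_user(cid, uid)
    # Step 2: what the padlock icon on the toolbar does. Without this,
    # step 1 alone changes nothing about how requests are sent.
    zap.forcedUser.set_forced_user_mode_enabled(True)
    state = zap.forcedUser.is_forced_user_mode_enabled()
    return str(state).lower() == "true"


def spider_as_forced_user(zap, context_name: str, user_name: str, target: str) -> str:
    """Enable the mode, then start the spider as that user; returns the scan id."""
    if not enable_forced_user(zap, context_name, user_name):
        raise RuntimeError("Forced User mode did not switch on; check the context/user")
    cid = context_id(zap, context_name)
    uid = user_id(zap, cid, user_name)
    return zap.spider.scan_as_user(cid, uid, url=target)


if __name__ == "__main__":
    # Only needed when run for real: pip install python-owasp-zap-v2.4
    from zapv2 import ZAPv2

    # Placeholder API key, proxy address, context, user and target (assumptions).
    zap = ZAPv2(
        apikey="changeme",
        proxies={"http": "http://127.0.0.1:8080", "https": "http://127.0.0.1:8080"},
    )
    scan_id = spider_as_forced_user(zap, "context", "tester", "https://example.test/")
    print("spider scan id:", scan_id)
```

If `is_forced_user_mode_enabled` still reports false after the call, the usual causes are an API key mismatch (the request was rejected silently by a client that ignores errors) or a user that is disabled in the context.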

kingthorin+owaspzap

Mar 15, 2019, 7:29:41 AM
to OWASP ZAP User Group
Are you sure your logged-in indicator is working?

keides2

Mar 15, 2019, 8:41:10 AM
to zaprox...@googlegroups.com
Thank you for your advice!
Certainly this image shows it unlocked, but it was locked when I was trying out various things.

When I create a new session and try out the spider's start position and the context, it seems that login is successful.

However, I do not know how to redo it correctly so that it works correctly.
