Header Based Session Management


Simon Bennetts

Feb 9, 2023, 4:30:38 AM2/9/23
to OWASP ZAP User Group
ZAP now supports header based session management (using an arbitrary number of headers) c/o the latest Authentication Helper add-on:


Previously you would have had to use a session management script to handle this case.

This is all part of the ongoing authentication improvement work detailed on https://www.zaproxy.org/blog/2023-01-19-authentication-help/#what-is-coming-next

Have a play with it and let us know if you have any problems, questions, or suggestions.

Many thanks,

Simon

Johny White

Feb 28, 2023, 4:53:11 AM2/28/23
to OWASP ZAP User Group
Hello Simon! I tried the Authentication Helper; it works in regular scans in the UI. But when I try to run through the AF UI, the scan does not run and my context is reset :(

Johny White

Feb 28, 2023, 5:00:35 AM2/28/23
to OWASP ZAP User Group
I see in the logs:

2023-02-28 12:57:19,081 [AWT-EventQueue-0] INFO  VariantGraphQl - Parsing message body failed: Cannot invoke "Object.toString()" because the return value of "net.sf.json.JSONObject.get(String)" is null
2023-02-28 12:57:25,002 [AWT-EventQueue-0] INFO  VariantGraphQl - Parsing message body failed: Cannot invoke "Object.toString()" because the return value of "net.sf.json.JSONObject.get(String)" is null
2023-02-28 12:57:53,022 [ZAP-Automation] ERROR UncaughtExceptionLogger - Exception in thread "ZAP-Automation"
java.lang.NullPointerException: Cannot invoke "String.toLowerCase(java.util.Locale)" because the return value of "org.zaproxy.addon.automation.SessionManagementData.getMethod()" is null
at org.zaproxy.addon.automation.SessionManagementData.initContextSessionManagement(SessionManagementData.java:131) ~[?:?]
at org.zaproxy.addon.automation.ContextWrapper.createContext(ContextWrapper.java:318) ~[?:?]
at org.zaproxy.addon.automation.AutomationEnvironment.create(AutomationEnvironment.java:127) ~[?:?]
at org.zaproxy.addon.automation.ExtensionAutomation.runPlan(ExtensionAutomation.java:337) ~[?:?]
at org.zaproxy.addon.automation.ExtensionAutomation.lambda$runPlanAsync$2(ExtensionAutomation.java:378) ~[?:?]
at java.lang.Thread.run(Thread.java:833) ~[?:?]

Simon Bennetts

Feb 28, 2023, 5:22:16 AM2/28/23
to OWASP ZAP User Group
Is this when running the AF plan in the desktop or from the command line?
Have you defined the Session Management method in your YAML?
Can you share a sanitized version of the env section of your YAML?

Cheers,

Simon

Johny White

Feb 28, 2023, 5:47:48 AM2/28/23
to OWASP ZAP User Group
1. AF on the desktop
2. I expected that ZAP itself would generate the correct YAML based on the context (Desktop).
3. I am attaching the yaml file after generation based on the context, which works if you run a regular spider on the desktop. But the feeling is that AF cannot recognize the Header-based Session Management.

Thank you


header.yaml

Simon Bennetts

Feb 28, 2023, 6:41:36 AM2/28/23
to OWASP ZAP User Group
There is no session management defined in the YAML:
    sessionManagement:
      parameters: {}

The code should not NPE, but you will still need to define this correctly.
Did you configure the session management in the desktop first and then create the AF plan from that?
That _should_ work, but we know that the core does need to change to make it easier to make both authentication and session management methods more pluggable.

The YAML format for header based session management is like this:

    sessionManagement:
      method: "headers"
      parameters:
        authorization: "{%header:authorization%}"

You can define any number of headers and use tokens as per https://www.zaproxy.org/docs/desktop/addons/authentication-helper/session-header/

Cheers,

Simon
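The two env snippets above (the generated block with `parameters: {}` and no method, which the AF NPE'd on, and the header based one) as an added check that is not part of the thread or of ZAP itself: a small validator for the sessionManagement section of a parsed AF plan. It assumes the plan has already been loaded into a dict (for example with PyYAML), so the script itself needs no extra dependencies.

```python
import re

# Token syntax for header based session management, as in the example above:
# "{%header:authorization%}" takes the named header from the login response.
HEADER_TOKEN = re.compile(r"\{%header:[^%{}]+%\}")


def check_context(ctx):
    """Return a list of problems with one context's sessionManagement block."""
    name = ctx.get("name", "<unnamed>")
    sm = ctx.get("sessionManagement")
    if not isinstance(sm, dict):
        return [f"{name}: no sessionManagement block"]
    method = sm.get("method")
    if not method:
        # The generated block from the thread (parameters: {} and no method);
        # AF 0.24.0 hit a NullPointerException on exactly this input.
        return [f"{name}: sessionManagement.method is missing"]
    if method != "headers":
        return []  # other methods are not checked by this script
    params = sm.get("parameters")
    if not isinstance(params, dict) or not params:
        return [f"{name}: headers method needs at least one header in parameters"]
    problems = []
    for header, value in params.items():
        if not isinstance(value, str):
            problems.append(f"{name}: header {header!r} value must be a string")
        elif "{%" in value and not HEADER_TOKEN.search(value):
            problems.append(f"{name}: header {header!r} has a malformed token: {value!r}")
    return problems


def check_plan(plan):
    """Run check_context over every context in env.contexts of a parsed plan."""
    contexts = plan.get("env", {}).get("contexts", [])
    return [p for ctx in contexts for p in check_context(ctx)]


# Constructed sample: the parsed form of the two env snippets from the thread.
SAMPLE_PLAN = {
    "env": {
        "contexts": [
            {"name": "generated", "sessionManagement": {"parameters": {}}},
            {"name": "https://test.net:5000",
             "sessionManagement": {"method": "headers",
                                   "parameters": {"authorization": "{%header:authorization%}"}}},
        ]
    }
}

if __name__ == "__main__":
    for problem in check_plan(SAMPLE_PLAN):
        print(problem)
```

Running it reports only the generated context, which is the one the AF could not start with.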

Johny White

Feb 28, 2023, 7:26:15 AM2/28/23
to OWASP ZAP User Group
Yes, I configured the session management first on the desktop and then created a plan from that. But when automatically creating a plan from a properly configured context, the session management field is empty.

I tried to change the YAML manually and import it into ZAP Desktop and got the error:
[AWT-EventQueue-0] ERROR CommandLine - Invalid session management method: {method=headers, parameters={authorization={%header:authorization%}}}
Screenshot from 2023-02-28 15-18-18.png
Screenshot from 2023-02-28 15-21-33.png
Screenshot from 2023-02-28 15-24-19.png
ZAP version 2.12.0
AF version 0.24.0
Authentication Helper version 0.2.0

Thanks

Simon Bennetts

Feb 28, 2023, 7:40:51 AM2/28/23
to OWASP ZAP User Group
Ah!
My bad - there's an enhancement to support dynamically loaded session management methods in the AF which I thought was released.
I'll look into releasing a new version asap...

Cheers,

Simon

Simon Bennetts

Feb 28, 2023, 8:01:55 AM2/28/23
to OWASP ZAP User Group
OK, AF version 0.25.0 has now been released :)
Can you try that and see if it solves this problem?

Cheers,

Simon

Johny White

Feb 28, 2023, 8:04:13 AM2/28/23
to OWASP ZAP User Group
OK, Thanks!

Johny White

Feb 28, 2023, 8:15:02 AM2/28/23
to OWASP ZAP User Group
Yes, now it works fine.
Thanks for the help, Simon!

Zeeshan Ali

Jun 1, 2023, 2:41:39 PM6/1/23
to OWASP ZAP User Group
Hi Simon,

I updated the AF to the latest 0.28.0, and I am trying to use the "headers" session management. I am able to load the plan (pasted below) in the ZAP UI, however when I click on Run Plan within the UI, it fails with the error "Invalid SessionManagement "headers"".

Here is the snippet of the YAML:

---
env:
  contexts:
  - name: "https://test.net:5000"
    urls:
    - "https://test.net:5000"
    includePaths:
    - "https://test.net:5000.*"
    excludePaths: []
    authentication:
      method: "json"
      parameters:
        loginRequestBody: "{\"user_id\":\"{%username%}\",\"password\":\"{%password%}\"\
          }"
        loginPageUrl: "https://test.net:5000/sign-in"
        loginRequestUrl: "https://test:8443/api/user/login"
      verification:
        method: "response"
        pollFrequency: 60
        pollUnits: "requests"
        pollUrl: ""
        pollPostData: ""
    sessionManagement:
      method: "headers"
      parameters:
        authorization: "Bearer {%header:authorization%}"
    technology:
      exclude: []
    users:
    - name: "zeeshu26"
      credentials:
        password: "*********"
        username: "te...@gmail.com"
  parameters:
    failOnError: true
    failOnWarning: false
    progressToStdout: true
  vars: {}
jobs:


What am I doing wrong here?

psiinon

Jun 6, 2023, 5:16:08 AM6/6/23
to zaprox...@googlegroups.com
Have you updated all of the other add-ons?
In particular the Automation Helper one - that's the add-on which defines header based session management.

Cheers,

Simon



--
OWASP ZAP Project leader