Authentication script problem, Application gets logged out even after excluded the logout page in context


Thoni A

Mar 29, 2021, 1:01:50 PM
to OWASP ZAP User Group
Hi All,
I am facing a problem with authentication.
I created an app_auth.js script and loaded the script with parameters in the context.
I enabled forced user mode and opened a page in the target app; the script runs, launches a browser and logs in to the application.
After logging in to the application, when I click the logout button of my application it logs out, even though I excluded the logout page in the context's Exclude list and forced user mode is enabled.

Can you provide a solution for how to avoid the application logging out, given that the logout page is excluded in the context and forced user mode is enabled?
Can you point out any mistake in my script?

Below is the app_auth.js script:
var HttpRequestHeader = Java.type('org.parosproxy.paros.network.HttpRequestHeader');
var HttpHeader = Java.type('org.parosproxy.paros.network.HttpHeader');
var URI = Java.type('org.apache.commons.httpclient.URI');
var AuthenticationHelper = Java.type('org.zaproxy.zap.authentication.AuthenticationHelper');
var Cookie = Java.type('org.apache.commons.httpclient.Cookie');
var By = Java.type('org.openqa.selenium.By');
var Thread = Java.type('java.lang.Thread');
var Control = Java.type('org.parosproxy.paros.control.Control');
var ExtensionSelenium = Java.type('org.zaproxy.zap.extension.selenium.ExtensionSelenium');

// Selenium extension: used to launch a browser whose traffic is proxied through ZAP.
var extSel = Control.getSingleton().getExtensionLoader().getExtension(ExtensionSelenium.class);

function authenticate(helper, paramsValues, credentials) {
    print("Authenticating via JavaScript script...");

    // Launch Firefox proxied via ZAP so the login traffic is recorded in the session.
    var wd = extSel.getWebDriverProxyingViaZAP(5, "firefox");
    wd.get("https:app/login");
    Thread.sleep(1000);

    // Field names come from the script parameters configured in the context
    // (Username_field / Password_field); credentials come from the context user.
    wd.findElement(By.name(paramsValues.get("Username_field"))).sendKeys(credentials.getParam("Username"));
    // Type the password as-is: URL-encoding it here would submit a wrong value
    // whenever it contains characters such as '@', '&' or '%'.
    wd.findElement(By.name(paramsValues.get("Password_field"))).sendKeys(credentials.getParam("Password"));
    wd.findElement(By.id("tand")).click();
    wd.findElement(By.id("signin-submit")).click();

    // Fetch an authenticated page through ZAP so the returned message can be
    // checked against the logged-in / logged-out indicators below.
    var requestUri = new URI("https:app/auth/home.html", false);
    var requestHeader = new HttpRequestHeader(HttpRequestHeader.GET, requestUri, HttpHeader.HTTP11);
    var msg = helper.prepareMessage();
    msg.setRequestHeader(requestHeader);
    helper.sendAndReceive(msg);
    return msg;
}

// This function is called during the script loading to obtain a list of the names of the required configuration parameters,
// that will be shown in the Session Properties - Authentication panel for configuration. They can be used
// to input dynamic data into the script, from the user interface (e.g. a login URL, name of POST parameters etc.)
function getRequiredParamsNames() {
    return ["Username_field", "Password_field"];
}

// This function is called during the script loading to obtain a list of the names of the optional configuration parameters,
// that will be shown in the Session Properties - Authentication panel for configuration. They can be used
// to input dynamic data into the script, from the user interface (e.g. a login URL, name of POST parameters etc.)
function getOptionalParamsNames() {
    return [];
}

// This function is called during the script loading to obtain a list of the names of the parameters that are required,
// as credentials, for each User configured corresponding to an Authentication using this script
function getCredentialsParamsNames() {
    return ["Username", "Password"];
}

// This optional function is called during the script loading to obtain the logged in indicator.
// NOTE: although optional this function must be implemented along with the function getLoggedOutIndicator().
// The value is a Java regex; \Q...\E quotes the literal text.
function getLoggedInIndicator() {
    return "\\QServer Home\\E";
}

// This optional function is called during the script loading to obtain the logged out indicator.
// NOTE: although optional this function must be implemented along with the function getLoggedInIndicator().
function getLoggedOutIndicator() {
    return "\\QSign In\\E";
}

Regards
Thoni

Thoni A

Mar 30, 2021, 1:28:31 PM
to OWASP ZAP User Group
Hi All,

Can anyone please provide an update on the above question? Thank you.

Regards
Thoni

kingthorin+owaspzap

Mar 30, 2021, 2:06:11 PM
to OWASP ZAP User Group
Exclusions aren't applied to forced user when proxying, proxying in forced user mode simply provides a means to test authentication setup (by accessing a resource that requires you to be logged in and it logging you in). Since you are still manually using a browser there's nothing to prevent you from clicking the logout button. However, if the logout URL is excluded then the scanner and spiders should not access it, unless there are multiple avenues to logout in which case they all need to be excluded. Also if the logout is JavaScript based and not tied to a URL then there's a chance that the Ajax spider may still access it and there's not really a way around that (although I also don't see how a logout could be fully clientside).
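To illustrate the "all avenues to logout need to be excluded" point above, here is an added example (not from the thread or from ZAP itself) that checks a set of context exclude regexes against the logout URLs an application exposes. It assumes ZAP matches a context regex against the whole URL (Java `Pattern.matches` semantics) and that the simple patterns below behave the same in the JavaScript and Java regex dialects; the URLs are constructed sample values.

```javascript
// Constructed sample: the logout "avenues" an application might expose,
// including a logout link that carries a query string.
const LOGOUT_URLS = [
  'https://app.example.com/logout',
  'https://app.example.com/logout?returnTo=%2Fhome',
  'https://app.example.com/auth/signout',
  'https://app.example.com/api/session/destroy',
];

// Emulate ZAP's whole-URL matching of a context regex (assumption: ZAP uses
// Java Pattern.matches, so the regex must cover the entire URL).
function fullMatch(regexSource, url) {
  return new RegExp('^(?:' + regexSource + ')$').test(url);
}

// Return the logout URLs that no exclude regex covers, i.e. the ones a
// spider or scanner could still request and thereby end the session.
function uncoveredLogouts(excludeRegexes, urls) {
  return urls.filter(u => !excludeRegexes.some(re => fullMatch(re, u)));
}

// A narrow exclusion as typically typed into "Exclude from Context":
// it misses the query-string variant and the other two logout endpoints.
const NARROW_EXCLUDES = ['https://app.example.com/logout'];

// Exclusions that cover every avenue, with or without query parameters.
const COMPLETE_EXCLUDES = [
  'https://app\\.example\\.com/logout(\\?.*)?',
  'https://app\\.example\\.com/auth/signout(\\?.*)?',
  'https://app\\.example\\.com/api/session/destroy(\\?.*)?',
];

console.log('still reachable with narrow excludes:',
  uncoveredLogouts(NARROW_EXCLUDES, LOGOUT_URLS));
console.log('still reachable with complete excludes:',
  uncoveredLogouts(COMPLETE_EXCLUDES, LOGOUT_URLS));
```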

Samee Ijaz

Apr 9, 2021, 5:44:09 PM
to zaprox...@googlegroups.com

After our JavaScript script-based authentication is run, the 1st window opens and gets authenticated as expected. The 2nd window that we opened manually after the 1st window has already been authenticated keeps refreshing the browser and is throwing "SyntaxError: An invalid or illegal string was specified". This is failing due to management.js line 79 and line 55. Does anyone have an idea why this issue is occurring / why this window continues to refresh?

Script authentication.png



Regards
Samee



Simon Bennetts

Apr 12, 2021, 4:36:48 AM
to OWASP ZAP User Group
That error implies that you have the HUD enabled.
Try disabling it.
The HUD will definitely complicate things if you are doing any sort of authentication.

Cheers,

Simon

Samee Ijaz

Apr 12, 2021, 1:28:15 PM
to OWASP ZAP User Group
We tried disabling HUD and are still seeing the refreshes occur. Stepping through the exceptions thrown, there are many of them. The screenshot below is the last exception thrown before the page refreshes again. Is there a particular exception or any other factors that would cause this page to continuously refresh? Any insight to resolve the issue is appreciated.

MicrosoftTeams-image (40).png


Regards
Samee

Samee Ijaz

Apr 13, 2021, 11:37:27 AM
to OWASP ZAP User Group
To explain our issue further, the authentication script written in JavaScript that uses "wd.get" opens a window and authenticates the user as expected, and the page does not continuously refresh, as expected. The problem is that after this authentication script has completed and the 1st window has been authenticated, we want to run the Ajax Spider. The Ajax Spider opens a 2nd window with the user logged in. However, this 2nd window keeps refreshing the page and does not allow the Ajax Spider to complete its testing. We are trying to understand why this 2nd window opened by the Ajax Spider continues to refresh on its own. The above Web Developer Debugger screenshot is from this 2nd window that keeps refreshing.

Regards
Samee