How to record ZEST script for authentication having CSRF Token


Prashanth Kumar

Aug 24, 2018, 2:22:43 AM
to OWASP ZAP User Group
Hi All,

I have a requirement to record web app authentication which has a CSRF token in it. Since this is behind OWASP authentication I need to record the script using Zest. Could someone please help with how to record the authentication script?

Any help in this will be greatly appreciated. Thank you!



Thanks,
Prashanth

thc...@gmail.com

Aug 24, 2018, 11:28:34 AM
to zaprox...@googlegroups.com
Hi.

Make sure that the anti-CSRF token is already known to ZAP [1], then you
just need to record it. [2] Hopefully the recorded script will have the
token automatically set (if not you can do adjustments manually after).


[1] https://github.com/zaproxy/zap-core-help/wiki/HelpUiDialogsOptionsAnticsrf
[2] https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsZestZest

Best regards.

Prashanth Kumar

Aug 27, 2018, 7:37:45 AM
to OWASP ZAP User Group
Hi,

Thanks for the detailed steps. Now I'm able to record the authentication script. There is no error when you record the HTTP requests in record mode. But after recording, when we replay the same script, a few requests are throwing 401/302 errors instead of a 200 HTTP status code. The login and validate-user-account requests are successful but, after that, the subsequent requests are throwing 401/302 errors. When I compare the HTTP request with the original request there is no change.


Even if we replay the recorded script right after recording it, it is failing. What could be the reason? Are there some settings to be changed? Please confirm...

Thanks,
Prashanth

Prashanth Kumar

Aug 27, 2018, 8:02:22 AM
to OWASP ZAP User Group
Attaching the ZAP test results report.


On Monday, 27 August 2018 17:07:45 UTC+5:30, Prashanth Kumar wrote:
Hi,

Thanks for the detailed steps. Now I'm able to record the authentication script. There is no error when you record the HTTP requests in record mode. But after recording, when we replay the same script, a few requests are throwing 401/302 errors instead of a 200 HTTP status code. The login and validate-user-account requests are successful but, after that, the subsequent requests are throwing 401/302 errors. When I compare the HTTP request with the original request there is no change. Please refer to the attached ZAP test results for more information.

Prashanth Kumar

Aug 28, 2018, 7:36:17 AM
to OWASP ZAP User Group
Hi,

Did you get a chance to look at the attached screenshot? Basically, when you run the recorded script, the same HTTP requests are throwing 401 errors instead of a 200 status code.


Thanks,
Prashanth

Vishal Limbani

Aug 21, 2020, 1:22:02 AM
to OWASP ZAP User Group
I am facing the same issue, getting an unauthorized issue in ZAP. The token is exactly the same one which is working well in Postman.

If there is any link then please provide the same.


Thanks,
Vishal

kingthorin+owaspzap

Aug 21, 2020, 10:31:52 AM
to OWASP ZAP User Group

Vishal Limbani

Aug 24, 2020, 12:15:29 PM
to zaprox...@googlegroups.com, psi...@gmail.com, kingt...@gmail.com
Thanks, I have read thoroughly and got some success.

I have successfully added GET and POST APIs in the Zest section, but if I am passing a JSON body then there is an error.

What I observed is that the Zest request sends the API body in plain text and not in JSON format. My application requires a JSON request.

Also tried sending the JSON request in the body directly, but it didn't work. Is there any way to provide a JSON request in the API body from the Zest Request option?

@psi...@gmail.com @kingt...@gmail.com: it seems there needs to be an improvement in the Zest request option.

Just an FYI: I have checked the server logs as well; I am getting a bad request error.

Let me know if there are any questions.

Thanks,
Vishal Limbani
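A Zest script of the shape that thc...'s steps and Vishal's JSON-body problem call for, added here as an illustration and not taken from the thread or from the ZAP project: the anti-CSRF token is pulled from the login page at run time with a ZestAssignRegexDelimiters statement, so a replay does not reuse the stale token literal that a plain recording contains (one cause of 401/302 on replay), and the POST carries an explicit Content-Type header so the JSON string in "data" is not handed to the server as plain text. The host, the csrf_token input markup, the credential placeholders and the exact statement field names are assumptions from my reading of the Zest format; compare them against a script exported from your own ZAP, since the format varies by Zest version.

```json
{
  "about": "Added example script, not from the thread. Extracts the anti-CSRF token at run time and posts a JSON body.",
  "zestVersion": "0.8",
  "title": "Login with anti-CSRF token and JSON body",
  "type": "StandAlone",
  "parameters": {
    "tokenStart": "{{",
    "tokenEnd": "}}",
    "tokens": { "username": "tester", "password": "CHANGE-ME-placeholder" },
    "elementType": "ZestVariables"
  },
  "statements": [
    {
      "url": "https://app.example.test/login",
      "method": "GET",
      "headers": "",
      "data": "",
      "assertions": [
        { "rootExpression": { "code": 200, "not": false, "elementType": "ZestExpressionStatusCode" },
          "elementType": "ZestAssertion" }
      ],
      "followRedirects": true,
      "index": 1,
      "enabled": true,
      "elementType": "ZestRequest"
    },
    {
      "prefix": "name=\"csrf_token\" value=\"",
      "postfix": "\"",
      "location": "BODY",
      "variableName": "csrf_token",
      "index": 2,
      "enabled": true,
      "elementType": "ZestAssignRegexDelimiters"
    },
    {
      "url": "https://app.example.test/api/login",
      "method": "POST",
      "headers": "Content-Type: application/json\r\n",
      "data": "{\"username\": \"{{username}}\", \"password\": \"{{password}}\", \"csrf_token\": \"{{csrf_token}}\"}",
      "assertions": [
        { "rootExpression": { "code": 200, "not": false, "elementType": "ZestExpressionStatusCode" },
          "elementType": "ZestAssertion" }
      ],
      "followRedirects": false,
      "index": 3,
      "enabled": true,
      "elementType": "ZestRequest"
    }
  ],
  "authentication": [],
  "index": 0,
  "enabled": true,
  "elementType": "ZestScript"
}
```

If the server still answers 401 after the token is fresh, compare the session cookie on the replayed request with the recorded one: a token is usually bound to the session that issued it, so a valid-looking token sent with a different or expired session is rejected too.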



eri...@augment1security.com

Sep 16, 2020, 12:08:13 PM
to OWASP ZAP User Group
Hi all,

For those who might want to get up to speed on Zest, I hope you find these 2 blog posts helpful.
