ZAP API Authentication issues


zapro...@gmail.com

Jan 12, 2015, 5:56:25 AM1/12/15
to zaproxy...@googlegroups.com
Hi.

We are trying to use ZAP's API to spider a site as part of an automation project in Java. We're using:

1. API ver - 2.8
2. ZAP ver - 2.3.0.1
3. Java ver - 7

We're trying to accomplish:

1. Start ZAP
2. Spider site.
3. Run Report.

We can do all the above no problem, but the spider only reaches pages that don't require authentication, and the problem is we cannot authenticate ZAP via its API.

We've examined loads of other topics in this forum but cannot get anything working yet. Can you guys kindly show us where we're going wrong? We've tried lots of different approaches in Java, and the current one I'm working on is this:

        // Assumed imports for the snippet (the post omits them).
        import java.io.BufferedWriter;
        import java.io.FileWriter;
        import java.net.URLEncoder;
        import java.util.List;

        import org.zaproxy.clientapi.core.Alert;
        import org.zaproxy.clientapi.core.ClientApi;
        import org.zaproxy.clientapi.gen.Authentication;
        import org.zaproxy.clientapi.gen.Spider;

        public class ZapSpiderReport {

            // Values the snippet referenced but never declared (placeholders).
            static final String API_KEY = "CHANGE-ME";                // the key set in ZAP's API options
            static final String WEBSITE = "http://app.example/login"; // placeholder target

            public static void main(String[] args) throws Exception {
                ClientApi api = new ClientApi("localhost", 8023);
                Authentication authApi = new Authentication(api);

                String contextId = "1";
                String loginUrl = WEBSITE;
                String loginRequestData = "username={%username%}&password={%passwd%}";

                StringBuilder formBasedConfig = new StringBuilder();
                formBasedConfig.append("loginUrl=").append(URLEncoder.encode(loginUrl, "UTF-8"));
                formBasedConfig.append("&loginRequestData=").append(URLEncoder.encode(loginRequestData, "UTF-8"));

                System.out.println("Setting form based authentication configuration as: " + formBasedConfig);
                authApi.setAuthenticationMethod(API_KEY, contextId, "formBasedAuthentication", formBasedConfig.toString());

                // Check if everything is set up ok
                System.out.println("Authentication config: " + authApi.getAuthenticationMethod(contextId).toString(0));

                // The original also called setOptionSkipURLString(apiKey, WEBSITE); that option makes the
                // spider skip URLs containing the string, i.e. the target itself, so it is left unset here.
                final Spider spider = new Spider(api);
                spider.scan(API_KEY, WEBSITE); // the original passed the literal "WEBSITE" instead of the variable

                // Poll until the spider reports 100%; sleep instead of spinning on the API.
                while (!spider.status().toString(0).contains("100")) {
                    Thread.sleep(1000);
                }

                // Page through all alerts and write them to the report; try-with-resources closes the file.
                int pageSize = 100;
                try (BufferedWriter writer = new BufferedWriter(new FileWriter("Report.txt"))) {
                    for (int start = 0; ; start += pageSize) {
                        List<Alert> page = api.getAlerts("", start, pageSize);
                        if (page.isEmpty()) {
                            break;
                        }
                        for (Alert alert : page) {
                            System.out.println(alert);
                            writer.write(alert.toString());
                            writer.newLine();
                        }
                    }
                }

                System.out.println("\n\nDone");
            }
        }

Stephen de Vries

Jan 12, 2015, 6:10:57 AM1/12/15
to zaproxy...@googlegroups.com

> We're trying to accomplish:
>
> 1. Start ZAP
> 2. Spider site.
> 3. Run Report.

As a work-around, you could authenticate using Selenium through ZAP. This has the added benefit that you can do more complex navigation and filling out of forms with Selenium steps, before invoking ZAP’s spider.

Here’s an example project (https://github.com/continuumsecurity/zap-webdriver) that implements the following workflow:

1. Create Selenium browser that’s configured to use ZAP as a proxy
2. Login to the app and navigate using Selenium steps
3. Invoke ZAP’s spider
4. Invoke ZAP’s scanner
5. Fail tests based on scanner output
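Worked example added here by the editor; it is not code from Stephen's zap-webdriver project or from this thread. It shows steps 1 to 3 of the workflow above: a Firefox WebDriver whose HTTP and HTTPS traffic goes through ZAP, a scripted login, and then the spider started through the ZAP API. Assumptions: ZAP listening on localhost:8023, Selenium 3 or later with geckodriver on the PATH, the 2.3-era ZAP Java client (API key as the first argument of actions), and a constructed login form at LOGIN_URL with fields named "username" and "password".

```java
import org.openqa.selenium.By;
import org.openqa.selenium.Proxy;
import org.openqa.selenium.WebDriver;
import org.openqa.selenium.firefox.FirefoxDriver;
import org.openqa.selenium.firefox.FirefoxOptions;
import org.zaproxy.clientapi.core.ClientApi;
import org.zaproxy.clientapi.gen.Spider;

public class SeleniumThroughZap {
    private static final String ZAP_HOST = "localhost";
    private static final int ZAP_PORT = 8023;
    private static final String API_KEY = "CHANGE-ME";                  // placeholder: your ZAP API key
    private static final String LOGIN_URL = "http://app.example/login"; // constructed target

    public static void main(String[] args) throws Exception {
        // 1. Browser that sends all HTTP and HTTPS traffic through ZAP.
        Proxy zapProxy = new Proxy();
        zapProxy.setHttpProxy(ZAP_HOST + ":" + ZAP_PORT)
                .setSslProxy(ZAP_HOST + ":" + ZAP_PORT);
        FirefoxOptions options = new FirefoxOptions();
        options.setProxy(zapProxy);
        WebDriver driver = new FirefoxDriver(options);
        try {
            // 2. Log in with real browser steps; ZAP records the request and the server's reply
            //    (including any session cookie) because it sits between the browser and the app.
            driver.get(LOGIN_URL);
            driver.findElement(By.name("username")).sendKeys("tester");   // constructed test account
            driver.findElement(By.name("password")).sendKeys("s3cret");
            driver.findElement(By.name("password")).submit();
            // Any further navigation added here (multi-step forms, wizards) is recorded the same way.
        } finally {
            driver.quit();
        }

        // 3. Start the spider through the API; it runs inside the session ZAP tracked during the login,
        //    which is the effect Stephen describes for a real browser proxied through ZAP.
        ClientApi api = new ClientApi(ZAP_HOST, ZAP_PORT);
        Spider spider = new Spider(api);
        spider.scan(API_KEY, LOGIN_URL);
        while (!spider.status().toString(0).contains("100")) {
            Thread.sleep(1000);
        }
        System.out.println("Spider finished; alerts so far: " + api.getAlerts("", 0, 100).size());
    }
}
```

For HTTPS targets the browser profile must trust ZAP's root CA (exported from ZAP's dynamic SSL certificate options), otherwise the proxied login fails on a certificate error before ZAP ever sees the credentials.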

zapro...@gmail.com

Jan 12, 2015, 6:26:24 AM1/12/15
to zaproxy...@googlegroups.com
Thanks for the swift response stephendv.

We tried the selenium approach weeks ago and abandoned it because it wasn't working for us - In code we used webdriver to login to the site and then kick off the spider. Still, pages that required authentication didn't show up. We cannot pass the authenticated session over to ZAP.

Do you mean that if instead of just logging in using selenium we need to navigate through the whole site before getting ZAP to spider it? What about ZAP's authenticated session?

Thanks & Regards.

zapro...@gmail.com

Jan 12, 2015, 6:27:45 AM1/12/15
to zaproxy...@googlegroups.com
Oh by the way I cannot access github from where I am right now.

thc...@gmail.com

Jan 12, 2015, 8:52:04 AM1/12/15
to zaproxy...@googlegroups.com
Hi.

To spider as a user you need to call the method Spider.scanAsUser or
spider as usual but enable "Forced User" mode first.

There's an example, using the Java API client, on how to set up the
authentication [1] to later use in spider, active scanner...


P.S. Consider updating ZAP to 2.3.1 as it has some bugs fixed.

[1]
https://code.google.com/p/zaproxy/source/browse/trunk/src/org/zaproxy/clientapi/examples/AuthenticationApiExample.java

Best regards.
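Worked example added by the editor, not the AuthenticationApiExample thc202 links to and not ZAP project code. It shows the full sequence that precedes Spider.scanAsUser: create a context that includes the target, set form-based authentication on it, add a user with credentials, then spider as that user, with the "Forced User" alternative shown in comments. Assumptions: the 2.3-era Java client, whose action methods take the API key as the first argument; ZAP on localhost:8023; a constructed target whose login form posts "username" and "password" to /login; the logged-in indicator regex is also constructed.

```java
import java.net.URLEncoder;

import org.zaproxy.clientapi.core.ApiResponse;
import org.zaproxy.clientapi.core.ApiResponseElement;
import org.zaproxy.clientapi.core.ClientApi;
import org.zaproxy.clientapi.gen.Authentication;
import org.zaproxy.clientapi.gen.Context;
import org.zaproxy.clientapi.gen.ForcedUser;
import org.zaproxy.clientapi.gen.Spider;
import org.zaproxy.clientapi.gen.Users;

public class SpiderAsUser {
    private static final String API_KEY = "CHANGE-ME";         // placeholder: your ZAP API key
    private static final String TARGET = "http://app.example"; // constructed target
    private static final String LOGIN_URL = TARGET + "/login";
    private static final String CONTEXT_NAME = "app";

    // Actions such as newContext/newUser answer with a single element holding the new id.
    static String value(ApiResponse response) {
        return ((ApiResponseElement) response).getValue();
    }

    public static void main(String[] args) throws Exception {
        ClientApi api = new ClientApi("localhost", 8023);

        // 1. A context covering the target; the authentication method and users belong to it.
        Context context = new Context(api);
        String contextId = value(context.newContext(API_KEY, CONTEXT_NAME));
        context.includeInContext(API_KEY, CONTEXT_NAME, TARGET + ".*");

        // 2. Form-based authentication for that context (same config format as the first post).
        String authConfig = "loginUrl=" + URLEncoder.encode(LOGIN_URL, "UTF-8")
                + "&loginRequestData="
                + URLEncoder.encode("username={%username%}&password={%password%}", "UTF-8");
        Authentication auth = new Authentication(api);
        auth.setAuthenticationMethod(API_KEY, contextId, "formBasedAuthentication", authConfig);
        // Regex matched against responses so ZAP can tell whether the session is still logged in
        // (constructed: a "Logout" link only an authenticated page shows).
        auth.setLoggedInIndicator(API_KEY, contextId, "\\QLogout\\E");

        // 3. A user carrying the credentials the login form needs.
        Users users = new Users(api);
        String userId = value(users.newUser(API_KEY, contextId, "tester"));
        users.setAuthenticationCredentials(API_KEY, contextId, userId,
                "username=tester&password=" + URLEncoder.encode("s3cret", "UTF-8"));
        users.setUserEnabled(API_KEY, contextId, userId, "true");

        // 4a. Spider as that user: ZAP performs the login itself whenever the session is not authenticated.
        Spider spider = new Spider(api);
        spider.scanAsUser(API_KEY, LOGIN_URL, contextId, userId);

        // 4b. The alternative thc202 mentions: force the user for all traffic, then spider as usual.
        //     ForcedUser forced = new ForcedUser(api);
        //     forced.setForcedUser(API_KEY, contextId, userId);
        //     forced.setForcedUserModeEnabled(API_KEY, true);
        //     spider.scan(API_KEY, LOGIN_URL);

        while (!spider.status().toString(0).contains("100")) {
            Thread.sleep(1000);
        }
        System.out.println("Spider finished as user " + userId + " in context " + contextId);
    }
}
```

The logged-in indicator is what makes re-authentication work: without it ZAP cannot detect an expired session and will keep spidering unauthenticated pages, which is the symptom reported in the first post.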

Stephen de Vries

Jan 12, 2015, 8:57:19 AM1/12/15
to zaproxy...@googlegroups.com

> On 12 Jan 2015, at 12:26, zapro...@gmail.com wrote:
>
> We tried the selenium approach weeks ago and abandoned it because it wasn't working for us - In code we used webdriver to login to the site and then kick off the spider. Still, pages that required authentication didn't show up. We cannot pass the authenticated session over to ZAP.

…and you configured webdriver to use ZAP as a proxy while doing the login? This must work, because it’s how the spidering and scanning work if you just use an actual browser instead of webdriver.

> Do you mean that if instead of just logging in using selenium we need to navigate through the whole site before getting ZAP to spider it?

You don’t have to, but you can. Depends on how complex your site is, but many of the sites I test have forms that only accept very specific data, and if you don’t submit that form then you don’t get to see the next page in the workflow. Webdriver is very useful for those types of sites.

> What about ZAP's authenticated session?

I’ve not used ZAP’s integrated login feature, so can’t comment.


regards,
Stephen

zapro...@gmail.com

Jan 12, 2015, 10:28:51 AM1/12/15
to zaproxy...@googlegroups.com

Hi thc202.

I tried to set up the code in Eclipse but I get the following error:

Exception in thread "main" org.zaproxy.clientapi.core.ClientApiException: Invalid or missing API key (bad_api_key)
    at org.zaproxy.clientapi.core.ApiResponseFactory.getResponse(Unknown Source)
    at org.zaproxy.clientapi.core.ClientApi.callApi(Unknown Source)
    at org.zaproxy.clientapi.gen.Authentication.setAuthenticationMethod(Unknown Source)
    at AuthenticationApiExample.setFormBasedAuthenticationForBodgeit(AuthenticationApiExample.java:123)


This is causing the error - authApi.setAuthenticationMethod(null, contextId, "formBasedAuthentication", formBasedConfig.toString());

I checked the API which indicates this function only takes 3 parameters and not 4-
setAuthenticationMethod(String contextid, String authmethodname, String authmethodconfigparams) - 

As you can see above, the code that's throwing my error is taking 4 parameters, not 3. And where can I give the code with my API key? I'm probably missing something obvious!

Thanks & Regards.

zapro...@gmail.com

Jan 12, 2015, 10:31:35 AM1/12/15
to zaproxy...@googlegroups.com
Hi stephendv.

"and you configured webdriver to use ZAP as a proxy while doing the login?" <--- We have not done this. I did a quick search for some sample code to do this but found nothing useful. Would you have anything in Python or Java (preferably both) for this?

Thanks & Regards.

Stephen de Vries

Jan 12, 2015, 10:33:30 AM1/12/15
to zaproxy...@googlegroups.com

> On 12 Jan 2015, at 16:31, zapro...@gmail.com wrote:
>
> "and you configured webdriver to use ZAP as a proxy while doing the login?" <--- We have not done this. I did a quick search for some sample code to do this but found nothing useful. Would you have anything in Python or Java (preferably both) for this?

Yes, I have a whole project with this already set up on the github link I posted earlier. (I’ll send you a zip of the project directly to your mail if you can’t access github)

zapro...@gmail.com

Jan 12, 2015, 10:40:31 AM1/12/15
to zaproxy...@googlegroups.com
Thanks a million for taking the trouble to do that for us!

It's appreciated!

thc...@gmail.com

Jan 13, 2015, 5:31:33 AM1/13/15
to zaproxy...@googlegroups.com
Hi.

The signatures of the methods for API actions were changed to allow
sending the API key (which is now the first argument of those methods).

Just replace the first argument with your API key and the action should
be accepted.

Best regards.