ZAP - Flag as Context Query (Re-post)


Praveen Kanniah

Dec 8, 2015, 3:33:07 PM
to OWASP ZAP Developer Group
Hello,

1. For ZAP QA automation, I'm trying the following:

Setting Context and Authentication method through API calls
I'm able to include URLs in the Context
I'm able to set Authentication Method to Form-based

But I don't find an option to set "Flag as Context"? I only find Logged In Indicator and Logged Out Indicator. Does that mean ZAP will find the request based on those?
And then set the username and password through the Users API?


2. For the Sequence add-on, are there API calls that can be made? The context here is that I'm trying to create a 100% automated environment running my QA test cases and then the ZAP scan on top of it.

3. In a scenario while running QA test cases, every time the flow is authenticated prior to running a new test case, there are multiple sessions that are created. Is there a rule or best approach as to which session to select as "Flag as Context for Authentication"?

Thanks,
Prav

psiinon

Dec 10, 2015, 2:10:20 PM
to OWASP ZAP Developer Group
Flag as Context what? ;)
Have a look at this FAQ and let us know if it doesn't help: https://github.com/zaproxy/zaproxy/wiki/FAQformauth
You may find it easier to set up the Context via the UI, export it and then import it via the API when needed :)

I'm afraid the Sequence add-on doesn't have any API calls at the moment.
However you should be able to manage sequence scripts, so you might still be able to do what you want.
What kind of things do you need to do?

For authenticated scanning make sure that the authentication and users are set up right and then use the spider and ascan 'scanAsUser' calls.
I'd actually recommend running this via the UI first and manually checking that the requests are authenticated.
We need to provide better feedback to allow users to tell if authenticated scans look like they are working.

Cheers,

Simon

Praveen Kanniah

Dec 10, 2015, 2:44:19 PM
to OWASP ZAP Developer Group
Hi Simon,

Sorry if I confused you too much :)

Basically, I have a dynamic URL as my authentication URL, which is, I have a sessionid which is a URL param, and my parameters in the POST data are also dynamic; when I say dynamic POST I'm not just talking about a CSRF token but other parameters.

So the problem here is, I cannot use the Form-based Authentication via APIs since the URL and POST data are changing!
And I'm trying to automate this approach.

psiinon

Dec 14, 2015, 7:31:09 AM
to OWASP ZAP Developer Group
Hi Praveen,

In that case you'll need to use script based authentication: https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsAuthentication#script-based-authentication

Have a go at that and ask here if you have any problems setting it up.

Cheers,

Simon

thc...@gmail.com

Dec 14, 2015, 8:52:21 AM
to zaproxy...@googlegroups.com
There's an authentication script in issue 2093 [1] that might help doing that.
It should be straightforward to add more dynamic fields (and URL).


[1] https://github.com/zaproxy/zaproxy/issues/2093

Best regards.

Praveen Kanniah

Dec 14, 2015, 3:26:46 PM
to zaproxy...@googlegroups.com
Thank you Simon and Thc202! I will take a look at it right away!

1. My scenario is I have a login URL, which will in turn send back another dynamic URL.

LOGIN REQUEST 1:

RESPONSE DYNAMICPARAM=dynamic value

2. The dynamic URL will pick some info from the response of the previous Login URL and generate some client side info and send back a new request.

LOGIN REQUEST 2:

POST https://abc.com?&DYNAMICPARAM=value(from the previous response)
POST DATA: USERNAME=value, PASSWORD=value, POSTDATA1=value&POSTDATA2=value&POSTDATA3=value  (from the previous request), NEW POST DATA=clientsideinfo

4. In this case, do I need to modify this script or can I use it as is?


Praveen Kanniah

Dec 14, 2015, 8:06:53 PM
to OWASP ZAP Developer Group
And more importantly, it has cookies and header parameters to get a successful authentication. How do I provide them as well?

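An added example (not from this thread, not the script from issue 2093 and not ZAP's own code) of what a ZAP script-based authentication script for the two-step login above could look like, including the extra header asked about in the last message. It assumes the first response carries `DYNAMICPARAM=<value>` in its body, that the parameter names `LoginURL`, `PostURL` and `ExtraHeader` are placeholders you define in the Context, and that ZAP's ES5 script engine runs it; the two pure helpers at the top contain no ZAP objects so they can be checked outside ZAP.

```javascript
// Pure helpers (no ZAP objects): parsing/encoding logic testable outside ZAP.
function extractDynamicParam(body) {
    // Assumption: the first login response embeds DYNAMICPARAM=<token>.
    var m = /DYNAMICPARAM=([A-Za-z0-9_-]+)/.exec(body);
    return m ? m[1] : null;
}

function buildLoginBody(username, password, extra) {
    // URL-encode every value so credentials with '&' or '=' don't break the body.
    var parts = ["USERNAME=" + encodeURIComponent(username),
                 "PASSWORD=" + encodeURIComponent(password)];
    for (var k in extra) { parts.push(k + "=" + encodeURIComponent(extra[k])); }
    return parts.join("&");
}

// Entry point ZAP calls for each (re)authentication of a user in the Context.
function authenticate(helper, paramsValues, credentials) {
    var HttpRequestHeader = Java.type("org.parosproxy.paros.network.HttpRequestHeader");
    var HttpHeader = Java.type("org.parosproxy.paros.network.HttpHeader");
    var URI = Java.type("org.apache.commons.httpclient.URI");

    // Step 1: GET the static login URL; its response carries DYNAMICPARAM.
    var first = helper.prepareMessage();
    first.setRequestHeader(new HttpRequestHeader(HttpRequestHeader.GET,
        new URI(paramsValues.get("LoginURL"), false), HttpHeader.HTTP11));
    helper.sendAndReceive(first);
    var dyn = extractDynamicParam(first.getResponseBody().toString());
    if (dyn === null) { print("DYNAMICPARAM not found; check LoginURL"); return first; }

    // Step 2: POST credentials plus the dynamic values to the derived URL.
    var second = helper.prepareMessage();
    second.setRequestHeader(new HttpRequestHeader(HttpRequestHeader.POST,
        new URI(paramsValues.get("PostURL") + "?DYNAMICPARAM=" + dyn, false),
        HttpHeader.HTTP11));
    second.getRequestHeader().setHeader("Content-Type", "application/x-www-form-urlencoded");
    // Extra header the app requires (placeholder name); a Cookie header can be set the same way.
    second.getRequestHeader().setHeader("X-Requested-With", paramsValues.get("ExtraHeader"));
    second.setRequestBody(buildLoginBody(credentials.getParam("Username"),
        credentials.getParam("Password"), { POSTDATA1: dyn }));
    second.getRequestHeader().setContentLength(second.getRequestBody().length());
    helper.sendAndReceive(second);
    // ZAP checks the Logged In/Out indicators against the returned message.
    return second;
}

// Parameter names shown in the Context's authentication panel and the API.
function getRequiredParamsNames() { return ["LoginURL", "PostURL"]; }
function getOptionalParamsNames() { return ["ExtraHeader"]; }
function getCredentialsParamsNames() { return ["Username", "Password"]; }
```

Run an authenticated spider or active scan via the UI once and verify in the History tab that the second request carries the expected header and body before relying on it from the API.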

Ncoder

Dec 14, 2015, 11:13:22 PM
to OWASP ZAP Developer Group
Tried it and it works like a charm :)

All I'm stuck at is, when configuring it through the API, it has two params: one is the name of the script and the other is scriptConfigParams.
Do I append the scriptConfigParams one by one, or do I combine the inputs and provide them as one single string?