Script Based Authentication - Does not follow Authentication script interface


Tamilselvi Jumbu

Nov 17, 2017, 5:26:13 AM
to ZAP Jenkins Plugin
I am trying to integrate Script Based Authentication in Jenkins. Following are the settings I have made in Jenkins:



This is the basic script I have used (since I was facing the "Does not follow Authentication script interface" issue, I thought of checking with a basic script developed from the default template.js provided in ZAP).
Even with this script I am facing the same issue: "Does not follow Authentication script interface".



23:28:37 134331 [ZAP-ProxyThread-44] INFO org.zaproxy.zap.authentication.ScriptBasedAuthenticationMethodType  - Loaded script for API:DefaultScript.js
23:28:37 134331 [ZAP-ProxyThread-44] ERROR org.zaproxy.zap.authentication.ScriptBasedAuthenticationMethodType  - Unable to load Script Based Authentication method. The script DefaultScript.js does not properly implement the Authentication Script interface.
23:28:37 134331 [ZAP-ProxyThread-44] WARN org.zaproxy.zap.extension.api.API  - ApiException while handling API request:
23:28:37 An error has occurred when loading the provided script (bad_script_format) : Does not follow Authentication script interface
23:28:37  at org.zaproxy.zap.authentication.ScriptBasedAuthenticationMethodType$1.handleAction(Unknown Source)
23:28:37  at org.zaproxy.zap.extension.authentication.AuthenticationAPI.handleApiAction(Unknown Source)
23:28:37  at org.zaproxy.zap.extension.api.API.handleApiRequest(Unknown Source)
23:28:37  at org.parosproxy.paros.core.proxy.ProxyThread.processHttp(Unknown Source)
23:28:37  at org.parosproxy.paros.core.proxy.ProxyThread.run(Unknown Source)
23:28:37  at java.lang.Thread.run(Thread.java:748)
23:28:37 ERROR: org.zaproxy.clientapi.core.ClientApiException: An error has occurred when loading the provided script
23:28:37  at org.zaproxy.clientapi.core.ApiResponseFactory.getResponse(ApiResponseFactory.java:32)
23:28:37  at org.zaproxy.clientapi.core.ClientApi.callApi(ClientApi.java:312)
23:28:37  at org.zaproxy.clientapi.gen.Authentication.setAuthenticationMethod(Authentication.java:78)
23:28:37  at org.jenkinsci.plugins.zap.ZAPDriver.setUpScriptBasedAuth(ZAPDriver.java:1526)
23:28:37  at org.jenkinsci.plugins.zap.ZAPDriver.setUpAuthentication(ZAPDriver.java:1715)
23:28:37  at org.jenkinsci.plugins.zap.ZAPDriver.executeZAP(ZAPDriver.java:1184)
23:28:37  at org.jenkinsci.plugins.zap.ZAPBuilder$ZAPDriverCallable.invoke(ZAPBuilder.java:448)
23:28:37  at org.jenkinsci.plugins.zap.ZAPBuilder$ZAPDriverCallable.invoke(ZAPBuilder.java:436)
23:28:37  at hudson.FilePath.act(FilePath.java:998)
23:28:37  at hudson.FilePath.act(FilePath.java:976)
23:28:37  at org.jenkinsci.plugins.zap.ZAPBuilder.perform(ZAPBuilder.java:292)
23:28:37  at hudson.tasks.BuildStepMonitor$1.perform(BuildStepMonitor.java:20)
23:28:37  at hudson.model.AbstractBuild$AbstractBuildExecution.perform(AbstractBuild.java:735)



thc...@gmail.com

Nov 17, 2017, 5:55:32 AM
to zaproxy...@googlegroups.com
Hi.

Which version of ZAP and Jenkins plugin are you using?


Are you sure that's the script being loaded? (Maybe the Jenkins plugin is using
another ZAP home than the one the modified script is in?)

Best regards.

On 17/11/17 10:26, Tamilselvi Jumbu wrote:
> Am trying to integrate Script Based Authentication in Jenkins, Following is
> the setting what I have made in Jenkins
>
>
>
> This is the basic script what I have used for (since I was facing "Does not
> follow Authentication script interface" issue, so I thought of checking for
> basic script developed based on default template.js template provided in
> ZAP)
> Even using this script am facing the same issue "Does not follow
> Authentication script interface".
>
>
>

Tamilselvi Jumbu

Nov 17, 2017, 6:09:02 AM
to ZAP Jenkins Plugin

Hi,

> Which version of ZAP and Jenkins plugin are you using?

ZAP version - ZAP 2.6.0
Official OWASP ZAP Jenkins plugin - 1.1.0

> You sure that's the script being loaded? (Maybe Jenkins plugin is using
> other ZAP home than the one that the script being modified is in?)

I am getting the script name loaded in the "Script" dropdown in Jenkins. I also tried some other scripts from the same directory. They are picked up but not loaded.

thc...@gmail.com

Nov 17, 2017, 7:05:53 AM
to zaproxy...@googlegroups.com
Are the scripts being correctly loaded when using ZAP directly?

I'd suggest using a weekly release [1] to verify the ZAP home actually
used (it's logged/outputted when ZAP is started), just to make sure.


[1] https://github.com/zaproxy/zaproxy/wiki/Downloads#zap-weekly

Best regards.

Tamilselvi Jumbu

Nov 20, 2017, 7:05:29 AM
to ZAP Jenkins Plugin
Hi,

Sorry for the delay in reverting back.

Yes, in the ZAP UI the scripts are loaded properly (using both the weekly release and ZAP 2.6.0). I have verified the execution of the script: whenever authentication is required I can see the authentication script being executed, through the Script Console in the ZAP UI. But in Jenkins I am not able to load the same script.

JordanGS

Nov 20, 2017, 4:51:37 PM
to ZAP Jenkins Plugin
Can you attach the script, even if it doesn't work, with a random URL? I should be able to validate whether it's being recognized on my end or not.

Tamilselvi Jumbu

Nov 21, 2017, 12:18:21 AM
to ZAP Jenkins Plugin
Hi,

Please find the scripts attached.

Attachment 1: OriginalScript: this is the script I am expecting to work in Jenkins.
Attachment 2: DefaultScript: since I was facing an issue in attaching OriginalScript, I thought of checking with this test script.

Please note: I was able to successfully trigger these scripts in the ZAP UI, and in the Script Console I could see the relevant authenticated messages.

Tamilselvi Jumbu

Nov 21, 2017, 12:23:12 AM
to ZAP Jenkins Plugin

Hi,

I am not able to attach the scripts here, so I am pasting them below.


1) OriginalScript.js

// The following handles differences in printing between Java 7's Rhino JS engine
// and Java 8's Nashorn JS engine
if (typeof println == 'undefined') this.println = print;

// Java classes used explicitly by the script (Nashorn). On the Rhino engine these
// would be imported with importClass(...) instead of Java.type(...).
var HttpRequestHeader = Java.type('org.parosproxy.paros.network.HttpRequestHeader');
var HttpHeader = Java.type('org.parosproxy.paros.network.HttpHeader');
var URI = Java.type('org.apache.commons.httpclient.URI');

// This authentication script can be used to authenticate in a web application via forms.
// The submit target for the form, the name of the username field, the name of the password field
// and, optionally, any extra POST data fields need to be specified after loading the script.
// The username and the password need to be configured when creating any Users. (The Password
// credential is declared but not used by this script: the password is recovered from a
// password store in getPassword() below.)

// The authenticate function is called whenever ZAP requires to authenticate, for a Context for which this script
// was selected as the Authentication Method. The function should send any messages that are required to do the authentication
// and should return a message with an authenticated response to the calling method.
//
// NOTE: Any message sent in the function should be obtained using the 'helper.prepareMessage()' method.
//
// Parameters:
// helper - a helper class providing useful methods: prepareMessage(), sendAndReceive(msg)
// paramsValues - the values of the parameters configured in the Session Properties -> Authentication panel.
// The paramsValues is a map, having as keys the parameters names (as returned by the getRequiredParamsNames()
// and getOptionalParamsNames() functions below)
// credentials - an object containing the credentials values, as configured in the Session Properties -> Users panel.
// The credential values can be obtained via calls to the getParam(paramName) method. The param names are the ones
// returned by the getCredentialsParamsNames() below

function authenticate(helper, paramsValues, credentials) {
    println("Authenticating via JavaScript script...");

    // Prepare the login request details. Locals are declared with 'var' so that the
    // helper functions below cannot overwrite them through shared globals (in the
    // original, getPassword() replaced requestUri before the login POST was built).
    var requestUri = new URI(paramsValues.get("TargetURL"), false);
    var requestMethod = HttpRequestHeader.POST;

    // Obtain the password: first an access token from the target URL, then the
    // password from the password store using that token.
    var accessToken = getAccessToken(helper, requestUri);
    var password = getPassword(helper, accessToken, credentials);

    // Build the request body using the credentials values
    var extraPostData = paramsValues.get("ExtraPOSTData");
    var requestBody = paramsValues.get("Usernamefield") + "=" + encodeURIComponent(credentials.getParam("Username"));
    requestBody += "&" + paramsValues.get("Passwordfield") + "=" + encodeURIComponent(password);
    if (extraPostData.trim().length() > 0) {
        requestBody += "&" + extraPostData.trim();
    }

    // Build the actual message to be sent.
    // Note: the body includes the recovered password, so this line writes it to the Script Console output.
    println("Sending " + requestMethod + " request to " + requestUri + " with body: " + requestBody);
    var msg = helper.prepareMessage();
    msg.setRequestHeader(new HttpRequestHeader(requestMethod, requestUri, HttpHeader.HTTP10));
    msg.setRequestBody(requestBody);
    println("msg " + msg);

    // Send the authentication message and return it
    helper.sendAndReceive(msg);
    println("Received response status code: " + msg.getResponseHeader().getStatusCode());
    println("msg response " + msg.getResponseHeader());
    return msg;
}

// Fetches the access token with a GET to the target URL. The token is the text between
// the first and the last ';' in the response body.
function getAccessToken(helper, tokenUri) {
    var msg = helper.prepareMessage();
    msg.setRequestHeader(new HttpRequestHeader(HttpRequestHeader.GET, tokenUri, HttpHeader.HTTP10));
    helper.sendAndReceive(msg);

    var response = msg.getResponseBody().toString();
    response = response.substring(response.indexOf(";") + 1, response.lastIndexOf(";"));
    println("getAccessToken Response = " + response);
    return response;
}

// Recovers the user's password from the password store using the access token. The password
// is the text between the first '=' and the last ';' in the response body (and is printed
// to the Script Console by the println below).
function getPassword(helper, accessToken, credentials) {
    var requestUri = new URI("https://xxx.yyyy.com/yyyy/clientAgentRequests.asp?Command=GetPasswordFromStore&AuthenticationToken=" + accessToken + "&SystemName=stg.internal&Namespace=STG&AccountName=" + encodeURIComponent(credentials.getParam("Username")) + "&Comment=APIRecoveryComment", false);

    var msg = helper.prepareMessage();
    msg.setRequestHeader(new HttpRequestHeader(HttpRequestHeader.GET, requestUri, HttpHeader.HTTP10));
    helper.sendAndReceive(msg);

    var response = msg.getResponseBody().toString();
    response = response.substring(response.indexOf("=") + 1, response.lastIndexOf(";"));
    println("getPassword Response = " + response);
    return response;
}

// This function is called during the script loading to obtain a list of the names of the required configuration parameters,
// that will be shown in the Session Properties -> Authentication panel for configuration. They can be used
// to input dynamic data into the script, from the user interface (e.g. a login URL, name of POST parameters etc.)
function getRequiredParamsNames() {
    return ["TargetURL", "Usernamefield", "Passwordfield"];
}

// This function is called during the script loading to obtain a list of the names of the optional configuration parameters,
// that will be shown in the Session Properties -> Authentication panel for configuration. They can be used
// to input dynamic data into the script, from the user interface (e.g. a login URL, name of POST parameters etc.)
function getOptionalParamsNames() {
    return ["ExtraPOSTData"];
}

// This function is called during the script loading to obtain a list of the names of the parameters that are required,
// as credentials, for each User configured corresponding to an Authentication using this script
function getCredentialsParamsNames() {
    return ["Username", "Password"];
}


2) DefaultScript.js

if (typeof println == 'undefined') this.println = print;
println("script");
function authenticate(helper, paramsValues, credentials) {
    println("inside auth00");
    var msg = helper.prepareMessage();
    return msg;
}
function getRequiredParamsNames() {
    println("inside auth10");
    return ["TargetURL", "Usernamefield", "Passwordfield"];
}
function getOptionalParamsNames() {
    println("inside auth20");
    return ["ExtraPOSTData"];
}
function getCredentialsParamsNames() {
    println("inside auth30");
    return ["Username", "Password"];
}