Python / Authentication / Wordpress Authentication Script


Cosmin Stefan-Dobrin

May 17, 2014, 11:47:32 AM5/17/14
to zaproxy...@googlegroups.com, zaproxy...@googlegroups.com
Hi,

A while back I worked on an Authentication Script for Wordpress websites. I needed this because there was a major issue introduced by the weird/stupid way in which session cookies are handled by Wordpress:
  • The path they set on the session cookies is illegal according to the standard. Web browsers ignore this and use the cookies anyway, but the Apache Commons HttpClient used in ZAP really cares about this (probably the only one that does) and simply ignores the "invalid" cookies [0], [1].

The only "hacky" way that I managed to make it work was to create an Authentication Script that sends the authentication request and then manually force-adds the "invalid" cookies to the HttpState anyway.

I've attached the script. To use it, you need to:

  1. Import the script in ZAP via the Script Console (you need the Python scripting add-on, as this script is written in Python)
  2. Set the Authentication method to Script-Based and load the script
  3. Set the following parameters:
    • Domain: The domain (without protocol). E.g.: example.com
    • Path: The path, with a '/' at the end, in which the app is found. E.g.: /wp/
    • The parameters must be chosen such that "http://" + domain + path + "wp-login.php" is the URI of the login page
  4. Set the Logged In indicator as you did before: \Qwp-login.php?action=logout\E
  5. Create the admin user normally
  6. Enable Forced Mode via the UI toolbar button
  7. Navigate to: http://example.org/wp/wp-admin (or whatever the URI is)

I'll also try to convert this to Javascript and include it as a core template/example.

[0] - http://stackoverflow.com/questions/4291241/java-htmlunit-cant-login-to-wordpress
[1] - http://stackoverflow.com/questions/874903/how-can-i-force-javas-httpclient-to-accept-invalid-cookies

Hope it helps. Cheers,
Cosmin
Wordpress Authentication.py
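The attached script is not reproduced in the thread, so the following is an added, stand-alone illustration of the cookie problem the post describes and of what "force-adding" a cookie means; it is not the author's script and does not touch ZAP. Python's standard-library `http.cookiejar` stands in for Apache Commons HttpClient: its `DefaultCookiePolicy(strict_ns_set_path=True)` applies the same rule a strict client applies, namely that a cookie's `Path` must be a prefix of the request path or the cookie is dropped. The domain, URLs, cookie names and `Set-Cookie` headers are all constructed for the example (the `/wp/` layout follows the post's own convention); the second header carries a `Path` that is not a prefix of `/wp/wp-login.php`, which is the shape of the "invalid" cookie the post works around.

```python
"""Constructed example: a strict cookie policy rejects a cookie whose Path is not
a prefix of the request path; a force-added cookie bypasses that policy, as the
thread's authentication script does against HttpClient's HttpState."""
import http.cookiejar
import urllib.request
from email.message import Message

# Constructed login URL in the post's "http://" + domain + path + "wp-login.php" shape.
LOGIN_URL = "http://example.com/wp/wp-login.php"

# Constructed Set-Cookie headers. The first is scoped to /wp/ (a prefix of the
# request path) and is accepted everywhere. The second is scoped to /wp/wp-admin,
# which is NOT a prefix of /wp/wp-login.php, so a strict client drops it.
SET_COOKIE_HEADERS = [
    "example_session=abc123; path=/wp/; HttpOnly",
    "example_admin=def456; path=/wp/wp-admin; HttpOnly",
]


class _FakeResponse:
    """Minimal stand-in exposing the info() method CookieJar.extract_cookies reads."""

    def __init__(self, set_cookie_headers):
        self._headers = Message()
        for header in set_cookie_headers:
            self._headers["Set-Cookie"] = header  # repeated assignment appends

    def info(self):
        return self._headers


def accepted_cookies(strict_path):
    """Names of the cookies a jar keeps from the login response under the given policy."""
    policy = http.cookiejar.DefaultCookiePolicy(strict_ns_set_path=strict_path)
    jar = http.cookiejar.CookieJar(policy)
    request = urllib.request.Request(LOGIN_URL)
    jar.extract_cookies(_FakeResponse(SET_COOKIE_HEADERS), request)
    return sorted(cookie.name for cookie in jar)


def force_add(jar, name, value, domain, path):
    """The workaround: construct the cookie by hand and put it in the jar directly.
    CookieJar.set_cookie does not consult the policy, just as adding a Cookie to
    HttpClient's HttpState bypasses its cookie-spec validation."""
    cookie = http.cookiejar.Cookie(
        version=0, name=name, value=value, port=None, port_specified=False,
        domain=domain, domain_specified=True, domain_initial_dot=False,
        path=path, path_specified=True, secure=False, expires=None,
        discard=True, comment=None, comment_url=None, rest={}, rfc2109=False)
    jar.set_cookie(cookie)
    return sorted(c.name for c in jar)


def cookies_sent_to(jar, url):
    """Names of the cookies the jar would attach to a request for url."""
    request = urllib.request.Request(url)
    jar.add_cookie_header(request)
    header = request.get_header("Cookie", "")
    return sorted(part.split("=", 1)[0].strip() for part in header.split(";") if part.strip())


def strict_jar_with_workaround():
    """Run the whole scenario against a strict jar.
    Returns (kept_by_policy, after_force_add, sent_to_admin_page)."""
    policy = http.cookiejar.DefaultCookiePolicy(strict_ns_set_path=True)
    jar = http.cookiejar.CookieJar(policy)
    jar.extract_cookies(_FakeResponse(SET_COOKIE_HEADERS), urllib.request.Request(LOGIN_URL))
    kept = sorted(c.name for c in jar)                       # only example_session survives
    after = force_add(jar, "example_admin", "def456", "example.com", "/wp/wp-admin")
    sent = cookies_sent_to(jar, "http://example.com/wp/wp-admin/")  # both now go out
    return kept, after, sent


if __name__ == "__main__":
    print("strict policy keeps:", accepted_cookies(strict_path=True))
    print("lenient policy keeps:", accepted_cookies(strict_path=False))
    print("strict jar + force-add:", strict_jar_with_workaround())
```

Running it shows the strict jar keeping only `example_session` while the lenient one keeps both, and that after `force_add` the strict jar sends both cookies to `/wp/wp-admin/`. The design point for a defender reading the thread is that the workaround does not relax the client's cookie validation globally; it adds one known cookie after the login response has been validated, which keeps the rest of the policy intact.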

psiinon

May 19, 2014, 5:22:40 AM5/19/14
to zaproxy...@googlegroups.com, zaproxy...@googlegroups.com
Nice one!