Set Cookie with ZAP python API


Abhay Bhargav

Dec 2, 2015, 4:19:00 AM
to OWASP ZAP Developer Group, Abhay Bhargav
Hi

I am attempting to perform an authenticated spider + scan in ZAP, using the Python API. I tried the authentication mode, in vain (didn't work). Now, I am attempting to use Python's requests library to fetch the authenticated cookie and use that cookie for scanning using ZAP's httpsessions object. However, I find that while the tokens are set, they are not used for the spidering and scanning process. Any help would be greatly appreciated!

My code is as follows:

from zapv2 import ZAPv2
import time
from pprint import pprint
import requests

apikey = 'somekey'                    # ZAP API key (Tools > Options > API)
target = 'https://www.testsite.com'   # site ZAP tracks the HTTP session under


# requests login session (note: this request is NOT proxied through ZAP):

login_req = requests.Session()

header_str = {'Accept': 'text/json', 'Referer': 'https://www.testsite.com/signin', 'X-Requested-With': 'XMLHttpRequest', 'X-Prototype-Version': '1.6.0_rc0', 'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:42.0) Gecko/20100101 Firefox/42.0'}

data_str = {'email': 'user...@user.com', 'password': 'mypassword', 'persistent_login': 't', "service": "", "caller": "homepage", "source": "ui", "action_type": "", "trip_ref": ""}

post = login_req.post('https://www.testsite.com/externalapi/signin', data=data_str, headers=header_str)
post.raise_for_status()   # fail early if the login itself was rejected

cookies = login_req.cookies.get_dict()


# The 2015 client takes the API key on every call; newer clients take it
# once in the constructor (ZAPv2(apikey=...)) and drop the per-call parameter.
zap = ZAPv2()   # defaults to a ZAP instance listening on localhost:8080

# Create an empty ZAP HTTP session for the site, name it and make it active
zap.httpsessions.create_empty_session(target, apikey=apikey)
zap.httpsessions.rename_session(target, 'Session 0', 'abhayb...@gmail.com', apikey=apikey)
zap.httpsessions.set_active_session(target, 'abhayb...@gmail.com', apikey=apikey)

# Copy each login cookie into the ZAP session. add_session_token takes only
# the token NAME; the value is set on the named session separately.
for key, value in cookies.items():
    zap.httpsessions.add_session_token(target, key, apikey=apikey)
    zap.httpsessions.set_session_token_value(target, 'abhayb...@gmail.com', key, value, apikey=apikey)


for token in zap.httpsessions.session_tokens(target):
    print(token)

scan_id = zap.spider.scan(target, apikey=apikey)

time.sleep(2)

while int(zap.spider.status(scan_id)) < 100:
    print('Spider Progress: ' + zap.spider.status(scan_id) + '%')
    time.sleep(1)

pprint(zap.spider.results(scan_id))

print('Spider Completed....')

psiinon

Dec 2, 2015, 10:18:47 AM
to OWASP ZAP Developer Group, ab...@we45.com
Ok, I'm no Python expert, but I'll try to explain how I think you should be doing this and then you can see if you need to change your code ;)

I think you should be:
  1. Authenticating to your app (as now) but proxying through ZAP (this is important)
  2. Checking that ZAP has detected the session, then renaming it (if you want to)
  3. Set that as the active session
  4. Start spidering, active scanning etc

I don't think manually changing a new ZAP session is likely to work.


Does that help?

Let us know how you get on.


Cheers,


Simon

Abhay Bhargav

Dec 2, 2015, 12:09:22 PM
to OWASP ZAP Developer Group, ab...@we45.com
@psiinon - I have successfully proxied the initial authentication request through ZAP and that's working, but the spider still does not work in authenticated mode. 

Which of the functions (in httpsessions) should I use to set the current session as the valid session? 

I think if I crack that problem, I would have sorted this out. 

Thanks

psiinon

Dec 2, 2015, 12:16:42 PM
to OWASP ZAP Developer Group, ab...@we45.com
I _think_ you should just need:

zap.httpsessions.rename_session(target, 'Session 0', 'abhayb...@gmail.com',apikey='somekey')
zap.httpsessions.set_active_session(target, 'abhayb...@gmail.com', apikey='somekey')

You don't actually _need_ the rename, but it also shouldn't hurt if you use the right name everywhere.
I'd check that there is one (and only one) session after doing your proxied authentication.
And don't create a new httpsession.

Let us know if that works!

Simon

Abhay Bhargav

Dec 2, 2015, 9:23:35 PM
to OWASP ZAP Developer Group, ab...@we45.com
@psiinon

Unfortunately, still doesn't work. It still spiders without the session token, even though the authentication request is clearly successful and shows up in ZAP as well. However, in subsequent requests, it doesn't work.

Stephen de Vries

Dec 3, 2015, 1:26:33 AM
to zaproxy...@googlegroups.com, ab...@we45.com

I would troubleshoot this without the API first:  Do exactly the same steps manually using a browser and the ZAP GUI, see if it works.  Check that the HTTP traffic is identical to what you’re seeing when you use the API.  If it’s not identical, then what’s different and why?

Once it’s working manually, then continue to use a real browser proxied through ZAP and use your python script to control ZAP, e.g. put a readline or delay in your script to give you time to perform the browser actions manually.  

Once that's working, then swap out whatever you are doing with the browser with Python's HTTP library. Personally I prefer using actual automated browsers rather than raw HTTP requests, e.g. webdriver or similar, as it's getting more and more difficult to simulate traffic without a proper HTML/JS renderer.


regards,
Stephen

--
You received this message because you are subscribed to the Google Groups "OWASP ZAP Developer Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to zaproxy-devel...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

psiinon

Dec 3, 2015, 7:23:42 AM
to OWASP ZAP Developer Group, ab...@we45.com
Very good advice.
We should put this in a FAQ ;)

Abhay Bhargav

Dec 3, 2015, 8:43:03 AM
to OWASP ZAP Developer Group, ab...@we45.com
Dear Stephen 

Thanks a lot for the advice. Let me give it a shot and get back to you. I toyed with the idea of using selenium, but I thought this would be lighter. Nevertheless, I agree with you. Lemme give it a go. 

Abhay Bhargav

Dec 3, 2015, 11:39:58 AM
to OWASP ZAP Developer Group, ab...@we45.com
@psiinon and Stephen

The advice worked really well! Thanks :)
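The recipe psiinon gives above (authenticate through the ZAP proxy, confirm ZAP has detected one and only one session, make it the active session, then spider), with Stephen's "check the session count" step made explicit, as one script. This is an added example, not the original poster's code or the ZAP project's own: the ZAP listen address, the target host, the login endpoint and the shape assumed for the httpsessions.sessions() response ({'session': [name, tokens, message_count]}) are assumptions, and it assumes a current python-owasp-zap-v2.4 client that takes the API key in the ZAPv2 constructor rather than on every call. Because ZAP terminates TLS for proxied HTTPS, the requests session must trust ZAP's exported root CA (or, on a disposable test box, skip verification); otherwise the login request fails before ZAP ever sees a Set-Cookie.

```python
"""Authenticated spider via ZAP: log in THROUGH the proxy so ZAP sees the
Set-Cookie, verify exactly one HTTP session was detected, activate it, spider.
Added example; hostnames, endpoint and credentials below are placeholders."""
import time

ZAP_PROXY = "http://127.0.0.1:8080"       # assumed ZAP proxy address
TARGET = "https://www.testsite.com"        # placeholder target from the thread


def proxied_requests_session(zap_proxy=ZAP_PROXY, zap_ca_bundle=None):
    """Return a requests.Session whose HTTP(S) traffic goes through ZAP.

    ZAP re-signs TLS with its own root CA, so pass the exported ZAP CA file
    as zap_ca_bundle; with none given verification is disabled (test-only).
    requests is imported here so the helpers below run without it installed.
    """
    import requests
    s = requests.Session()
    s.proxies = {"http": zap_proxy, "https": zap_proxy}
    s.verify = zap_ca_bundle if zap_ca_bundle else False
    return s


def session_names(sessions_response):
    """Names from zap.httpsessions.sessions(site).

    Assumed shape per entry (ZAP 2.x API through the python client):
    {'session': [name, {token: value, ...}, message_count]}.
    A bare name string is also accepted.
    """
    names = []
    for entry in sessions_response or []:
        if isinstance(entry, dict) and "session" in entry:
            names.append(entry["session"][0])
        elif isinstance(entry, str):
            names.append(entry)
    return names


def select_single_session(zap, site):
    """Name of the one session ZAP holds for site; raise otherwise.

    Zero sessions: the login did not go through ZAP, or ZAP does not treat
    any of the cookies as a session token.  More than one: a stale session
    from an earlier run is still present; start ZAP with a fresh session.
    """
    names = session_names(zap.httpsessions.sessions(site))
    if len(names) != 1:
        raise RuntimeError("expected exactly one ZAP http session for %s, got %r"
                           % (site, names))
    return names[0]


def spider_as(zap, site, login, poll_seconds=1.0):
    """Run login() (which must use a proxied session), activate the detected
    ZAP session and spider site.  Returns (session_name, spider_scan_id)."""
    login()
    name = select_single_session(zap, site)
    zap.httpsessions.set_active_session(site, name)
    scan_id = zap.spider.scan(site)
    while int(zap.spider.status(scan_id)) < 100:
        time.sleep(poll_seconds)
    return name, scan_id


if __name__ == "__main__":
    from zapv2 import ZAPv2
    zap = ZAPv2(apikey="somekey",
                proxies={"http": ZAP_PROXY, "https": ZAP_PROXY})
    http = proxied_requests_session()   # or proxied_requests_session(zap_ca_bundle="zap_root_ca.pem")

    def login():
        # Same endpoint and form fields as the thread; credentials are placeholders.
        r = http.post(TARGET + "/externalapi/signin",
                      data={"email": "user...@user.com", "password": "mypassword",
                            "persistent_login": "t"},
                      headers={"X-Requested-With": "XMLHttpRequest"})
        r.raise_for_status()

    name, scan_id = spider_as(zap, TARGET, login)
    print("spidered as ZAP session %r (scan %s), active session now: %s"
          % (name, scan_id, zap.httpsessions.active_session(TARGET)))
```

The `site` argument to the httpsessions calls must be the identifier ZAP itself uses for the site; older 2.x releases expected `host:port` (e.g. `www.testsite.com:443`) while newer ones also accept the URL, so if `sessions()` comes back empty after a login that is visible in the History tab, try the other form before suspecting the cookies.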

Van Trinh

Jul 16, 2018, 8:45:39 AM
to OWASP ZAP Developer Group
Hello Abhay,

It's almost 2 years after your posting the issue, but unfortunately, I'm running into the same one and cannot find a way to resolve it. 
My problem is slightly different from yours where the authentication on my site is via OAuth. For testing, I used API GUI to set session tokens (equivalent to your Python API) but it didn't seem to pick up the session token for use during spider run. 

Any help would be much appreciated.

Thanks,
Van