write/debug authentication script


dave zuul
Apr 28, 2021, 3:16:20 AM
to OWASP ZAP Developer Group
Hello all,

I'm still trying to write an OAuth2 authentication script with ZAP.
I first tried a Zest script to get the structure of all the needed requests/responses, but now I want to write it in another, more adaptable language.
So I began to create a new "Authentication Script" via the Scripts tab and called it from a context with the needed parameters. Then it is step-by-step work to test each request/response.
I can get it working, even if it is a little laborious, but I only find one way to call my script, and that's by invoking the spider on the context; it seems that this invokes the authentication script only once. If the spider is relaunched, my authentication script is not invoked again...

Do you have any advice to debug an authentication script?

thanks a lot

Dave

psiinon
Apr 28, 2021, 4:36:30 AM
to OWASP ZAP Developer Group
Have a look at https://www.zaproxy.org/faq/how-can-zap-automatically-authenticate-via-forms/, especially the "Diagnosing Problems" section - this really applies to all authentication now, not just form based.
I've also recorded a load of videos related to authentication, all linked off https://www.zaproxy.org/videos/

If you have any more questions then just ask here :)

Cheers,

Simon

dave zuul
May 4, 2021, 11:46:51 AM
to OWASP ZAP Developer Group
Hello Simon,
Thanks a lot, it helped. I had already watched your "ZAP in Ten" videos, but it was in the middle of plenty of information, so I missed something. My mistake was that I first had to configure the "Logged in indicator" for the authentication within the context to allow my script to be executed.
My multi-step (a lot of steps) authentication script is now working. I will now try to invoke ZAP with the context and script via a Docker instance, and I've seen a recent discussion on that subject, so this is great.

Thanks again, I'm moving forward.

Dave

dave zuul
May 17, 2021, 10:19:36 AM
to OWASP ZAP Developer Group
Hello,

My "multi-redirect OAuth2 auth script" is now working in the ZAP UI!!

I have to integrate that into a GitLab CI now, so I've exported my context, added the authentication script and launched a Docker image with this command line:
zap-baseline.py -t https://mytarget -I -n target.context -m 10 -T 60 -U test -r ./report.html --hook=hook.py \
-z "-config script.scripts.name=auth_peconnect -config script.scripts.engine='Oracle Nashorn' -config script.scripts.enabled=false -config script.scripts.type=authentication -config script.scripts.file=/zap/wrk/scripts/authentication/peam.js"

The context is loaded and the script is found. The hook file is just there to list "zap.spider.all_urls", to be sure what is crawled by the spider.

So the spider returns no error and my target site is crawled, but the authentication script is not executed.

Do you know if there is a "config" parameter that implements the equivalent of the UI padlock "forced user mode" option?

Do you have another idea to help me find out why my authentication script is not executed?

(To validate that everything is OK, I use the ZAP UI with a new session, load the context, lock the "forced user mode" option and launch a spider from the top of the target... the script is launched and the authentication is validated.)

thanks a lot,

Dave

dave zuul
May 17, 2021, 11:29:20 AM
to OWASP ZAP Developer Group
Hello again,

I've tried a hook to force user mode, but it doesn't change the behaviour:

# zap-baseline.py hook, called just before the spider is started
def zap_spider(zap, target):
    zap.forcedUser.set_forced_user_mode_enabled('true')
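A diagnostic hook to go with the docker command line above (added example, not code from the thread or from the ZAP project). It assumes the zap-baseline.py hook entry point zap_started(zap, target) and the zapv2 views script.list_scripts(), context.context() and users.users_list() with the response keys shown; CONTEXT_NAME is a placeholder to adapt. The pure functions take the list_scripts() response as data, so the checks can be exercised without a running ZAP.

```python
# Diagnostic hook for zap-baseline.py: report whether the authentication
# script named on the -z line was actually loaded by ZAP, with the right
# type and engine, and whether it loaded without errors.
import logging

SCRIPT_NAME = "auth_peconnect"        # value of -config script.scripts.name=...
EXPECTED_ENGINE = "Oracle Nashorn"    # value of -config script.scripts.engine=...
CONTEXT_NAME = "target.context"       # placeholder: name of the imported context


def script_status(scripts, name):
    """Return the entry for `name` from a script.list_scripts() response, or None.
    Assumed response shape: list of dicts with name/type/engine/enabled/error keys."""
    for entry in scripts:
        if entry.get("name") == name:
            return entry
    return None


def diagnose_auth_script(scripts, name, expected_engine=EXPECTED_ENGINE):
    """Return a list of human-readable problems with the loaded script (empty = OK)."""
    entry = script_status(scripts, name)
    if entry is None:
        return ["script '%s' is not loaded at all" % name]
    problems = []
    if entry.get("type") != "authentication":
        problems.append("type is %r, expected 'authentication'" % entry.get("type"))
    if entry.get("engine") != expected_engine:
        problems.append("engine is %r, expected %r" % (entry.get("engine"), expected_engine))
    if str(entry.get("error", "false")).lower() == "true":
        problems.append("script failed to load/compile (look for the stack trace in zap.log)")
    return problems


def zap_started(zap, target):
    """Hook run once ZAP is up and the context file has been imported."""
    problems = diagnose_auth_script(zap.script.list_scripts(), SCRIPT_NAME)
    for problem in problems:
        logging.warning("auth script check: %s", problem)
    if not problems:
        logging.info("auth script %s loaded OK", SCRIPT_NAME)
    # Assumed: context.context() returns a dict with an 'id' key, users_list() a
    # list of dicts with 'name'; logging the users confirms -U matches a real user.
    ctx = zap.context.context(CONTEXT_NAME)
    users = zap.users.users_list(ctx["id"])
    logging.info("users in context %s: %s", CONTEXT_NAME, [u.get("name") for u in users])
```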

psiinon
May 17, 2021, 11:35:51 AM
to OWASP ZAP Developer Group
If you have set up authentication correctly then you should not need to use Forced User Mode; supplying the context and specifying the user will be enough for ZAP to spider using that user.
This implies something is wrong with your configuration :/
Are there any errors in the zap.log file?

Cheers,

Simon

dave zuul
May 17, 2021, 2:25:09 PM
to OWASP ZAP Developer Group
Thanks Simon, good advice that I will remember:

There is an error in my authentication Nashorn script, only in the context of the Docker command line:

can't unambiguously select between fixed arity signature string/char[] while invoking new URI() object...

I'll look at this error tomorrow... it's not immediately obvious to me how to force/cast in the Nashorn JS language...

thanks again. 

Dave

David Opter
May 18, 2021, 4:38:01 AM
to zaproxy...@googlegroups.com
I think it works...
That's confusing, because the authentication process is in a different domain (which is also included in the context), but I can't see ZAP crawling to that domain except in zap.log with level=Debug in log4j2.properties... even if I list all URLs from "zap.spider.all_urls".
I have to find a way to be sure the authentication process went well... is it possible to redirect script output to the ZAP console/log file?

thanks again,

Dave
