Authentication Tester Failed

Marco

Aug 30, 2023, 9:33:16 AM
to ZAP Developer Group
Hello,
I'm trying to use the Authentication Tester on my website but it doesn't work properly.
It says:
Status Failed
Username and Password Field - Identified
Session Handling and Verification have the gray ball.

I don't know why, I used it previously this morning on another website and it worked.
What could be a possible reason?

MC

psiinon

Aug 30, 2023, 9:51:59 AM
to ZAP Developer Group
Because the websites handle authentication etc in different ways :)
The tester can handle the first one but not the second.

If you can give us the sanitized details from the Diagnostics tab then we can take a look at it.

Cheers,

Simon

Marco

Aug 30, 2023, 9:58:37 AM
to ZAP Developer Group
>>>>>
POST https://example0/ListAccounts
content-type: application/x-www-form-urlencoded
<<<
HTTP/1.1 200 OK
content-type: application/json; charset=utf-8

["token0",[]]
>>>>>
GET https://example1/login1.php
<<<
HTTP/1.1 200 OK
content-type: text/html; charset=UTF-8
>>>>>
GET https://example2/ChVDaHJvbWUvMTE2LjAuNTg0NS4xNDASFwm10zUTxgNaTRIFDYOoWz0SBQ3Fk8Qk
<<<
HTTP/1.1 200 OK
content-type: text/plain
>>>>>
POST https://example1/login.php
content-type: application/x-www-form-urlencoded
<<<
HTTP/1.1 302 Found
content-type: text/html; charset=UTF-8
>>>>>
GET https://example1/login1.php
<<<
HTTP/1.1 200 OK
content-type: text/html; charset=UTF-8

Marco

Aug 30, 2023, 10:07:33 AM
to ZAP Developer Group
I created a context for my website, using the credentials for a user I previously created, then I tried the Spider and it discovered a hidden page (show_profile.php) as expected.
The problem is that in that page there is a button that sends the user to another page (update.php), used to modify the personal profile, which I know is vulnerable to Reflected XSS, but somehow ZAP doesn't see it.

Also, the page used to modify the profile (update.php) returns the main page of that website as its response (this redirection should happen only if the user isn't logged in).

I thought that it could be a session problem, so I tried the authentication tester, and as I said previously it gives session handling error.

MC

psiinon

Aug 30, 2023, 10:08:38 AM
to ZAP Developer Group
OK, this looks more like a traditional app rather than a modern one.
The Tester will work with modern apps better.

Can you tell how session handling works in that app?
There's nothing in the login response that ZAP can identify which represents a session.

Cheers,

Simon

Marco

Aug 30, 2023, 10:11:40 AM
to ZAP Developer Group
The session is handled via PHPSESSID=

psiinon

Aug 30, 2023, 10:13:58 AM
to zaproxy...@googlegroups.com
As a cookie or ??
Can you see it being set in any of the responses made when the Tester runs?
If it's set as a cookie then I would have expected to see it in the diagnostic data :/

Cheers,

Simon

--
ZAP Project leader

Marco

Aug 30, 2023, 10:26:22 AM
to ZAP Developer Group
Yes it is used as a cookie, I set it with session_start().

Yes, I can see it only in the login response and in almost every request.

MC

psiinon

Sep 4, 2023, 10:26:42 AM
to ZAP Developer Group
Can you see the cookie in the requests and response _just_ sent by the Authentication Tester?
The reason I'm asking is because the cookie was not shown in the diagnostic data you shared before.

Cheers,

Simon

Marco

Sep 4, 2023, 10:54:23 AM
to ZAP Developer Group
Hi,
To solve my problem I added a regex pattern to identify Logout messages. I thought it wasn't mandatory!

psiinon

Sep 4, 2023, 10:56:10 AM
to ZAP Developer Group
So it's all working for you now?

You have to supply either a logged-in regex or a logged-out one. ZAP has to have a way to work out whether you are logged in or not.

Cheers,

Simon

zinw elzl

Sep 5, 2023, 5:50:11 AM
to ZAP Developer Group
Or you can add the logout link, etc., with "Exclude from Context".
This works for me sometimes, depending on how the webapp works.
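
As an added example (not code from this thread and not ZAP's own implementation), the Python sketch below models the three pieces the thread turns on: picking a session cookie out of the login response (Simon's point that the diagnostic data showed nothing ZAP could treat as a session), deciding logged-in versus logged-out state from an indicator regex (the rule in Simon's reply, approximated here, not ZAP's exact logic), and keeping a logout URL out of the context (zinw elzl's suggestion). The URLs, cookie value, page bodies and indicator regexes are constructed to resemble Marco's app and are assumptions for illustration only.

```python
import re
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Cookie names commonly used for server-side sessions (assumption: a
# small illustrative list, not ZAP's configured session-token set).
SESSION_COOKIE_NAMES = ("PHPSESSID", "JSESSIONID", "ASP.NET_SessionId")


@dataclass
class Response:
    """Minimal stand-in for an HTTP response (constructed for this example)."""
    status: int
    headers: dict = field(default_factory=dict)  # one value per header name
    body: str = ""

    def as_text(self) -> str:
        """Status line, headers and body, the text an indicator regex runs over."""
        head = "\n".join(f"{k}: {v}" for k, v in self.headers.items())
        return f"HTTP/1.1 {self.status}\n{head}\n\n{self.body}"


def session_cookie(resp: Response) -> Optional[Tuple[str, str]]:
    """Name and value of a session cookie set by this response, or None.

    A login response that sets no such cookie gives a cookie-based session
    handler nothing to track; that is the situation Simon describes when
    PHPSESSID does not appear in the login response of the diagnostic data.
    """
    set_cookie = resp.headers.get("Set-Cookie")
    if not set_cookie:
        return None
    name, _, rest = set_cookie.partition("=")
    if name.strip() in SESSION_COOKIE_NAMES:
        return name.strip(), rest.split(";", 1)[0].strip()
    return None


def verify_state(resp: Response, logged_in_regex: Optional[str] = None,
                 logged_out_regex: Optional[str] = None) -> str:
    """Return 'logged_in', 'logged_out' or 'unknown'.

    Approximates the rule from the thread: with neither indicator there is
    no way to tell (the 'unknown' case is what Marco hit); a matching
    indicator decides directly; an indicator that was supplied but did not
    match decides by its absence (no logged-in marker => logged out).
    """
    if logged_in_regex is None and logged_out_regex is None:
        return "unknown"
    text = resp.as_text()
    if logged_in_regex and re.search(logged_in_regex, text):
        return "logged_in"
    if logged_out_regex and re.search(logged_out_regex, text):
        return "logged_out"
    return "logged_out" if logged_in_regex else "logged_in"


def in_context(url: str, include: list, exclude: list) -> bool:
    """Context membership: matched by an include regex and by no exclude regex.

    Excluding the logout URL keeps the crawler from ending the session it
    just established, which is why the 'Exclude from Context' tip works.
    """
    if not any(re.fullmatch(p, url) for p in include):
        return False
    return not any(re.fullmatch(p, url) for p in exclude)


# Constructed sample traffic modelled loosely on the app in the thread.
LOGIN_OK = Response(302, {"Location": "show_profile.php",
                          "Set-Cookie": "PHPSESSID=abc123; Path=/; HttpOnly"})
PROFILE = Response(200, {"Content-Type": "text/html"},
                   '<h1>Profile</h1><a href="logout.php">Logout</a>')
BOUNCED = Response(200, {"Content-Type": "text/html"},
                   '<form action="login.php"><input name="username"></form>')

LOGGED_IN = r'href="logout\.php"'       # present only on authenticated pages
LOGGED_OUT = r'<input name="username"'  # the login form itself
INCLUDE = [r"https://example1/.*"]
EXCLUDE = [r"https://example1/logout\.php.*"]


def demo() -> dict:
    """Run the three checks over the constructed traffic."""
    return {
        "login_sets_session": session_cookie(LOGIN_OK),
        "no_indicator": verify_state(PROFILE),
        "profile_with_indicator": verify_state(PROFILE, logged_in_regex=LOGGED_IN),
        "bounced_with_indicator": verify_state(BOUNCED, logged_in_regex=LOGGED_IN),
        "update_in_scope": in_context("https://example1/update.php", INCLUDE, EXCLUDE),
        "logout_in_scope": in_context("https://example1/logout.php", INCLUDE, EXCLUDE),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it and the `no_indicator` entry comes back `unknown`, which is the state the Tester is in when no logged-in or logged-out regex has been supplied; adding either indicator turns the same responses into definite verdicts.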

Marco

Sep 5, 2023, 5:55:17 AM
to ZAP Developer Group
Ok thanks, I didn't think about it.

MC
