ZAProxy and Set-Cookie


evangeline eleanor

May 30, 2013, 4:37:05 AM
to zaproxy...@googlegroups.com
Hi,

I'm trying to spider a website, which is in my domain and requires login. I've bypassed the needed login mechanism by allowing everybody to login to the page, but there are some redirections occurring, which set the right cookie for login to be successful. Basically I changed the application so that it gives the administrator cookie to every user visiting a page. This is just for testing purposes, so don't be alarmed.

The

GET http://127.0.0.1/myadmin.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0;)
Pragma: no-cache
Cache-control: no-cache
Content-Type: application/x-www-form-urlencoded
Content-length: 0
Host: 127.0.0.1
Cookie: mylogged=myadmin%7Ce0566b4d7d9b8b7ba0b995488; mysession=1369900224


HTTP/1.1 302 Found
Server: Apache
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Location: http://127.0.0.1/mylogin.php?redirect=http://127.0.0.1/myadmin.php
Set-Cookie: mylogged=myadmin:75c246cb3417a2e6877e19b19cb6a264
Set-Cookie: domain=localhost
Content-Length: 0
Content-Type: text/html


After that the following code is called:

protected void processURL(HttpMessage message, int depth, String localURL, String baseURL) {
    // Build the absolute canonical URL
    String fullURL = URLCanonicalizer.getCanonicalURL(localURL, baseURL);
    if (fullURL == null) {
        return;
    }

    log.info("Canonical URL constructed using '" + localURL + "': " + fullURL);
    notifyListenersResourceFound(message, depth + 1, fullURL);
}


67988 [pool-2-thread-3] INFO org.zaproxy.zap.spider.parser.SpiderParser - Canonical URL constructed using 'http://127.0.0.1/mylogin.php?redirect=http://127.0.0.1/myadmin.php' : http://127.0.0.1/mylogin.php?redirect=http://127.0.0.1/myadmin.php


The problem is that the cookies in the 302 response are not being stored and sent in further requests. I have two questions:
1. Any ideas whether this is true or am I missing something above?
2. Is there any way to dynamically access the cookie store/manager and add cookies which are sent in every request to the web server? I could solve the problem by setting the cookies manually from my python script that I'm writing. 

Thank you


thc202

May 30, 2013, 11:45:17 AM
to zaproxy...@googlegroups.com
Hi.

What are exactly the steps that you're doing?
Are you using the GUI or the API?


Regarding your questions:
1. That's true but only if ZAP is not configured to manage the HTTP sessions.

2. You don't need to add the cookies manually as ZAP will manage the cookies once configured to do so. It can be done by using the "httpSessions" API. Though it's not available (yet) as a class in the Python API client it can be "called" manually.

Best regards.

evangeline eleanor

May 30, 2013, 1:05:25 PM
to zaproxy...@googlegroups.com
Hi,

I'm using GUI, but will eventually switch to API, just making sure everything works before I do. 

I would like to do the following: let's talk about the WP site, which behaves exactly like my internal web site (for easier conversation). 

What I would like to do with a python script using ZAP API is the following:
1. Login to the wp-admin/ Wordpress website, which would set appropriate cookies in ZAP.
2. Run the ZAP spider.
3. Return results from ZAP spider.

Can you walk me through how to do that? Did you mean that the "httpSessions" API is not yet available in the GUI but is available in the API?

So far I've logged into the WP website (through ZAP) with "Enable session tracking" enabled: this should store all the cookies and use them in all subsequent requests. When I ran the spider, it didn't send those cookies to the website, therefore the restricted area of the Wordpress application was not spidered.

Any idea how to turn that on?

Thank you

thc202

Jun 6, 2013, 5:17:27 PM
to zaproxy...@googlegroups.com
Hi.

Sorry for taking so long to answer.

The option "Enable session tracking" manages (store/send) the cookies but is (a little) buggy [1] so it's better to avoid its use whenever possible (also note that the cookies should be disabled in the browser when using the option or else the cookies will be sent twice, added once by the browser and another by ZAP).

Using:
ZAP 2.1.0;
WordPress 3.5.1 under "http://localhost/";
A browser proxying through ZAP.

Steps to spider the admin section of WP using GUI:
1. Run ZAP;
2. (browser) Access the admin page ("http://localhost/wp-admin/") and login;
3. (ZAP) Select the "Params" tab and flag the cookies "wordpress_XYZ" and "wordpress_logged_in_XYZ" as session tokens (where XYZ is the MD5 hash of the WP option "siteurl");
4. (browser) Access another admin page (example: "http://localhost/wp-admin/edit.php") (this step is to ensure that the ZAP session will have the cookies previously flagged as session tokens);
5. (ZAP) Select the "Http Sessions" tab and check that there's a session with the two cookies previously flagged, set it as active;
6. (browser) Disable (and remove) the cookies and access (again) an admin page (example: "http://localhost/wp-admin/edit.php"); it should load without requiring authentication (this step is to ensure that ZAP's active session has access to admin pages);
7. (ZAP) Exclude from spider the login page ("\Qhttp://localhost/wp-login.php\E.*") and profile ("\Qhttp://localhost/wp-admin/profile.php\E.*") pages (this is to ensure that the spider doesn't login/logout or change the password);
8. Start the spider;
9. Wait to finish and check the results.

Let me know if you've any question regarding the steps.

Using:
ZAP 2.1.0 (listening on port 8080);
WordPress 3.5.1 under "http://localhost/";
python-owasp-zap-v2-0.0.6.

Example Python script to spider the admin section of WP:
#!/usr/bin/env python
# Python 2 script written against python-owasp-zap-v2 0.0.6, in which the
# parameterless API calls used below (status, results, shutdown) are exposed
# as properties, hence no parentheses on them.

import time
import os
import subprocess
import hashlib
import urllib
from pprint import pprint
from zapv2 import ZAPv2

print 'Starting ZAP.'
# Start ZAP headless; it listens on localhost:8080, which is the client's default proxy.
subprocess.Popen(['/path/to/zap.sh', '-daemon'], stdout=open(os.devnull, 'w'))
print 'Waiting for ZAP...'
time.sleep(20)

zap = ZAPv2()

target = 'http://localhost/'

# Request the target through ZAP so the site appears in the Sites tree.
zap.urlopen(target)

# WordPress names its auth cookies wordpress_<HASH> and wordpress_logged_in_<HASH>,
# where HASH is the MD5 of the "siteurl" option (no trailing slash).
cookie_hash = hashlib.md5('http://localhost').hexdigest()
zap.httpsessions.add_session_token('localhost:80', 'wordpress_' + cookie_hash)
zap.httpsessions.add_session_token('localhost:80', 'wordpress_logged_in_' + cookie_hash)

# Create a session for the site, give it a name and make it the active one, so the
# tokens set by the login response below are stored and sent with every later request.
zap.httpsessions.create_empty_session('localhost:80')
zap.httpsessions.rename_session('localhost:80', 'Session 0', 'WP Admin')

zap.httpsessions.set_active_session('localhost:80', 'WP Admin')

# Log in through ZAP (POST to wp-login.php) so the session cookies land in the active session.
login_data = {'log': 'admin', 'pwd': 'ZAP'}
zap.urlopen(target + 'wp-login.php', urllib.urlencode(login_data))

# Keep the spider away from the login/logout page and the profile page so it cannot
# log the session out or change the password. ZAP regexes are Java regexes: \Q...\E
# quotes the URL literally; raw strings keep the backslashes exactly as written.
zap.spider.exclude_from_scan(r'\Q' + target + r'wp-login.php\E.*')
zap.spider.exclude_from_scan(r'\Q' + target + r'wp-admin/profile.php\E.*')


print 'Spidering target %s' % target
zap.spider.scan(target)

# Give the Spider a chance to start
time.sleep(2)
print 'Status %s' % zap.spider.status
# status is the completion percentage as a string
while (int(zap.spider.status) < 100):
    print 'Spider progress %: ' + zap.spider.status
    time.sleep(5)

print 'Spider completed'
print 'Results: '
pprint(zap.spider.results)

print 'Shutdown ZAP'
zap.core.shutdown


Regarding the "httpSessions" API, it wasn't available in the Python client API but there's a new version (0.0.6) which already has it.

Let us know how it went.


[1] https://code.google.com/p/zaproxy/issues/detail?id=15

Best regards.
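Two checks worth running locally before the spider is started, as an added example that is not part of the thread and not ZAP's or the WordPress project's code. It covers the Set-Cookie headers of the 302 in the first post and steps 3 and 7 of the GUI procedure above: it parses Set-Cookie values the way a client does (first name=value pair is the cookie, the rest are attributes), derives the two WordPress cookie names that must be flagged as session tokens from md5(siteurl), reports which cookies in a response are those tokens, and evaluates ZAP-style \Q...\E exclusion patterns against candidate URLs. Python 3, standard library only. The siteurl "http://localhost" and every cookie value in the sample data are constructed for this example, and the "wordpress_test_cookie" and per-path duplication mirror a WordPress 3.x login response from memory rather than from the thread.

```python
"""Local checks for the WordPress-through-ZAP setup: which Set-Cookie values
are the session tokens ZAP must track, and whether the spider exclusions
cover the logout and profile URLs. Constructed sample data, runs offline."""
import hashlib
import re

SITEURL = "http://localhost"  # WP "siteurl" option, no trailing slash (assumed)


def wp_cookiehash(siteurl):
    """COOKIEHASH as WordPress derives it: md5 of the siteurl option."""
    return hashlib.md5(siteurl.encode("utf-8")).hexdigest()


def wp_session_token_names(siteurl):
    """The two cookie names to flag as session tokens in ZAP."""
    h = wp_cookiehash(siteurl)
    return ["wordpress_" + h, "wordpress_logged_in_" + h]


def parse_set_cookie(header_value):
    """Split one Set-Cookie header value: the first name=value pair is the
    cookie, each further ';'-separated item is an attribute. A header
    without a name=value pair is ignored, as browsers ignore it."""
    parts = [p.strip() for p in header_value.split(";")]
    name, sep, value = parts[0].partition("=")
    if not sep or not name.strip():
        return None
    attrs = {}
    for item in parts[1:]:
        key, _, val = item.partition("=")
        if key.strip():
            attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def session_cookies(set_cookie_headers, siteurl):
    """{name: value} for the session-token cookies present in a response."""
    wanted = set(wp_session_token_names(siteurl))
    found = {}
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        if cookie and cookie["name"] in wanted:
            found[cookie["name"]] = cookie["value"]
    return found


def zap_literal_exclusion(url_prefix):
    """Exclusion regex in the form used in the thread: a quoted literal prefix
    followed by .* so the whole URL, query string included, is matched."""
    return "\\Q" + url_prefix + "\\E.*"


def java_quote_to_python(pattern):
    """Python's re has no \\Q...\\E; rewrite each quoted section with
    re.escape so the Java pattern can be evaluated here."""
    return re.sub(r"\\Q(.*?)\\E", lambda m: re.escape(m.group(1)), pattern, flags=re.S)


def is_excluded(url, exclusion_patterns):
    """True if any exclusion pattern matches the complete URL."""
    return any(re.fullmatch(java_quote_to_python(p), url) for p in exclusion_patterns)


# --- constructed sample data ---------------------------------------------
# The two Set-Cookie headers from the 302 in the first post. The second one is
# not a Domain attribute: sent on its own it is a cookie *named* "domain".
SAMPLE_302_SET_COOKIES = [
    "mylogged=myadmin:75c246cb3417a2e6877e19b19cb6a264",
    "domain=localhost",
]

_H = wp_cookiehash(SITEURL)
# Shape of a WordPress 3.x login response; cookie values are made up.
SAMPLE_WP_SET_COOKIES = [
    "wordpress_test_cookie=WP+Cookie+check; path=/",
    "wordpress_" + _H + "=admin%7C1370000000%7Cabc123; path=/wp-content/plugins; httponly",
    "wordpress_" + _H + "=admin%7C1370000000%7Cabc123; path=/wp-admin; httponly",
    "wordpress_logged_in_" + _H + "=admin%7C1370000000%7Cdef456; path=/; httponly",
]

EXCLUSIONS = [
    zap_literal_exclusion(SITEURL + "/wp-login.php"),
    zap_literal_exclusion(SITEURL + "/wp-admin/profile.php"),
]

if __name__ == "__main__":
    print("session tokens to flag:", wp_session_token_names(SITEURL))
    print("tokens in the 302 of the first post:", session_cookies(SAMPLE_302_SET_COOKIES, SITEURL))
    print("tokens in a WP login response:", session_cookies(SAMPLE_WP_SET_COOKIES, SITEURL))
    for url in (SITEURL + "/wp-login.php?action=logout", SITEURL + "/wp-admin/edit.php"):
        print(url, "-> excluded" if is_excluded(url, EXCLUSIONS) else "-> spidered")
```

The first check explains the original problem from the cookie side: the 302 in the first post carries no cookie that ZAP has been told to treat as a session token, so nothing is stored. The second check is the safety net for step 7; the trailing .* is what makes "wp-login.php?action=logout" fall under the login-page exclusion.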