Unable to load Script Based Authentication method. The script PRMAUTH.py does not properly implement the Authentication Script interface.


Александр Богомолов

Jun 16, 2021, 5:04:44 AM6/16/21
to ZAP Jenkins Plugin
Hi, sorry for my awful English. I need help.
I use this bash script to run ZAP Dockerized:

#!/bin/bash
# ./rep on the host is mounted at /zap/wrk inside the container; the context
# file, the script and the report all live there.
# The quoted segments of the -z value below are adjacent, so the shell joins
# them into a single argument.
docker run --rm -v "$(pwd)/rep/:/zap/wrk/:rw" -t owasp/zap2docker-weekly zap-baseline.py \
    -t https://my-site/ -n $(pwd)/rep/prm.context -z \
    "-config script.scripts.name="PRMAUTH.py" \
-config script.scripts.engine="jython" \
-config script.scripts.type=proxy \
-config script.scripts.enabled=true \
-config script.scripts.file="/zap/wrk/PRMAUTH.py"" \
    -U admin -j -r Report--$(date +%Y-%m-%d:%H:%M:%S).html   # %H, not %k: %k pads the hour with a space
In the log I have the following strange records:

2021-06-16 08:38:42,632 Failed to load context file /zap/wrk/prm.context : internal_error

But then ZAP does this:

7923 [ZAP-ProxyThread-4] INFO  org.zaproxy.zap.authentication.ScriptBasedAuthenticationMethodType - Loaded script:PRMAUTH.py

And throws an error:

7924 [ZAP-ProxyThread-4] ERROR org.zaproxy.zap.authentication.ScriptBasedAuthenticationMethodType - Unable to load Script Based Authentication method. The script PRMAUTH.py does not properly implement the Authentication Script interface.
7987 [ZAP-ProxyThread-4] ERROR org.zaproxy.zap.extension.api.ContextAPI - null
java.lang.NullPointerException: null
    at org.zaproxy.zap.utils.EncodingUtils.mapToString(EncodingUtils.java:31) ~[zap-D-2021-06-07.jar:D-2021-06-07]
    at org.zaproxy.zap.authentication.ScriptBasedAuthenticationMethodType.persistMethodToSession(ScriptBasedAuthenticationMethodType.java:757) ~[zap-D-2021-06-07.jar:D-2021-06-07]
    at org.zaproxy.zap.extension.authentication.ExtensionAuthentication.persistContextData(ExtensionAuthentication.java:407) ~[zap-D-2021-06-07.jar:D-2021-06-07]
    at org.parosproxy.paros.model.Model.saveContext(Model.java:547) ~[zap-D-2021-06-07.jar:D-2021-06-07]
    at org.parosproxy.paros.model.Session.saveContext(Session.java:1306) ~[zap-D-2021-06-07.jar:D-2021-06-07]
    at org.parosproxy.paros.model.Session.importContext(Session.java:1605) ~[zap-D-2021-06-07.jar:D-2021-06-07]
    at org.zaproxy.zap.extension.api.ContextAPI.handleApiAction(ContextAPI.java:279) [zap-D-2021-06-07.jar:D-2021-06-07]
    at org.zaproxy.zap.extension.api.API.handleApiRequest(API.java:507) [zap-D-2021-06-07.jar:D-2021-06-07]
    at org.parosproxy.paros.core.proxy.ProxyThread.processHttp(ProxyThread.java:497) [zap-D-2021-06-07.jar:D-2021-06-07]
    at org.parosproxy.paros.core.proxy.ProxyThread.run(ProxyThread.java:333) [zap-D-2021-06-07.jar:D-2021-06-07]
    at java.lang.Thread.run(Thread.java:829) [?:?]


What am I doing wrong?

Did I not upload the context and the script into the Docker container? Or did I make a mistake in the script?

SCRIPT:

# Jython authentication script for ZAP. ZAP calls authenticate() whenever
# the context user (admin) has to be logged in or re-authenticated.
import json
import java.lang.String
import jarray
import org.parosproxy.paros.network.HttpRequestHeader as HttpRequestHeader
import org.zaproxy.zap.extension.script.ScriptVars as GlobalVariables
from org.apache.commons.httpclient import URI


def authenticate(helper, paramsValues, credentials):
    # Extra_POST_data is optional, so it may be absent from the map; treat a
    # missing value as an empty string instead of failing on None.
    extraPostData = paramsValues.get("Extra_POST_data") or ""
    requestUri = URI(paramsValues["Auth_URL"] + extraPostData, False)

    msg = helper.prepareMessage()
    requestHeader = msg.getRequestHeader()
    requestHeader.setURI(requestUri)
    requestHeader.setMethod(HttpRequestHeader.POST)
    requestHeader.setHeader("Content-Type", "application/json")
    helper.sendAndReceive(msg)

    # Store the token so the HttpSender script can attach it to every request.
    token = return_token(msg)
    GlobalVariables.setGlobalVar("Auth_token", token)
    return msg


def getRequiredParamsNames():
    return jarray.array(["Auth_URL"], java.lang.String)


def getOptionalParamsNames():
    return jarray.array(["Extra_POST_data"], java.lang.String)


def getCredentialsParamsNames():
    # Declared so the context user can carry a username/password pair, even
    # though this script obtains its token from Auth_URL alone.
    return jarray.array(["Username", "Password"], java.lang.String)


def return_token(msg):
    # The login endpoint answers with JSON of the form {"accessToken": "..."}.
    body = json.loads(msg.getResponseBody().toString())
    return body["accessToken"]

And the HttpSender script:

# Jython HttpSender script: attaches the token saved by PRMAUTH.py to every
# request ZAP sends (spider, scanner, requests through the proxy).
import org.zaproxy.zap.extension.script.ScriptVars as GlobalVariables
from org.parosproxy.paros.network import HttpSender


def sendingRequest(msg, initiator, helper):
    # Leave the authentication request itself alone: it must not carry a
    # stale token from a previous login.
    if initiator == HttpSender.AUTHENTICATION_INITIATOR:
        return

    token = GlobalVariables.getGlobalVar("Auth_token")
    if token is None:
        print("Do nothing, token not set")
        return

    msg.getRequestHeader().setHeader("Authorization", token)
    # Log the URL only; printing the token would leak it into ZAP's output.
    print("Adding token to request url=" + msg.getRequestHeader().getURI().toString())


def responseReceived(msg, initiator, helper):
    return

In the ZAP UI it looks OK, but if I press Stop while the Spider is working, I get

The provided Authentication script (PRMAUTH) does not implement the required interface. Please take a look at the provided templates for examples.

What's wrong? :'((

lokesh....@gmail.com

Jun 16, 2021, 5:12:51 AM6/16/21
to ZAP Jenkins Plugin
Script-based auth sucks. If you are using OAuth or a third-party identity provider such as Amazon Cognito, the scripting engine needs to be updated to use Python 3.

Александр Богомолов

Jun 16, 2021, 8:30:51 AM6/16/21
to ZAP Jenkins Plugin
Mmmm... Can you explain what you mean? In my case it works when I use the UI, with the default settings and the "python : jython" script engine. Yes, it may not be convenient, but it works.
Do I have to make my own Docker container with Python 3 on board?

Wednesday, June 16, 2021 at 12:12:51 UTC+3, lokesh....@gmail.com:

psi...@gmail.com

Jun 16, 2021, 8:40:33 AM6/16/21
to ZAP Jenkins Plugin

docker run --rm -v $(pwd)/rep/:/zap/wrk/:rw -t owasp/zap2docker-weekly zap-baseline.py \
    -t https://my-site/ -n $(pwd)/rep/prm.context -z \

^ This is likely to be wrong - the baseline runs in Docker, so your $(pwd) will not be valid; you should be using the 'local' path, which is /zap/wrk/rep/prm.context
 
    "-config script.scripts.name="PRMAUTH.py" \
-config script.scripts.engine="jython" \
-config script.scripts.type=proxy \
-config script.scripts.enabled=true \
-config script.scripts.file="/zap/wrk/PRMAUTH.py"" \

^ This one looks better :)

Александр Богомолов

Jun 16, 2021, 9:35:09 AM6/16/21
to ZAP Jenkins Plugin
Oook. 

#!/bin/bash
# ./rep on the host is mounted at /zap/wrk inside the container, so the
# context file is passed by its container-side path.
# The quoted segments of the -z value below are adjacent, so the shell joins
# them into a single argument.
docker run --rm -v "$(pwd)/rep/:/zap/wrk/:rw" -t owasp/zap2docker-weekly zap-baseline.py \
    -t https://my-site/ -n /zap/wrk/prm.context -z \
    "-config script.scripts.name="PRMAUTH.py" \
-config script.scripts.engine="jython" \
-config script.scripts.type=proxy \
-config script.scripts.enabled=true \
-config script.scripts.file="/zap/wrk/PRMAUTH.py"" \
    -U admin -j -r Report--$(date +%Y-%m-%d:%H:%M:%S).html   # %H, not %k: %k pads the hour with a space

<...>

2021-06-16 13:22:34,335 Failed to load context file /zap/wrk/prm.context : internal_error

<...>

7926 [ZAP-ProxyThread-4] INFO  org.zaproxy.zap.authentication.ScriptBasedAuthenticationMethodType - Loaded script:PRMAUTH.py
7927 [ZAP-ProxyThread-4] ERROR org.zaproxy.zap.authentication.ScriptBasedAuthenticationMethodType - Unable to load Script Based Authentication method. The script PRMAUTH.py does not properly implement the Authentication Script interface.
8001 [ZAP-ProxyThread-4] ERROR org.zaproxy.zap.extension.api.ContextAPI - null
java.lang.NullPointerException: null
    at org.zaproxy.zap.utils.EncodingUtils.mapToString(EncodingUtils.java:31) ~[zap-D-2021-06-07.jar:D-2021-06-07]
    at org.zaproxy.zap.authentication.ScriptBasedAuthenticationMethodType.persistMethodToSession(ScriptBasedAuthenticationMethodType.java:757) ~[zap-D-2021-06-07.jar:D-2021-06-07]
    at org.zaproxy.zap.extension.authentication.ExtensionAuthentication.persistContextData(ExtensionAuthentication.java:407) ~[zap-D-2021-06-07.jar:D-2021-06-07]
    at org.parosproxy.paros.model.Model.saveContext(Model.java:547) ~[zap-D-2021-06-07.jar:D-2021-06-07]
    at org.parosproxy.paros.model.Session.saveContext(Session.java:1306) ~[zap-D-2021-06-07.jar:D-2021-06-07]
    at org.parosproxy.paros.model.Session.importContext(Session.java:1605) ~[zap-D-2021-06-07.jar:D-2021-06-07]
    at org.zaproxy.zap.extension.api.ContextAPI.handleApiAction(ContextAPI.java:279) [zap-D-2021-06-07.jar:D-2021-06-07]
    at org.zaproxy.zap.extension.api.API.handleApiRequest(API.java:507) [zap-D-2021-06-07.jar:D-2021-06-07]
    at org.parosproxy.paros.core.proxy.ProxyThread.processHttp(ProxyThread.java:497) [zap-D-2021-06-07.jar:D-2021-06-07]
    at org.parosproxy.paros.core.proxy.ProxyThread.run(ProxyThread.java:333) [zap-D-2021-06-07.jar:D-2021-06-07]
    at java.lang.Thread.run(Thread.java:829) [?:?]


Do I need to copy the files into Docker manually, like "docker cp foo.txt mycontainer:/foo.txt", before "docker run lalala", or should it find the files in the mounted directory "-v $(pwd)/rep/:/zap/wrk/:rw"? =) Why does it throw "Unable to load Script Based Authentication method. The script PRMAUTH.py does not properly implement the Authentication Script interface."? =)

I have read all the available documentation and all related threads here at least twice, and I'm still missing something =) It is the last step to success, happiness and a running minimal useful DevSecOps framework =) Please help me understand how it works =)

Wednesday, June 16, 2021 at 15:40:33 UTC+3, psi...@gmail.com:

thc...@gmail.com

Jun 16, 2021, 10:27:46 AM6/16/21
to zaproxy...@googlegroups.com
Try installing the Python Scripting add-on, e.g.:
-z "-addoninstall jython -config ...

Best regards.

Александр Богомолов

Jun 16, 2021, 10:59:34 AM6/16/21
to ZAP Jenkins Plugin
Dear thc202, you are breathtaking! It's alive! Thank you!



Wednesday, June 16, 2021 at 17:27:46 UTC+3, thc202:

thc...@gmail.com

Jun 16, 2021, 11:38:21 AM6/16/21
to zaproxy...@googlegroups.com
Great, thanks for letting us know.

Best regards.

On 16/06/2021 15:59, Александр Богомолов wrote:
> Dear *thc202,* you are breathtaking! It's alive! Thank you!