Authentication script runs after 2 requests from Context


Bharath

Aug 21, 2020, 5:35:14 AM
to OWASP ZAP Scripts

Hi All,
I created an Authentication script and an HTTP Sender script for a context which contains 6 requests.
When I spider the context with a user, the HTTP Sender is supposed to execute the Authentication script and use the token fetched by the authentication request for the requests in the context. But what's happening to me is:

1. First, the HTTP Sender sets the token for the first 2 requests in the context as null, sends the requests and executes the authentication script for fetching the token, let's say token A.
2. Then, the HTTP Sender sets token A fetched in the above step, sends the requests and executes the Auth script to fetch the token again. This time token B.
3. Finally, the HTTP Sender sets the above fetched token B for the last 2 requests from the context, sends the requests and executes the Auth script.

I need the reason for this behaviour. Please help me....

Thanks in Advance

Bharath

Aug 21, 2020, 5:57:48 AM
to OWASP ZAP Scripts
[Attachment: Authentication issue.png]

In the above pic, while spidering, the first two requests didn't get the auth token, so they failed with 401; after that all the requests have the 403 code, which is expected, but the first requests were also expected to get the 403. As the Authentication script ran only after the first 2 requests, I am getting 401 for them and 403 for the rest of them.

Note: All the requests should get the 403 code, as the request should return forbidden for the token that I am using.

zak...@yandex.ru

Aug 21, 2020, 8:14:02 AM
to OWASP ZAP Scripts
Hi.
When you do a scan "as user", ZAP tries to authenticate with your auth script and handle the session for scanning. If ZAP couldn't handle the session, it scans without the added session information.
How does your application check the authentication of a user? Session information in a header, cookies...? Is the previous token dead if the user authenticates again?

In your case, you should use a session script to handle the session and disable the HTTP sender script, or don't use the "scan as user" option and write the auth script as a standalone script -> get and set up the "auth token" as a global variable => use it in the HTTP sender script.

Friday, August 21, 2020 at 12:57:48 UTC+3, Bharath:

Bharath

Aug 21, 2020, 10:13:04 AM
to OWASP ZAP Scripts
Hi zak,
Thanks for your suggestion. Can you explain in which order the auth script and the HTTP sender script are executed by ZAP? In my situation, the session is handled by the passed bearer token. If the token is present, the request will be processed. For me what happens is: the HTTP Sender sends 2 requests from the context and the Auth script is executed to get the token. Now the HTTP Sender again sends the next 2 requests with the token fetched last time. After those 2 requests are sent, the Auth script is executed again.

thc...@gmail.com

Aug 21, 2020, 10:44:09 AM
to zaproxy...@googlegroups.com
Hi.

Starting from a clean state, first the Authentication script then the
HTTP Sender script, worth noting that the Authentication script will
trigger the HTTP Sender script when sending the authentication requests
(e.g. the HTTP Sender script should have a check of the initiator to not
process those requests).

If you are seeing the authentication script being triggered when it
shouldn't, it means that the logged in/out indicators are not correct.

Best regards.

Bharath

Aug 21, 2020, 11:05:42 AM
to OWASP ZAP Scripts
Hi,
So are you saying that the HTTP Sender will process the URL from the context, and if the response message matches the regex in the Authentication panel for the logged out indicator, then the Authentication script will be triggered?

Thanks

thc...@gmail.com

Aug 21, 2020, 11:12:26 AM
to zaproxy...@googlegroups.com
The HTTP Sender scripts are executed for all messages sent by ZAP (if
you want them to apply just to some URLs/context you'd have to add that
check).

The Authentication script (applies to all authentication methods) is
triggered when the response of a message does not match the logged
in/out indicators. More details in:
https://www.zaproxy.org/docs/desktop/start/features/authentication/

Best regards.

Bharath

Aug 21, 2020, 11:24:47 AM
to OWASP ZAP Scripts
I specified the logged out indicator with the correct regex by selecting the response message and adding it as the logged out indicator. After that, if I spider the context, the requests which had the logged out message are not processed again after authentication.

Bharath

Aug 21, 2020, 11:40:48 AM
to OWASP ZAP Scripts
I want ZAP to trigger the Auth script before processing any request from the context. I mean, before checking the response of the message, I want to trigger the Authentication. How can I do it?

thc...@gmail.com

Aug 21, 2020, 12:41:57 PM
to zaproxy...@googlegroups.com
Initially (when there's no session) the authentication script will be
executed before any request is sent, so that should be already
happening. The logged in/out indicators are then checked to see if the
authentication was successful or when already using an existing session
that the session is still valid/authenticated.


I need to correct a statement in the previous message:
> first the Authentication script then the HTTP Sender script

The HTTP Sender script is actually called before the Authentication
script. If that's a problem you can use a global variable to flag if the
authentication was already called or not.

Best regards.
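The two fixes suggested in this thread (skip the requests the Authentication script itself sends, and attach the bearer token only once it exists in a global variable) as an added HTTP Sender script sketch; this is example code, not from the thread or the ZAP project. It assumes the Authentication script stores the token under the global variable name `auth.token` (a made-up key), and when run outside ZAP it substitutes constructed stand-ins for ZAP's `HttpSender`, `ScriptVars` and `HttpMessage` so the logic can be exercised.

```javascript
// Added example: HTTP Sender script applying the initiator check and the
// global-variable token handoff discussed above. Inside ZAP (Nashorn/Graal)
// the real Java classes are used; elsewhere constructed stand-ins are used.
var inZap = typeof Java !== 'undefined';
var HttpSender = inZap
  ? Java.type('org.parosproxy.paros.network.HttpSender')
  : { SPIDER_INITIATOR: 3, AUTHENTICATION_INITIATOR: 5 }; // ZAP's constant values
var store = {}; // stand-in for ZAP global vars when not running inside ZAP
var ScriptVars = inZap
  ? Java.type('org.zaproxy.zap.extension.script.ScriptVars')
  : {
      getGlobalVar: function (k) { return store.hasOwnProperty(k) ? store[k] : null; },
      setGlobalVar: function (k, v) { store[k] = v; }
    };
// Assumed key; the Authentication script must call ScriptVars.setGlobalVar with it.
var TOKEN_VAR = 'auth.token';

// Returns true when a token was attached, false when the message was left alone.
function sendingRequest(msg, initiator, helper) {
  // Requests issued by the Authentication script are the login itself:
  // do not attach a (stale) token to them.
  if (initiator === HttpSender.AUTHENTICATION_INITIATOR) return false;
  var token = ScriptVars.getGlobalVar(TOKEN_VAR);
  // No token yet: send unchanged so the logged-out indicator matches and
  // ZAP triggers the Authentication script instead of sending "Bearer null".
  if (token === null || token === '') return false;
  msg.getRequestHeader().setHeader('Authorization', 'Bearer ' + token);
  return true;
}

function responseReceived(msg, initiator, helper) {
  // Nothing to do on the response side for this example.
}

// Constructed minimal stand-in for ZAP's HttpMessage (only what the script uses).
function fakeMessage() {
  var headers = {};
  var header = {
    setHeader: function (n, v) { headers[n] = v; },
    getHeader: function (n) { return headers.hasOwnProperty(n) ? headers[n] : null; }
  };
  return { getRequestHeader: function () { return header; } };
}
```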