Zap Authentication through Zest Script


Lax

Feb 1, 2024, 3:02:00 AM
to ZAP Scripts
Hi, 

I am trying to configure ZAP to automatically authenticate to a website which initially redirects to a login page. That page only prompts for the username; on clicking Continue it redirects to a page with a password prompt, and on giving the correct password it uses FortressLogin to log in to the application and redirects to the landing page.

It uses cookie-based session management and has a JSESSIONID which changes multiple times until I log in successfully.

Various other cookies are saved as well.

I am using a Zest script to record the authentication process, and the script runs fine on its own after removing all the unnecessary URLs.

There are multiple URLs under the Sites option and one of them is the main website's URL. Under the main URL of the website I have the main FortressLogin POST request with the Email and Password parameters, along with many other empty parameters.

Next:
- I created a Context to include all the URLs in the Sites section.
- Chose script-based authentication and loaded the recorded authentication script.
- Gave the main URL as the login URL and set the logged-in and logged-out indicators.
- Added a User under the Users section with the correct username and password.
- Chose cookie-based session management.

I enabled Forced User mode and tried to access the main website page, but since there is no button to click to check whether I get logged in automatically, I tried to access the landing page. It failed and redirected me to the username prompt page.

I need help in understanding where I might be going wrong and what steps I can take to reach my goal.

I am very new to ZAP, have not used any such tool before or written any scripts before, and I am doing this for work, so please give me some guidance.

Thank You.

thc...@gmail.com

Feb 1, 2024, 3:32:14 AM
to zaproxy...@googlegroups.com
Hi,

Did you already try
https://www.zaproxy.org/docs/authentication/auto-detection/ ?

Best regards.

On 01/02/2024 07:15, Lax wrote:
> Hi,
>
> I am trying to configure Zap to automatically authenticate to a website
> which initially redirects to a login page and in that page only the prompt
> for username is provided and then on clicking *Continue*, it redirects to a
> page with *Password* prompt, then on giving the correct password it uses
> FortressLogin to login to the application and redirects to the landing
> page.
>
> It uses Cookie based session management and has JSESSIONID which changes
> multiple times until I login successfully.
>
> Various other cookies are saved as well.
>
> I am using a Zest script to record the authentication processes and the
> script runs fine on its own after removing all the unnecessary URLs.
>
> There are multiple URLs under the *Sites* option and one of the URLs is the

Lax

Feb 3, 2024, 3:25:02 AM
to ZAP Scripts
Hi, based on your suggestion I tried out auto-detection using the Authentication Tester, and these are the diagnostics I got:

>>>>>
GET https://example0/
<<<
HTTP/1.1 302 Moved Temporarily
content-type: text/html; charset=iso-8859-1
>>>>>
GET https://example1/
<<<
HTTP/1.1 200 OK
content-type: text/html;charset=UTF-8
cookie: JSESSIONID=CD2FF4283E6D9DABA803A4339441BA7F
>>>>>
GET https://example1/skinresource
<<<
HTTP/1.1 404 Not Found
content-type: text/html;charset=UTF-8
cookie: JSESSIONID=CB22C439C31F3FF8E577637EE7133CAD
>>>>>
POST https://example1/
content-type: application/x-www-form-urlencoded
set-cookie: liveagent_oref="token4"
set-cookie: liveagent_ptid="token295"
set-cookie: liveagent_sid="token295"
set-cookie: liveagent_vc="token33"
<<<
HTTP/1.1 200 OK
content-type: text/html;charset=ISO-8859-1
cookie: JSESSIONID=6925D25F2886944E4C5213B8B5299CE4
>>>>>
POST https://example0/
content-type: application/x-www-form-urlencoded
<<<
HTTP/1.1 200 OK
content-type: text/html;charset=UTF-8
cookie: JSESSIONID=0CF59169C3B376B56ADF0DC6144E9A57
cookie: _FBP=
cookie: _FBP=Fiberlink
cookie: _FBP=Fiberlink
>>>>>
POST https://example0/logCspViolation.htm
content-type: application/csp-report
<<<
HTTP/1.1 200 OK
content-type: text/html
>>>>>
POST https://example0/logCspViolation.htm
content-type: application/csp-report
<<<
HTTP/1.1 200 OK
content-type: text/html
>>>>>
POST https://example0/logCspViolation.htm
content-type: application/csp-report
<<<
HTTP/1.1 200 OK
content-type: text/html
>>>>>
POST https://example0/logCspViolation.htm
content-type: application/csp-report
<<<
HTTP/1.1 200 OK
content-type: text/html
>>>>>
POST https://example0/logCspViolation.htm
content-type: application/csp-report
<<<
HTTP/1.1 200 OK
content-type: text/html
>>>>>
POST https://example0/logCspViolation.htm
content-type: application/csp-report
<<<
HTTP/1.1 200 OK
content-type: text/html
>>>>>
POST https://example0/logCspViolation.htm
content-type: application/csp-report
<<<
HTTP/1.1 200 OK
content-type: text/html
>>>>>
GET https://example0/skinresource
set-cookie: JSESSIONID="token297"
set-cookie: _FBP="token5"
set-cookie: _FPLL="token13"
<<<
HTTP/1.1 200 OK
content-type: text/html;charset=UTF-8
[attachment: Screenshot 2024-02-02 082728.png]

After this I tried running a spider scan on the website. The browser opens and gets properly redirected to the username web page; it then automatically detects and fills in the username field and tries to redirect to the password page, but then it suddenly shuts down the browser. I checked the History and it shows a 405 Method Not Allowed status for the POST request to the password page. I am unable to understand the reason; I have included all the web pages in the Context.
[attachment: Method Not Found.png]

Please let me know what I can do next, or would you suggest some other authentication mechanism?

Thank You

Simon Bennetts

Feb 6, 2024, 6:15:57 AM
to ZAP Scripts
That's actually good news.
We have a PR which _may_ help https://github.com/zaproxy/zap-extensions/pull/5272 but you should still be able to find a work around.
You just need to find a suitable verification URL.

Cheers,

Simon

Simon Bennetts

Feb 6, 2024, 11:30:43 AM
to ZAP Scripts
FYI that PR has now been merged and a new version of the authhelper released, so it would be worth trying the Authentication Tester again.

Cheers,

Simon

Lax

Feb 7, 2024, 4:01:49 AM
to ZAP Scripts
Thank you Simon, I retried with the Authentication Tester but every time it tries to redirect to the password page, the browser window closes abruptly and the test fails.

I am also confused as to what my login URL is, since I have a separate URL for entering the username and a separate URL for the password, and then after entering the password there is again a redirect which finally does a POST request with both username and password along with other fields.

POST Request:
EMail_Proxy=&EMail=hello&Password=a123&_s_name=&_l_name=&_l_type=&_ref_id=&parameterStoAppend=&plang=en&screenResolution=1536X816

So EMail and Password are what actually contain the username and password provided on the different pages.

So once this POST request is successful, I get redirected to home page.

Regards,

Lax
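For reference, an added example, not code from this thread or from the ZAP project: a ZAP "Script-based Authentication" script (JavaScript engine) that replays the final POST quoted above in one request. Assumptions, labelled as such in the code: the FortressLogin endpoint is supplied through a "Login URL" script parameter, the server accepts the request with only EMail and Password filled and the remaining fields empty (as in the recorded body), and the username/password pages do not mint a per-request token that the POST depends on. The Java.type() calls only resolve inside ZAP; the pure helper functions run in any JavaScript engine.

```javascript
// Added example (not from the thread or from ZAP): a ZAP Script-based
// Authentication script that replays the recorded FortressLogin POST.
// ASSUMPTION: a single POST to the "Login URL" parameter with EMail and
// Password set (other fields empty) is enough to establish the session.

// Field order and constant values taken from the recorded POST body.
var FIELD_ORDER = [
  "EMail_Proxy", "EMail", "Password", "_s_name", "_l_name", "_l_type",
  "_ref_id", "parameterStoAppend", "plang", "screenResolution"
];
var FIXED_VALUES = { plang: "en", screenResolution: "1536X816" };

// Build the application/x-www-form-urlencoded body. Percent-encoding the
// credentials matters: a password containing '&' or '=' would otherwise
// be split into extra parameters and the login would fail silently.
function buildLoginBody(username, password) {
  var values = { EMail: username, Password: password };
  var pairs = [];
  for (var i = 0; i < FIELD_ORDER.length; i++) {
    var name = FIELD_ORDER[i];
    var value = "";
    if (values.hasOwnProperty(name)) {
      value = values[name];
    } else if (FIXED_VALUES.hasOwnProperty(name)) {
      value = FIXED_VALUES[name];
    }
    pairs.push(encodeURIComponent(name) + "=" + encodeURIComponent(value));
  }
  return pairs.join("&");
}

// --- ZAP entry points (called by ZAP, not runnable outside it) ---------
function authenticate(helper, paramsValues, credentials) {
  var HttpRequestHeader = Java.type("org.parosproxy.paros.network.HttpRequestHeader");
  var HttpHeader = Java.type("org.parosproxy.paros.network.HttpHeader");
  var URI = Java.type("org.apache.commons.httpclient.URI");
  var AuthenticationHelper = Java.type("org.zaproxy.zap.authentication.AuthenticationHelper");

  var msg = helper.prepareMessage();
  msg.setRequestHeader(new HttpRequestHeader(HttpRequestHeader.POST,
      new URI(paramsValues.get("Login URL"), false), HttpHeader.HTTP11));
  msg.getRequestHeader().setHeader(HttpHeader.CONTENT_TYPE,
      "application/x-www-form-urlencoded");
  msg.setRequestBody(buildLoginBody(credentials.getParam("Username"),
                                    credentials.getParam("Password")));
  msg.getRequestHeader().setContentLength(msg.getRequestBody().length());

  // sendAndReceive follows redirects, so the response ZAP checks the
  // logged-in/logged-out indicators against is the final (landing) page,
  // and the session cookies set along the way are picked up by
  // cookie-based session management.
  helper.sendAndReceive(msg);
  // Make the login request visible in the History tab for debugging.
  AuthenticationHelper.addAuthMessageToHistory(msg);
  print("Login POST finished with status " + msg.getResponseHeader().getStatusCode());
  return msg;
}

// Parameter shown in the Context > Authentication panel.
function getRequiredParamsNames() { return ["Login URL"]; }
function getOptionalParamsNames() { return []; }
// Credential fields shown in the Users panel.
function getCredentialsParamsNames() { return ["Username", "Password"]; }
```

To use it: add it under Scripts > Authentication with the JavaScript engine, select it in the Context's Authentication panel as the script-based method, set "Login URL" to the URL of the FortressLogin POST from the Sites tree, keep cookie-based session management and the indicators, and check with a user in Forced User mode. If the username and password pages do plant a hidden token that the final POST needs, this single-request approach will fail and the recorded Zest script, which replays the whole sequence, is the better route.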

Simon Bennetts

Feb 8, 2024, 4:21:53 AM
to ZAP Scripts
Hi Lax,

Run the Authentication Tester in demo mode (there's a checkbox for that).
That just adds a 2 second sleep in between each action it takes, which makes it easier to see what's going on.
The URL you need to supply is the first one - that's where the user starts after all.

Browser-based auth will cope with the username and password on separate pages... but it's definitely possible that it's not handling your case correctly.

So use demo mode and let us know how far it gets.

Cheers,

Simon

Lax

Feb 9, 2024, 1:44:18 AM
to ZAP Scripts
Hi Simon, the above results are from running it in demo mode only...

I have a few concerns:

1) I noticed that my website takes a lot of time to redirect to the password page, so could that possibly be one of the reasons for the browser quitting before redirecting to the password page?
If so, is there any solution? I have already tried increasing the wait time, as seen in the screenshot.

I also tried increasing the connection time under the Network options; not sure if it makes a difference...

2) The Authentication Tester is giving me different results each time.

[attachment: Screenshot 2024-02-02 082728.png]
I used to get the above before:

[attachment: Only Session Detected.png]
I keep getting this lately almost all the time. I don't understand the reason.

Please let me know what else I can do. Thank you.

Regards,
Lax

Simon Bennetts

Feb 12, 2024, 4:42:25 AM
to ZAP Scripts
Hi Lax,

What do you actually see in the browser?
How long does your app typically take to redirect to the login page?
How long does the browser stay open?

It sounds like your app needs some attention ;)

Cheers,

Simon

Lax

Feb 13, 2024, 12:10:57 AM
to ZAP Scripts
Hi Simon,

The browser is a blank white screen; I just see the website URLs changing at the bottom of the screen and on the browser tab.
It takes about 4-5 seconds to load the username page. After successfully providing the username it takes about 38-40 seconds to redirect to the password page, and then landing on the home page and completely loading everything takes another 40-50 seconds.

During the authentication test the browser successfully loads the username page and adds the username, then tries to redirect to the password page but abruptly quits within 6-7 seconds.

In total, the Authentication Tester browser stays open for about 18 seconds from start to end.

Would you suggest moving towards scripting? (If scripting is the next thing to try, please suggest a direction; I am new to scripting and have watched many of your ZAP scripting videos but couldn't find the right ones for authentication.) Or is there anything more I should try before that?
Thank you!

Regards,
Lax
