Adding Python Login Script in ZAP


Hack With Me

May 28, 2018, 12:02:29 AM5/28/18
to OWASP ZAP Scripts
Hi,

I am trying to automate the scanning of a complex enterprise application. I tried Zest Scripting for authentication, but there seem to be some issues in handling the cookies properly. I have written a Python script that logs in to the application and prints out the session cookies. But when I try to add the script in ZAP and load it from Session Properties, it seems to throw an exception (NoSuchMethodException: getRequiredParamsNames). I have also added the Python add-on. Any help, please, on how to run custom Python scripts for authentication in ZAP?

kingthorin+owaspzap

May 28, 2018, 4:37:49 AM5/28/18
to OWASP ZAP Scripts
Does your script have a getRequiredParamsNames method?

Community auth scripts are here: https://github.com/zaproxy/community-scripts/tree/master/authentication
They're mostly JavaScript, but might help you along.

thc...@gmail.com

May 28, 2018, 5:00:23 AM5/28/18
to zaproxy...@googlegroups.com

Hack With Me

May 28, 2018, 5:29:56 AM5/28/18
to OWASP ZAP Scripts
Thanks for the quick response. I think this might help.
One more question, I want to use requests library to implement my authentication. How should I import the library in jython?

Thanks and Regards

thc...@gmail.com

May 28, 2018, 5:40:07 AM5/28/18
to zaproxy...@googlegroups.com
You can import it as usual (note that you might need to add it to the
modules path, in Options > Jython).

I'd suggest using ZAP classes to send the HTTP requests, otherwise you
have to extract the HTTP session and set it back to the user.

Best regards.

Hack With Me

May 28, 2018, 6:05:54 AM5/28/18
to OWASP ZAP Scripts
I am having some issues using ZAP classes to send HTTP requests. Here is my Python code that fetches the final session cookies:


import requests

# One Session keeps cookies across requests, so the CSRF cookie set by /home
# is sent automatically on the /login POST and the follow-up GET.
session = requests.Session()
ua = {'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0'}

# 1. Landing page: the server sets the IDS-CSRF-TOKEN cookie here.
session.get('https://example.com/home', verify=False, headers=ua)

# 2. JSON login; the CSRF cookie value is echoed back as a request header.
login_headers = dict(ua, **{'IDS-CSRF-TOKEN': session.cookies['IDS-CSRF-TOKEN'],
                            'X-Requested-With': 'XMLHttpRequest', 'namespace': ''})
session.post('https://example.com/login', verify=False,
             json={"username": "admin", "password": "password@123"}, headers=login_headers)

# 3. Follow-up page that completes the login and yields the final session cookies.
session.get('https://example.com/ma/home', verify=False,
            headers=dict(ua, Referer='https://example.com/home'))

print("USER SESSION IS  " + str(session.cookies['USER_SESSION']))
print("XSRF TOKEN IS  " + str(session.cookies['XSRF_TOKEN']) + "\n\n\n\n")



Can you please help with how I should do this using ZAP classes?
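One way to do the same home-then-login flow with ZAP classes, as an added Jython example (not code from the thread or from the ZAP project): it supplies the three parameter-name functions ZAP looks up (the missing getRequiredParamsNames is what caused the exception in the first post) and an authenticate() that sends the two requests through ZAP's own HttpMessage API. The parameter names "Home URL" and "Login URL", the lazy Java imports, and the explicit Cookie header are assumptions; the Java class names are the ones ZAP's JavaScript authentication templates use.

```python
import json
# ZAP's parameter-name hooks. Without all three, ZAP reports
# NoSuchMethodException: getRequiredParamsNames when the script is loaded.
def getRequiredParamsNames():
    return ["Home URL", "Login URL"]   # assumed names, shown in Session Properties

def getOptionalParamsNames():
    return []

def getCredentialsParamsNames():
    return ["Username", "Password"]

def cookie_value(set_cookie_values, name):
    """Return cookie `name` from a list of Set-Cookie header values, or None."""
    for raw in set_cookie_values:
        key, _, value = raw.split(";", 1)[0].strip().partition("=")
        if key == name:
            return value
    return None

def login_body(username, password):
    return json.dumps({"username": username, "password": password})

def authenticate(helper, paramsValues, credentials):
    # Java classes only resolve inside ZAP's Jython, so import them lazily (assumption).
    from org.parosproxy.paros.network import HttpRequestHeader, HttpHeader
    from org.apache.commons.httpclient import URI
    # 1. GET the home page; the server sets the IDS-CSRF-TOKEN cookie.
    home = helper.prepareMessage()
    home.setRequestHeader(HttpRequestHeader(HttpRequestHeader.GET,
                          URI(paramsValues.get("Home URL"), False), HttpHeader.HTTP11))
    helper.sendAndReceive(home)
    csrf = cookie_value(home.getResponseHeader().getHeaderValues(HttpHeader.SET_COOKIE),
                        "IDS-CSRF-TOKEN")
    # 2. POST JSON credentials; the token goes in a header and in an explicit Cookie.
    login = helper.prepareMessage()
    login.setRequestHeader(HttpRequestHeader(HttpRequestHeader.POST,
                           URI(paramsValues.get("Login URL"), False), HttpHeader.HTTP11))
    hdr = login.getRequestHeader()
    hdr.setHeader("IDS-CSRF-TOKEN", csrf)
    hdr.setHeader(HttpHeader.COOKIE, "IDS-CSRF-TOKEN=" + csrf)
    hdr.setHeader("X-Requested-With", "XMLHttpRequest")
    hdr.setHeader(HttpHeader.CONTENT_TYPE, "application/json")
    login.setRequestBody(login_body(credentials.getParam("Username"),
                                    credentials.getParam("Password")))
    hdr.setContentLength(login.getRequestBody().length())
    helper.sendAndReceive(login)
    # ZAP reads the session cookies (USER_SESSION, XSRF_TOKEN) from the returned message.
    return login
```

The pure-Python helpers (parameter names, cookie parsing, body building) can be checked outside ZAP; authenticate() itself only runs inside ZAP's Jython engine.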