ZAP Authentication via Docker


Ayushree Ayushree

Jun 13, 2022, 11:26:56 AM
to OWASP ZAP User Group
Hi,
I want to run an authenticated scan on the specified target using the owasp/zap2docker-stable docker image, but when I run the following command I get the error: Failed to load context file /zap/wrk/Context_1.context : does_not_exist:

docker run -t -p 8090:8090 -v "$(pwd):/zap/wrk/" owasp/zap2docker-stable zap-full-scan.py -t "https://login.app.holvi.com" -g gen.conf -n Context_1.context

Can you please instruct me on how to resolve this issue?


kingthorin+owaspzap

Jun 13, 2022, 1:00:32 PM
to OWASP ZAP User Group
Well it looks like there are two issues there.

1) Is Context_1.context in $(pwd) ?
2) When you provide the -n it likely needs the full path /zap/wrk/Context1.context

Ayushree Ayushree

Jun 20, 2022, 8:37:43 AM
to OWASP ZAP User Group
Hi,
I tried keeping Context_1.context in the owasp/zap2docker-stable docker image, but whenever I create the directory /zap/wrk/ it gets wiped after I exit the image's bash shell.
I have the ZAP Docker images, and the command used to log in to the bash shell is 'docker run -it 0cc5f9c64557 bash'. Every time I log in to bash the docker container number/ID changes, e.g. zap@40c4a3ec4eec, zap@2061d4f48e33 etc. belong to the 0cc5f9c64557 image.

REPOSITORY                      TAG       IMAGE ID       CREATED        SIZE
owasp/zap2docker-weekly         latest    d72e4d51e5e7   5 days ago     2.02GB
owasp/zap2docker-stable         latest    0cc5f9c64557   13 days ago    1.98GB

kingthorin+owaspzap

Jun 20, 2022, 10:58:28 AM
to OWASP ZAP User Group
pwd == present working directory, which is mapped to /zap/wrk/ inside the container. So if Context_1.context isn't in the directory from which you're running the docker command, it isn't going to be found inside the container.

Ayushree Ayushree

Jun 21, 2022, 9:51:57 AM
to OWASP ZAP User Group
Hi,
I tried running the docker command by providing pwd as suggested in the trailing email but unfortunately, it didn't work. Therefore, I tried using zap-cli to do the authentication scan, where I got stuck with the following error found in the zap logs. Can you please provide some suggestions on how to deal with this error?

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

[Thread-489] FATAL ENGINE - /home/ec2-user/.ZAP/session/untitled1.data getFromFile failed 672584

org.hsqldb.HsqlException: IO error: RowInputBinary

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Simon Bennetts

Jun 22, 2022, 4:18:33 AM
to OWASP ZAP User Group
I don't think I've ever seen that error message before :O
It's not one of ours.
Could you have run out of space in your docker container?

Cheers,

Simon

Ayushree Ayushree

Jun 30, 2022, 10:21:52 AM
to zaprox...@googlegroups.com
Hi,
As per the suggestion, I followed the given procedure for the authentication scan but I am still getting the error; can anyone advise what I am doing wrong?
  • I created the context (Context_1.context) and put it in the directory /home/kali
  • Pulled the docker image owasp/zap2docker-stable and set up a container from this image with the following command:
          docker run -u zap -p 8080:8080 -i owasp/zap2docker-stable zap.sh -daemon -host 0.0.0.0 -port 8080
  • Opened a new session while the container is up and running
  • Created the /zap/wrk directory in the container and copied the context file into it
  • Ran the command for the authentication scan but still got the following error:

docker run -v $(pwd):/zap/wrk/:rw -t  owasp/zap2docker-stable zap-baseline.py -I -j -t https://login.app.holvi.com --hook=/zap/auth_hook.py -n /zap/wrk/Context_1.context


The context file looks like this:

<configuration>
    <context>
        <name>Context_1</name>
        <desc/>
        <inscope>true</inscope>
        <!-- <incregexes>https://holvi.com/api/auth-proxy/login/usernamepassword/.*</incregexes> -->
        <incregexes>https://login.app.holvi.com/</incregexes>
        <tech>
            <include>Db</include>
            <include>Db.CouchDB</include>
            <include>Db.Firebird</include>
            <include>Db.HypersonicSQL</include>
            <include>Db.IBM DB2</include>
            <include>Db.Microsoft Access</include>
            <include>Db.Microsoft SQL Server</include>
            <include>Db.MongoDB</include>
            <include>Db.MySQL</include>
            <include>Db.Oracle</include>
            <include>Db.PostgreSQL</include>
            <include>Db.SAP MaxDB</include>
            <include>Db.SQLite</include>
            <include>Db.Sybase</include>
            <include>Language</include>
            <include>Language.ASP</include>
            <include>Language.C</include>
            <include>Language.JSP/Servlet</include>
            <include>Language.Java</include>
            <include>Language.Java.Spring</include>
            <include>Language.JavaScript</include>
            <include>Language.PHP</include>
            <include>Language.Python</include>
            <include>Language.Ruby</include>
            <include>Language.XML</include>
            <include>OS</include>
            <include>OS.Linux</include>
            <include>OS.MacOS</include>
            <include>OS.Windows</include>
            <include>SCM</include>
            <include>SCM.Git</include>
            <include>SCM.SVN</include>
            <include>WS</include>
            <include>WS.Apache</include>
            <include>WS.IIS</include>
            <include>WS.Tomcat</include>
        </tech>
        <urlparser>
            <class>org.zaproxy.zap.model.StandardParameterParser</class>
            <config>{"kvps":"&amp;","kvs":"=","struct":[]}</config>
        </urlparser>
        <postparser>
            <class>org.zaproxy.zap.model.StandardParameterParser</class>
            <config>{"kvps":"&amp;","kvs":"=","struct":[]}</config>
        </postparser>
        <authentication>
            <type>5</type>
            <strategy>EACH_RESP</strategy>
            <pollurl/>
            <polldata/>
            <pollheaders/>
            <pollfreq>60</pollfreq>
            <pollunits>REQUESTS</pollunits>
            <loggedin>\Qid_token\E</loggedin>
            <form>
                <loginurl>https://holvi.com/api/auth-proxy/login/usernamepassword/</loginurl>
                <loginbody>{"client_id":"yIO3banxfsiuQSMrVg7x2LoKAqYKazRV","fingerprint":"a40e2d5ceaf216f9b58853fadb768446","fingerprint_components":"{\"userAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36\",\"language\":\"en-GB\",\"colorDepth\":24,\"deviceMemory\":8,\"pixelRatio\":1,\"hardwareConcurrency\":8,\"screenResolution\":\"1920;1080\",\"availableScreenResolution\":\"1920;1055\",\"timezoneOffset\":-180,\"timezone\":\"Europe/Helsinki\",\"sessionStorage\":1,\"localStorage\":1,\"indexedDb\":1,\"openDatabase\":1,\"cpuClass\":\"unknown\",\"platform\":\"MacIntel\",\"doNotTrack\":\"unknown\",\"plugins\":[\"PDF Viewer::Portable Document Format::application/pdf~pdf,text/pdf~pdf\",\"Chrome PDF Viewer::Portable Document Format::application/pdf~pdf,text/pdf~pdf\",\"Chromium PDF Viewer::Portable Document Format::application/pdf~pdf,text/pdf~pdf\",\"Microsoft Edge PDF Viewer::Portable Document Format::application/pdf~pdf,text/pdf~pdf\",\"WebKit built-in PDF::Portable Document Format::application/pdf~pdf,text/pdf~pdf\"],\"webglVendorAndRenderer\":\"Google Inc. 
(Intel Inc.)~ANGLE (Intel Inc., Intel(R) Iris(TM) Plus Graphics 655, OpenGL 4.1)\",\"touchSupport\":\"0;false;false\",\"fonts\":\"Andale Mono;Arial;Arial Black;Arial Hebrew;Arial Narrow;Arial Rounded MT Bold;Arial Unicode MS;Comic Sans MS;Courier;Courier New;Geneva;Georgia;Helvetica;Helvetica Neue;Impact;LUCIDA GRANDE;Microsoft Sans Serif;Monaco;Palatino;Tahoma;Times;Times New Roman;Trebuchet MS;Verdana;Wingdings;Wingdings 2;Wingdings 3\",\"fontsFlash\":\"swf object not loaded\",\"audio\":\"124.04347657808103\",\"enumerateDevices\":\"id=;gid=3007fd31cff100a1d168ffd653caa925ea22600897ae852c2fa354da553637f3;audioinput;;id=;gid=a6d9bd323e3f57a4c5196c1bebae0671b520cf8dc9d20be0a91efb549db66c07;videoinput;;id=;gid=3007fd31cff100a1d168ffd653caa925ea22600897ae852c2fa354da553637f3;audiooutput;\"}","connection":"Username-Password-Authentication","email":"{%username%}","password":"{%password%}","grant_type":"password"}</loginbody>
                <loginpageurl>https://login.app.holvi.com</loginpageurl>
            </form>
        </authentication>
        <users>
            <user>395;true;YXl1;5;YXl1c2hyZWVAaG9sdmkuY29t~SG9sdmkhIV8yMDIy~</user>
        </users>
        <forceduser>395</forceduser>
        <session>
            <type>0</type>
        </session>
        <authorization>
            <type>0</type>
            <basic>
                <header/>
                <body/>
                <logic>AND</logic>
                <code>-1</code>
            </basic>
        </authorization>
    </context>
</configuration>



Simon Bennetts

Jun 30, 2022, 10:25:00 AM
to OWASP ZAP User Group

Ayushree Ayushree

Jun 30, 2022, 10:42:48 AM
to zaprox...@googlegroups.com
Hi Simon, 
Thanks for your quick response. This is the error that I see in log file:

2022-06-30 14:36:21,095 [main ] INFO  DaemonBootstrap - OWASP ZAP 2.11.1 started 30/06/2022, 14:36:21 with home /home/zap/.ZAP/
2022-06-30 14:36:21,124 [main ] INFO  AbstractParam - Setting config database.recoverylog = false was null
2022-06-30 14:36:21,125 [main ] INFO  AbstractParam - Setting config api.disablekey = true was null
2022-06-30 14:36:21,125 [main ] INFO  AbstractParam - Setting config api.addrs.addr.name = .* was null
2022-06-30 14:36:21,125 [main ] INFO  AbstractParam - Setting config api.addrs.addr.regex = true was null
2022-06-30 14:36:21,125 [main ] INFO  AbstractParam - Setting config spider.maxDuration = 1 was null

2022-06-30 14:37:35,293 [ZAP-ProxyThread-8] WARN  API - Bad request to API endpoint [/JSON/spider/action/scan/] from [127.0.0.1]:
org.zaproxy.zap.extension.api.ApiException: url_not_in_context

        at org.zaproxy.zap.extension.spider.SpiderAPI.scanURL(SpiderAPI.java:496) ~[zap-2.11.1.jar:2.11.1]
        at org.zaproxy.zap.extension.spider.SpiderAPI.handleApiAction(SpiderAPI.java:244) ~[zap-2.11.1.jar:2.11.1]
        at org.zaproxy.zap.extension.api.API.handleApiRequest(API.java:513) [zap-2.11.1.jar:2.11.1]
        at org.parosproxy.paros.core.proxy.ProxyThread.processHttp(ProxyThread.java:497) [zap-2.11.1.jar:2.11.1]
        at org.parosproxy.paros.core.proxy.ProxyThread.run(ProxyThread.java:333) [zap-2.11.1.jar:2.11.1]
        at java.lang.Thread.run(Thread.java:829) [?:?]

Simon Bennetts

Jun 30, 2022, 10:48:35 AM
to OWASP ZAP User Group
The URL you specify when starting the active scan must be in the context you have specified.
If it's not then you will get this error :)
Solution - expand your context definition to include the URL you want to active scan.

Cheers,

Simon
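
A preflight check for the url_not_in_context error discussed above, written here as an added example (it is not ZAP's own code): it reads the include/exclude regexes from a context file and tests the scan target as a full-regex match, which is how ZAP decides whether a URL is in context. The sample context is constructed, modelled on the one posted earlier in the thread; the assumption that Python's re.fullmatch mirrors Java's Matcher.matches() for these patterns is noted in the code.

```python
import re
import xml.etree.ElementTree as ET

# Constructed minimal ZAP context (sample data, not the poster's full file).
# The include regex is the one from the thread; note it ends in "/" and has
# no wildcard, so it only ever matches that one exact URL.
SAMPLE_CONTEXT = """<configuration>
  <context>
    <name>Context_1</name>
    <inscope>true</inscope>
    <incregexes>https://login.app.holvi.com/</incregexes>
    <excregexes>https://login.app.holvi.com/logout.*</excregexes>
  </context>
</configuration>"""


def context_patterns(context_xml):
    """Return (include, exclude) regex lists from a ZAP context file."""
    ctx = ET.fromstring(context_xml).find("context")
    inc = [e.text for e in ctx.findall("incregexes") if e.text]
    exc = [e.text for e in ctx.findall("excregexes") if e.text]
    return inc, exc


def url_in_context(context_xml, url):
    """A URL is in context when it fully matches an include regex and no
    exclude regex. Assumption: re.fullmatch mirrors Java's Matcher.matches(),
    and the simple patterns used here mean the same in both regex dialects."""
    inc, exc = context_patterns(context_xml)
    included = any(re.fullmatch(p, url) for p in inc)
    excluded = any(re.fullmatch(p, url) for p in exc)
    return included and not excluded


def preflight(context_xml, url):
    """Explain, before the scan is launched, why ZAP would reject the target."""
    if url_in_context(context_xml, url):
        return "ok"
    inc, _ = context_patterns(context_xml)
    widened = [p.rstrip("/") + ".*" for p in inc]
    return ("url_not_in_context: %r fully matches none of %r; "
            "widen the include to e.g. %r" % (url, inc, widened))
```

Run with the target from the thread (https://login.app.holvi.com, no trailing slash) the check fails, and it passes once the include is widened to https://login.app.holvi.com.* while the logout exclude still keeps that path out of scope.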

Ayushree Ayushree

Jul 5, 2022, 11:12:26 AM
to zaprox...@googlegroups.com
Hi Simon,

I ran an active scan against the context in ZAP-GUI.

Authentication runs successfully at the start but the active scan becomes crazily slow and raises Forbidden (403) status.

Afterward, when I then try to log in manually from the web application I’m unable to authenticate, “Unable to authenticate. Please try again”.

Is this behavior normal during an authentication scan?

Regards

Ayushree




kingthorin+owaspzap

Jul 5, 2022, 6:57:56 PM
to OWASP ZAP User Group
Did the account get locked out?
Did the scan hit password change functionality (you should have excluded)?

Ayushree Ayushree

Jul 6, 2022, 3:06:33 AM
to zaprox...@googlegroups.com
Hi,
Yes, the account did get locked out.
No, it didn't hit the password change functionality.
After getting locked out I can log in after 15-20 minutes though. Is it due to exceeding authentication requests while doing the scan?

kingthorin+owaspzap

Jul 6, 2022, 6:26:12 AM
to OWASP ZAP User Group
You tell us, we have no knowledge of the target :)