API scan. Excluding a SOAP element from the scan.


Harvey Korman

Apr 27, 2023, 12:12:30 PM
to OWASP ZAP User Group
Greetings!

I would like to instruct the scan to ignore the password field in the payload, to avoid the account lockout.
Tried to add a parameter (//wsse:Password/text()) to be excluded in the Input Vector tab of the Active Scan editor, but it didn't appear to work.
Lots of online info on the URL exclusion from the scope, but couldn't find the answer to my specific case.
Was wondering if it was possible at all.

Cheers!

kingthorin+owaspzap

Apr 27, 2023, 2:52:07 PM
to OWASP ZAP User Group
Wouldn't password change be associated with a specific URL/endpoint or two? If the app randomly assumes a password param means password change there's different issues ;)

Harvey Korman

Apr 28, 2023, 1:01:05 PM
to OWASP ZAP User Group
I am a bit confused... What I am trying to achieve is to have ZAP not 'fuzz' the password parameter during the scan's execution, just like in the sample below, where the injection string '&zapxxe;' is used during my scan. A few such calls and the account gets locked out, invalidating the results of the scan from that point on.
I would like ZAP to fuzz all elements in the XML payload but skip this one.

Thank you for the quick response!

<wsse:Username>USERNAME_DUMMY</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">&zapxxe;</wsse:Password>

Harvey Korman

Apr 28, 2023, 5:37:19 PM
to OWASP ZAP User Group
And I should have been more specific:
1. Task: To scan a web API of SOAP type using ZAP
2. The web API authenticates requests by looking for a set of credentials for the authorized accounts passed in the security header of the SOAP XML payload
3. The API will lock the account if 5 calls are submitted with incorrect password passed
4. The scan starts
5. At some point during the scan all calls start getting blocked with an HTTP 403 (Not Authorized) response
6. The reason: the account gets locked out due to the scan injecting a payload in the password field. The web API does what it is supposed to, i.e. locking the account after a few unsuccessful login attempts.

The problem: I want to avoid the account lockout by telling ZAP to ignore the password field in my XML SOAP request template.

Cheers!

Simon Bennetts

May 2, 2023, 6:34:10 AM
to OWASP ZAP User Group
Ah, ok.

So you can go to the "Active Scan Input Vectors" Options screen and "Add..." a parameter to ignore:
  • Name: wsse:Password
  • Where: PostData
  • URL: *
Let us know if that works for you - we've tested it locally and it works for us :)

Cheers,

Simon

Harvey Korman

May 2, 2023, 12:08:36 PM
to OWASP ZAP User Group

Thank you so much for the response!

Unfortunately, no dice. I have attached a screenshot that illustrates it.
The screenshot has the full request payload sent by ZAP, along with the Active Scan dialog box, where I had defined the parameter to be ignored prior to executing the scan.

To recap:
I am trying to do a scan of a SOAP web service. The user authentication is done via the header of my XML request, which contains username and password parameters. The service will lock out the user account that sends the XML POST request after a few wrong passwords are used.
My intention is to exclude the password parameter from the scan, i.e. have ZAP ignore that parameter altogether.


The steps:
1. Navigate to the POST SOAP request listed in the Sites tree on the left in ZAP
2. Right click on the request and select Attack>Active Scan
3. In the loaded Active Scan dialog navigate to the Input Vectors tab
4. In the Input Vectors tab click on the Add button at the bottom in order to add a parameter to be ignored by the scanner
5. Define a new parameter for exclusion: URL: *; Where: PostData; Name: wsse:Password
6. Press Start Scan button
7. Let the scan finish
8. Select Active Scan window to see the list of requests submitted by the scan
9. Click on each request to observe the request's payload in the Request & Response pane above
EXPECTED RESULT: None of the requests has original password text altered.
ACTUAL RESULT: A few requests have the original password text replaced with the following injection string: &zapxxe;

Please see the screenshot for all the details.

Best regards!
zap.exclude.par.jpg

Simon Bennetts

May 2, 2023, 12:31:32 PM
to OWASP ZAP User Group
Sorry, we've double checked and the XxeScanRule rule is attacking the whole body, rather than the specific fields.
Right now the easiest option is to disable that scan rule :/

Cheers,

Simon
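The verification in steps 8 and 9 above (clicking through every request the scan sent and checking whether the wsse:Password text was altered) can be automated, and doing so also shows which requests came from a whole-body rule like the XxeScanRule rather than a per-parameter one. The script below is an added example, not code from the thread or from the ZAP project. It assumes the original password value is the placeholder PASSWORD_DUMMY, builds a handful of constructed request bodies in the shape of the thread's WS-Security header (the DOCTYPE in one of them is a benign internal-entity stand-in for the rule's real payload), and treats any DOCTYPE or ENTITY declaration in a body as the signature of the XXE rule. Request bodies from a live scan would come from ZAP's own history (for instance the requestBody field of the core/view/messages API), which is not part of this offline example.

```python
"""Check which requests sent by a ZAP active scan changed the wsse:Password
value (and would therefore count as failed logins), and flag the ones that
carry a DTD declaration, i.e. the XxeScanRule rewriting the whole body."""
import re

# Original password in the template request (constructed placeholder value).
ORIGINAL_PASSWORD = "PASSWORD_DUMMY"

# Text content of the WS-Security Password element, whatever its Type attribute.
# A regex is used deliberately: fuzzed bodies are often not well-formed XML,
# so an XML parser would reject exactly the requests that need inspecting.
PASSWORD_RE = re.compile(r"<wsse:Password\b[^>]*>(.*?)</wsse:Password>", re.DOTALL)

# A DTD or entity declaration in a SOAP request body is the hallmark of the
# XXE rule, which injects into the whole payload rather than one field.
DTD_RE = re.compile(r"<!DOCTYPE\b|<!ENTITY\b", re.IGNORECASE)


def soap_body(password: str, prologue: str = "") -> str:
    """Constructed SOAP request in the shape of the thread's security header."""
    return (
        f'{prologue}<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"\n'
        '  xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">\n'
        "  <soapenv:Header>\n    <wsse:Security>\n      <wsse:UsernameToken>\n"
        "        <wsse:Username>USERNAME_DUMMY</wsse:Username>\n"
        '        <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/'
        f'oasis-200401-wss-username-token-profile-1.0#PasswordText">{password}</wsse:Password>\n'
        "      </wsse:UsernameToken>\n    </wsse:Security>\n  </soapenv:Header>\n"
        "  <soapenv:Body/>\n</soapenv:Envelope>"
    )


# Constructed stand-ins for what a scan's history might contain.
SAMPLE_SENT_BODIES = [
    soap_body(ORIGINAL_PASSWORD),                                          # untouched
    soap_body(ORIGINAL_PASSWORD).replace("USERNAME_DUMMY", "USERNAME_DUMMY'"),  # other field fuzzed
    soap_body("&zapxxe;", prologue='<!DOCTYPE foo [<!ENTITY zapxxe "placeholder">]>\n'),  # XXE rule
    soap_body("PASSWORD_DUMMY<script>"),                                   # password fuzzed directly
]


def password_value(body: str):
    """Return the wsse:Password text of a request body, or None if absent."""
    match = PASSWORD_RE.search(body)
    return match.group(1) if match else None


def inspect_request(body: str, original_password: str = ORIGINAL_PASSWORD) -> dict:
    """Describe one sent request: was the password altered, and does the body
    carry the XXE rule's DTD signature?"""
    value = password_value(body)
    return {
        "password_value": value,
        "password_altered": value != original_password,
        "xxe_rule_signature": bool(DTD_RE.search(body)),
    }


def find_lockout_risks(bodies, original_password: str = ORIGINAL_PASSWORD):
    """Return (index, password sent, came-from-XXE-rule) for every request the
    service would count as a failed login."""
    risks = []
    for index, body in enumerate(bodies):
        info = inspect_request(body, original_password)
        if info["password_altered"]:
            risks.append((index, info["password_value"], info["xxe_rule_signature"]))
    return risks


def would_lock_out(bodies, threshold: int = 5, original_password: str = ORIGINAL_PASSWORD) -> bool:
    """True if the scan sent at least `threshold` wrong passwords, the lockout
    rule described in the thread (5 bad attempts)."""
    return len(find_lockout_risks(bodies, original_password)) >= threshold


if __name__ == "__main__":
    for index, sent, from_xxe in find_lockout_risks(SAMPLE_SENT_BODIES):
        rule = "XxeScanRule (whole body)" if from_xxe else "per-parameter rule"
        print(f"request #{index}: password changed to {sent!r} by {rule}")
    print("lockout expected:", would_lock_out(SAMPLE_SENT_BODIES))
```

Run against the real message history, a non-empty result with the XXE flag set is exactly the case Simon describes: the excluded-parameter entry is honoured by per-parameter rules but not by the XxeScanRule, so disabling that rule (or counting its requests against the lockout threshold before the scan) is what keeps the account usable.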

Harvey Korman

May 2, 2023, 1:39:55 PM
to OWASP ZAP User Group
Thank you, Simon and the team!!