How to add custom header when authenticated?


codemonkey

Jan 22, 2016, 11:50:25 PM
to OWASP ZAP User Group
Hi,

I'm new to ZAP and am trying to figure out how to configure authentication. The application I'm testing works as follows:

1. Upon successful authentication, a JSON object containing a 'sessionKey' token is returned.
2. Subsequent requests to the application must include a header named 'x-session-key' with the returned token for the value.

How can I set this up?

Note that I am already using an ECMAScript script for authentication. I modified the 'BodgeIt Store Authentication.js' script to handle the POST, and I know how to extract the returned sessionKey value from the response. I just need to know how to tell ZAP to add the custom header and value on subsequent requests.

Thanks!

Chris


Message has been deleted

kingthorin+owaspzap

Jan 23, 2016, 5:59:44 AM
to OWASP ZAP User Group

codemonkey

Jan 23, 2016, 11:38:47 AM
to OWASP ZAP User Group

Perfect, that's just what I need!

One question - is there some way that the authentication script can store the session key so the proxy script can retrieve it later? Of course, I could use the filesystem for that, but is there a better way?

Thanks again, Chris

codemonkey

Jan 23, 2016, 1:04:02 PM
to OWASP ZAP User Group

Oh, I think I just found the answer here - https://groups.google.com/forum/#!topic/zaproxy-scripts/vGYveIBQODw. Cool.

I feel like I've somehow missed a reference doc somewhere. Should I be reading the ZAP source code, or is this sort of thing published in another form somewhere?

kingthorin+owaspzap

Jan 23, 2016, 1:50:33 PM
to OWASP ZAP User Group
Docs are something we always seem to need work on. Most of it is wiki'fied. You can always check:
https://github.com/zaproxy/zaproxy/wiki
https://github.com/zaproxy/zap-extensions/wiki
https://github.com/zaproxy/zap-core-help/wiki

We're also happy to accept contributions. Tutorials. Videos. Blogposts. You get the idea...

codemonkey

Jan 24, 2016, 12:46:50 AM
to OWASP ZAP User Group
Hmm, seems my proxy script is only being called for requests being proxied through ZAP. That is, it's not being called when ZAP is spidering or active scanning.

Is that expected? Is there something else I need to do to get ZAP to handle this style of authentication *during* a scan?

------

I have another question, if you don't mind...I want to use the authentication script for various hosts and so I don't want to embed a specific hostname/ip in it. In the authenticate() function, how can I change the line below to reference the current target host rather than the hardcoded value (10.1.2.3)?

    requestUri = new URI("http://10.1.2.3/myapp/login.jsp", false);

Chris

kingthorin+owaspzap

Jan 24, 2016, 5:58:43 AM
to OWASP ZAP User Group
You probably need to use an httpsender script if you want coverage of all traffic.

For your second question I'm not 100% sure. Likely doable but may require trial and error.

Simon Bennetts

Jan 25, 2016, 4:28:48 AM
to OWASP ZAP User Group
We definitely need to improve our docs ;)
However I'd recommend always looking in the ZAP User Guide first - this is included with ZAP and accessible from the menus, toolbar and F1 key.
It's also available online here: https://github.com/zaproxy/zap-core-help/wiki
The online version is generated from the same source files - we include the help with ZAP for users who can't access the internet (not at all uncommon for pentesters 'onsite') and the online version so we can link to it.

In this particular case the global variables are documented under the 'Scripts' addon: https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsScriptsScripts#global-variables
You can search the local help for any terms you need to look up, but you do need to guess the right terms ;)

Cheers,

Simon
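An added example, not from this thread or the ZAP project, that combines kingthorin's httpsender suggestion with the global variables Simon points to: an HttpSender script that captures 'sessionKey' from the login JSON response and adds the 'x-session-key' header to every request ZAP sends, including spider and active-scan traffic. The ScriptVars global-variable names, the host-scoping rule and the sample bodies are assumptions made for this example; the hook names and ScriptVars calls are ZAP's scripting API.

```javascript
// ZAP HttpSender script (ECMAScript). ZAP calls sendingRequest()/responseReceived()
// for all traffic it sends (proxy, spider, active scan), unlike a proxy script.
// The pure helpers run anywhere; the hooks use ZAP's Java API and only run inside ZAP.
var SESSION_VAR = "sessionKey";      // assumed ScriptVars global-variable name
var HOST_VAR = "sessionKeyHost";     // assumed: host that issued the key
var HEADER = "x-session-key";        // header name from the original question

// Pull 'sessionKey' out of a login JSON body; null if absent, empty or malformed.
function extractSessionKey(body) {
  try {
    var obj = JSON.parse(body);
    if (obj && typeof obj.sessionKey === "string" && obj.sessionKey.length > 0) {
      return obj.sessionKey;
    }
  } catch (e) { /* not JSON, so not the login response */ }
  return null;
}

// Only attach the key to the host that issued it, so a scan that follows a link
// to some other host does not leak the session token there (assumed policy).
function shouldAttach(requestHost, issuingHost) {
  if (requestHost == null || issuingHost == null) return false; // == null also covers undefined
  var issuer = String(issuingHost).toLowerCase();
  return issuer.length > 0 && String(requestHost).toLowerCase() === issuer;
}

function scriptVars() { // ZAP's global variable store, available only inside ZAP
  return Java.type("org.zaproxy.zap.extension.script.ScriptVars");
}

// Called by ZAP before each request is sent: add the header if we hold a key.
function sendingRequest(msg, initiator, helper) {
  var key = scriptVars().getGlobalVar(SESSION_VAR);
  var host = msg.getRequestHeader().getHostName();
  if (key !== null && shouldAttach(host, scriptVars().getGlobalVar(HOST_VAR))) {
    msg.getRequestHeader().setHeader(HEADER, key);
  }
}

// Called by ZAP after each response: capture a fresh key from the login reply.
// The authentication script's own login request passes through here as well.
function responseReceived(msg, initiator, helper) {
  var key = extractSessionKey(msg.getResponseBody().toString());
  if (key !== null) {
    scriptVars().setGlobalVar(SESSION_VAR, key);
    scriptVars().setGlobalVar(HOST_VAR, msg.getRequestHeader().getHostName());
  }
}
```

Load it under the "httpsender" script type in ZAP and enable it; the authentication script can also call setGlobalVar itself after extracting the key, which this script then picks up.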

codemonkey

Jan 25, 2016, 2:51:06 PM
to OWASP ZAP User Group

Well, I'm happy to report I have a working solution now - thanks for holding my hand. :-)

The solution turns out to be really simple - see the attached files.

I did go way deep into the weeds trying to get there, however. To send my JSON data, I had to study the following files before discovering that all that I needed to do was set the Content-type header.

    org/apache/commons/httpclient/HttpMethodBase.java
    org/parosproxy/paros/network/HttpMessage.java
    org/parosproxy/paros/network/HttpMethodHelper.java
    org/parosproxy/paros/network/HttpRequestHeader.java
    org/zaproxy/zap/network/HttpRequestBody.java
    org/zaproxy/zap/network/ZapPostMethod.java

Chris
Attachments: add-sessionid.js, authentication.js