Problem with running Zest login script


Michal Kraus

Jan 12, 2018, 7:09:30 AM
to OWASP ZAP User Group
Hello,

after updating to ZAP 2.7.0 my authentication script that was working correctly on ZAP 2.6.0 stopped running. Can someone tell me what has changed in version 2.7.0?
Below you can see screen shots from both versions, one running correctly and one failing.


thc...@gmail.com

Jan 12, 2018, 8:33:45 AM
to zaprox...@googlegroups.com
Hi.

Which version of Zest add-on were you using with ZAP 2.6.0?

Is the authentication failing because of the cookies? (I guess the last
redirection is back to login page?)

Best regards.
> <https://lh3.googleusercontent.com/-T7Q7eZgcw_s/WlilOqnGl9I/AAAAAAAADjw/SbEL7uDr6ykF77z052YA_wqMC54v9SQZQCLcBGAs/s1600/zap_2.6.0.png>
> <https://lh3.googleusercontent.com/-iUPe_MIkjTI/WlilT7cKcNI/AAAAAAAADj0/gALY-DcD6oIeqK0A2vWl2sBvYKyGpbinQCLcBGAs/s1600/zap_2.7.0.png>
>

Michal Kraus

Jan 12, 2018, 9:17:30 AM
to OWASP ZAP User Group
Hi,

for ZAP 2.6.0 i was using Zest in version 25.

I was also suspecting that it might fail because of a missing cookie (when login fails, redirection is done to the login page), but I can't figure out why it was working fine with version 2.6.0 and not working with 2.7.0.

thc...@gmail.com

Jan 12, 2018, 9:42:13 AM
to zaprox...@googlegroups.com
OK, could you try 2.7.0 with Zest v25 to see if it works? (Just to discard
any changes in the Zest add-on.)

There were some cookie related changes in 2.7.0 that might be causing
this (unexpectedly).

Best regards.

Michal Kraus

Jan 15, 2018, 4:19:53 AM
to OWASP ZAP User Group
Unfortunately ZAP 2.7.0 is installed with Zest 26, and after installing it, I can't install v25.

thc...@gmail.com

Jan 15, 2018, 4:45:02 AM
to zaprox...@googlegroups.com
Right, you need to remove the old version first (either through the
Manage Add-ons dialogue [1] or "manually" by (re)moving the add-on file
from the installation "plugin" dir).

[1] https://github.com/zaproxy/zap-core-help/wiki/HelpUiDialogsManageaddons

Best regards.

Michal Kraus

Jan 15, 2018, 5:11:59 AM
to OWASP ZAP User Group
OK, I have checked ZAP 2.7.0 both with Zest v25 and v24, and the problem also occurs.

thc...@gmail.com

Jan 15, 2018, 6:12:02 AM
to zaprox...@googlegroups.com
Thanks! So a change in ZAP (core) broke that. I guess the changes done for:
https://github.com/zaproxy/zaproxy/issues/4079

(That's one that touches the cookies.)

Would you be available to try a zap.jar with that reverted?

Best regards.

Michal Kraus

Jan 16, 2018, 2:26:10 AM
to OWASP ZAP User Group
Yes, I can try a zap.jar with reverted change for this one.

thc...@gmail.com

Jan 16, 2018, 6:20:31 AM
to zaprox...@googlegroups.com
Great, attached the zap.jar (zap-2.7.0.jar) into:
https://github.com/thc202/zaproxy/releases/tag/issue-cookies-zest

It can replace the existing one; it's built after tag 2.7.0 but
without that change.

Best regards.

Michal Kraus

Jan 18, 2018, 9:41:21 AM
to OWASP ZAP User Group
Sorry for not responding earlier.

Unfortunately I was not able to run this version of ZAP. When trying to run it in the Windows command line I get:

thc...@gmail.com

Jan 18, 2018, 9:48:42 AM
to zaprox...@googlegroups.com
No worries.

You need to copy the JAR into an existing ZAP (2.7.0) install dir (to
pick the libraries and other required files).

Best regards.
> <https://lh3.googleusercontent.com/-P78Tn7rOAFg/WmCxthgEdKI/AAAAAAAADkI/LdK8HyMBi2Q886Cw7nHZ8F_XrdL-xsttwCLcBGAs/s1600/ZAP_instal_problem.png>
>

Michal Kraus

Jan 18, 2018, 10:02:03 AM
to OWASP ZAP User Group
OK, now I was able to run this version and then run my authentication script with no errors.


thc...@gmail.com

Jan 18, 2018, 10:47:07 AM
to zaprox...@googlegroups.com
Thanks! Let me know if the following zap.jar works fine too:
https://github.com/thc202/zaproxy/releases/tag/issue-cookies-zest-2

This zap.jar has the same cookie behaviour as 2.7.0 but also forces the
cookies onto the same Cookie header.

Best regards.

On 18/01/18 15:02, Michal Kraus wrote:
> Ok, now I was able to run this version and then run my authentication
> script with no errors.
> <https://lh3.googleusercontent.com/-BcA_BHdkcL0/WmC23fwknOI/AAAAAAAADkY/6XyWkQQ4YYcFMz_BPP0OwCIMSwOPTaJ4wCLcBGAs/s1600/2.png>
>

Michal Kraus

Jan 19, 2018, 4:15:59 AM
to OWASP ZAP User Group
Unfortunately this has failed.

thc...@gmail.com

Jan 19, 2018, 6:12:34 AM
to zaprox...@googlegroups.com
OK, thanks for trying that!

Were the cookies sent in one Cookie header? If they were, do you know
if/why the target site rejected them?

If they were not sent, that's an issue with the latest changes, which is
now addressed:
https://github.com/thc202/zaproxy/releases/tag/issue-cookies-zest-3

Best regards.
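The question above (whether the cookies went out in one Cookie header or several) is one you can answer from a raw request captured in ZAP's History tab without any debugger. The following script is an added example, not ZAP code and not from the poster's site: it parses a raw HTTP/1.1 request, counts the Cookie header fields, and rebuilds the request so all cookie-pairs sit in a single header joined with "; ", which is what RFC 6265 section 5.4 requires of a user agent (and why Cookie is excluded from the usual header-merging rule in RFC 7230 section 3.2.2, so a server is free to reject or ignore the second header). The two sample requests are constructed for the example; the session and token cookie names are assumptions.

```python
"""Diagnose and normalise multiple Cookie headers in a raw HTTP/1.1 request.

Added example for the ZAP cookie-handling discussion; not ZAP's own code.
"""
from typing import Dict, List, Tuple

# Constructed sample requests (cookie names are assumptions, not captured data).
# The first is the shape a client produces when it emits one Cookie header
# per cookie; the second is the RFC 6265 shape with a single Cookie header.
SPLIT_COOKIES_REQUEST = (
    b"GET /account HTTP/1.1\r\n"
    b"Host: app.example.test\r\n"
    b"Cookie: JSESSIONID=abc123\r\n"
    b"Cookie: XSRF-TOKEN=tok456\r\n"
    b"User-Agent: example\r\n"
    b"\r\n"
)

SINGLE_COOKIE_REQUEST = (
    b"GET /account HTTP/1.1\r\n"
    b"Host: app.example.test\r\n"
    b"Cookie: JSESSIONID=abc123; XSRF-TOKEN=tok456\r\n"
    b"User-Agent: example\r\n"
    b"\r\n"
)


def parse_request(raw: bytes) -> Tuple[str, List[Tuple[str, str]], bytes]:
    """Split a raw request into (request line, ordered header list, body).

    Header names keep their original spelling; comparison is done
    case-insensitively by the callers. Only the first blank line ends the
    header block, so a body containing CRLFCRLF is left untouched.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def cookie_pairs(headers: List[Tuple[str, str]]) -> List[str]:
    """Collect every cookie-pair from every Cookie header, preserving order."""
    pairs: List[str] = []
    for name, value in headers:
        if name.lower() != "cookie":
            continue
        for pair in value.split(";"):
            pair = pair.strip()
            if pair:
                pairs.append(pair)
    return pairs


def diagnose(raw: bytes) -> Dict[str, object]:
    """Report how many Cookie header fields the request carries.

    A compliant user agent sends at most one; more than one is the
    condition asked about in the thread and is worth checking before
    blaming the target site for rejecting the session.
    """
    _, headers, _ = parse_request(raw)
    count = sum(1 for name, _ in headers if name.lower() == "cookie")
    return {
        "cookie_header_count": count,
        "cookie_pairs": cookie_pairs(headers),
        "single_header": count <= 1,
    }


def normalize_request(raw: bytes) -> bytes:
    """Rebuild the request with exactly one Cookie header.

    The merged header is placed where the first Cookie header was; all
    other headers keep their position and spelling.
    """
    request_line, headers, body = parse_request(raw)
    pairs = cookie_pairs(headers)
    out = [request_line]
    cookie_emitted = False
    for name, value in headers:
        if name.lower() == "cookie":
            if not cookie_emitted:
                out.append("Cookie: " + "; ".join(pairs))
                cookie_emitted = True
            continue
        out.append(f"{name}: {value}")
    return ("\r\n".join(out) + "\r\n\r\n").encode("latin-1") + body


if __name__ == "__main__":
    print(diagnose(SPLIT_COOKIES_REQUEST))
    print(normalize_request(SPLIT_COOKIES_REQUEST).decode("latin-1"))
```

To apply it to a real capture, save the request from ZAP's History tab to a file and pass its bytes to `diagnose`; if `cookie_header_count` is greater than 1 and the site still rejects the session after normalising, the problem lies in the cookie values themselves (scope, expiry, a missing Set-Cookie on the login response), not in how ZAP serialised the header.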

4129...@qq.com

Feb 8, 2018, 8:45:09 PM
to OWASP ZAP User Group
I used this jar, and the multiple-cookie problem is fixed.
https://github.com/thc202/zaproxy/releases/tag/issue-cookies-zest-3

But it affected my normal functionality even when I didn't use Zest.
My test site has many cookies.


On Friday, January 19, 2018 at 7:12:34 PM UTC+8, thc202 wrote:

werkem...@gmail.com

Feb 20, 2018, 7:02:00 AM
to OWASP ZAP User Group
I have a Zest authentication script that does work in ZAP 2.6.0 and not in ZAP 2.7.0. I tried:

and in that version the authentication also works.

I also tried the weekly build, but there the authentication does not work.

When is the authentication fix in your version above going to be part of the ZAP releases?

On Friday, 19 January 2018 12:12:34 UTC+1, thc202 wrote:

kingthorin+owaspzap

Feb 20, 2018, 10:51:04 AM
to OWASP ZAP User Group
Please stop posting the same thing in multiple places. This is currently the 3rd or 4th thread where you've brought up the same issue. Harping on people and polluting other people's threads does not encourage anyone to help you.