ZEST script not working during login


gowtha...@gmail.com

Apr 21, 2018, 1:42:28 AM
to OWASP ZAP User Group
Hi,

I have a problem running a Zest script to scan an application (SSO-based). I have been unable to use ZAP's functionality to write such a custom script and have opted to use Zest.

What I have ended up with is a custom script-based authentication login. This works when run alone: it fetches tokens from the response and is able to log in as the user mentioned.

However, when loading the script for spidering / active scan it did not work. As a result I am unable to perform an authenticated scan.


Steps executed:
1. Created the Zest script and loaded it as the authentication script.
2. No errors in the script console when replaying the script.
3. Chose target -> Default Context -> under Authentication -> loaded the Zest script (success) -> defined the logged-in/logged-out regexes.
4. Chose spider / active scan -> couldn't find any errors, but the scan doesn't crawl internal pages.

So, how can I know whether the script is running before the scan? I am unable to find any output in the console. Is there anything I am missing?

Any pointers would be really helpful.

References used:



-Gowtham


gowtha...@gmail.com

Apr 25, 2018, 3:01:36 AM
to OWASP ZAP User Group

Any updates please?

thc...@gmail.com

Apr 25, 2018, 4:00:17 AM
to zaprox...@googlegroups.com
Hi.

It should log something like:
INFO org.zaproxy.zap.users.User - Authenticating user: MyUser

Also, the Output tab should show whether the authentication was
successful or not.

Better to enable Forced User mode and access the pages that require
authentication to verify that it's working properly. It might be an
indicator that it's not including all pages.


Best regards.

gowtha...@gmail.com

May 8, 2018, 3:00:28 AM
to OWASP ZAP User Group
Hi,

I was successfully able to configure the same with the Jenkins ZAP plugin. But the problem is, when the script is run in the GUI it works well and follows redirects, but with the Jenkins plugin the script does not run in the intended way.

Console Output:

--------------------------------------------------------------------------------------------------------------------------------
[ZAP Jenkins Plugin] SPIDER SCAN STATUS [ 0% ]
[ZAP Jenkins Plugin] ALERTS COUNT [ 0 ]

8407 [ZAP-SpiderInitThread-0] INFO org.zaproxy.zap.spider.Spider  - Starting spider...
8407 [ZAP-SpiderInitThread-0] INFO org.zaproxy.zap.spider.Spider  - Scan will be performed from the point of view of User: *****@gmail.com
8420 [ZAP-SpiderThreadPool-0-thread-1] INFO org.zaproxy.zap.users.User  - Authenticating user: ******@gmail.com
Response: https://site.com//api/v1/user passed = true code=403

Response: https://site.com//api/login passed = true code=200

Response: https://site.com/oauth/authorize?client_id=2880afb7-d84b-4381-9cc7-2272f495158b&logout_uri=https%253A%252F%252Ftest1.market.com%252Ffreshid%252Flogout&redirect_uri=https%253A%252F%252test1.market.com%252Fid%252Fauthorize_callback&su=true&response_type=code passed = true code=302

Response: https://site.com/oauth/https%253A%252F%252Ftest1.market.com%252Ffreshid%252Fauthorize_callback?code=8sQcob passed = true code=404

Response: https://test1.market.com/ passed = false code=302

[ZAP Jenkins Plugin] SPIDER SCAN STATUS [ 0% ]
[ZAP Jenkins Plugin] ALERTS COUNT [ 0 ]


In ZAP UI:


Thanks

gowtha...@gmail.com

May 9, 2018, 2:25:19 AM
to OWASP ZAP User Group

Any updates please?

gowtha...@gmail.com

May 11, 2018, 7:52:08 AM
to OWASP ZAP User Group

@thc202, can you help?

thc...@gmail.com

May 11, 2018, 8:08:15 AM
to zaprox...@googlegroups.com
Was the script that you tested with the GUI and the one being used in
Jenkins the same?

It seems that the problem is in:
the redirect URL is not being correctly composed and leads to a 404.
Could you check that the Location response header is correct? Is the
script extracting it, or are you letting Zest follow the redirections?

Best regards.

gowtha...@gmail.com

May 22, 2018, 7:41:05 AM
to OWASP ZAP User Group
Hi thc202,

Thank you very much for your reply. I was able to try it and get results, but I am having a few issues.

Response to your question:

It seems that the problem is in:
Response:
https://site.com/oauth/https%253A%252F%252Ftest1.market.com%252Ffreshid%252Fauthorize_callback?code=8sQcob
passed = true code=404

Yes, for this step I have tried to follow redirects by checking the "follow redirects" option in the GUI and saved the script. Running the same script with Jenkins I get "code=400" and "passed=true", and my final requests also get passed. But I am not sure why I am getting the 400 error code when in the GUI it's 200 OK!!

My question is:
Can I use the "follow redirects" option enabled in the GUI, or do I need to manually specify the redirect URL to be fetched from the response and then make a new request? Which will be the appropriate method? Also, the script responses differ between the GUI and the Jenkins plugin, and I am having difficulties understanding this.

Waiting for your help. Thanks again.
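Two things in this thread can be checked offline before touching the Jenkins job again: the 404 that thc202 attributes to a mis-composed redirect URL, and the fact that "passed = true" in the Zest trace only means the assertions attached to that request held (a request with no assertions always passes), so a 403 or 404 step can still be reported as passed. The following Python script is an added example written for this page, not code from the thread, from ZAP or from Zest. It parses the "Response: ... passed = ... code=..." lines from the console output quoted above (reconstructed here with the client_id shortened and a consistent redirect_uri; both are assumptions), lists the steps that passed although the server answered 4xx, and shows what a redirect-following client does with a Location header whose value is a percent-encoded absolute URL. That Location value is an assumption: the thread never shows the actual header, only the 404 URL it produced.

```python
"""Offline checks for a Zest authentication script's console trace (added example)."""
import re
from urllib.parse import parse_qs, unquote, urljoin, urlsplit

# Constructed sample: the "Response:" lines from the Jenkins console output quoted
# in this thread, with client_id shortened and a consistent (assumed) redirect_uri.
CONSOLE_OUTPUT = """\
Response: https://site.com//api/v1/user passed = true code=403
Response: https://site.com//api/login passed = true code=200
Response: https://site.com/oauth/authorize?client_id=2880afb7&redirect_uri=https%253A%252F%252Ftest1.market.com%252Fid%252Fauthorize_callback&response_type=code passed = true code=302
Response: https://site.com/oauth/https%253A%252F%252Ftest1.market.com%252Fid%252Fauthorize_callback?code=8sQcob passed = true code=404
Response: https://test1.market.com/ passed = false code=302
"""

STEP_RE = re.compile(r"^Response: (?P<url>\S+) passed = (?P<passed>true|false) code=(?P<code>\d+)$")
ABSOLUTE_RE = re.compile(r"^https?://", re.IGNORECASE)


def parse_steps(console: str) -> list:
    """Turn each 'Response: <url> passed = <bool> code=<n>' line into a dict."""
    steps = []
    for line in console.splitlines():
        m = STEP_RE.match(line.strip())
        if m:
            steps.append({"url": m["url"], "passed": m["passed"] == "true", "code": int(m["code"])})
    return steps


def suspicious_steps(steps: list) -> list:
    """Steps Zest marked as passed although the server answered 4xx/5xx.

    'passed' only says the assertions attached to that Zest request held, and a
    request with no assertions always passes, so these are where to look first."""
    return [s for s in steps if s["passed"] and s["code"] >= 400]


def resolve_redirect(request_url: str, location: str) -> dict:
    """What a redirect-following client requests for a given Location header.

    Returns the URL the client would fetch ('followed'), the URL the server
    presumably meant ('intended') and a 'problem' string when they differ because
    the Location is a percent-encoded absolute URL, which RFC 3986 reference
    resolution treats as a relative path under the current directory."""
    followed = urljoin(request_url, location)
    if ABSOLUTE_RE.match(location):
        return {"followed": followed, "intended": location, "problem": None}
    decoded = location
    for _ in range(2):  # the thread's redirect_uri is double-encoded (%253A -> %3A -> :)
        decoded = unquote(decoded)
        if ABSOLUTE_RE.match(decoded):
            return {"followed": followed, "intended": decoded,
                    "problem": "Location is a percent-encoded absolute URL; it resolves as a relative path"}
    return {"followed": followed, "intended": followed, "problem": None}


def redirect_uri_from_authorize(url: str):
    """Extract redirect_uri from an /oauth/authorize request, decoding a second time
    when the client sent it double-encoded (parse_qs already decodes once)."""
    values = parse_qs(urlsplit(url).query).get("redirect_uri")
    if not values:
        return None
    value = values[0]
    return value if ABSOLUTE_RE.match(value) else unquote(value)


def report(console: str) -> list:
    """Findings for a console trace, returned as lines so they can be asserted on."""
    steps = parse_steps(console)
    lines = [f"{len(steps)} Zest requests found"]
    for s in suspicious_steps(steps):
        lines.append(f"passed=true but HTTP {s['code']}: {s['url']} (add a status-code assertion)")
    for prev, cur in zip(steps, steps[1:]):
        if prev["code"] in (301, 302, 303, 307, 308) and cur["code"] == 404:
            lines.append(f"redirect from {prev['url']} led to 404 at {cur['url']}; check the Location header")
    return lines


if __name__ == "__main__":
    for line in report(CONSOLE_OUTPUT):
        print(line)
    # Assumed Location header value for the 302 from /oauth/authorize (not shown in the thread).
    r = resolve_redirect(parse_steps(CONSOLE_OUTPUT)[2]["url"],
                         "https%253A%252F%252Ftest1.market.com%252Fid%252Fauthorize_callback?code=8sQcob")
    print(r)
```

If resolve_redirect reports a problem for the Location returned by /oauth/authorize, letting Zest follow redirects will reproduce the 404 on every run; the script should instead extract the Location header, decode it (twice, when the redirect_uri was sent double-encoded as in the authorize request above), and issue the next request against the decoded URL. Independently of that, attach a status-code assertion to each Zest request so that "passed" in the trace means the step actually succeeded.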