ZAP proxy not recording authentication


Taro Fukunaga

Jul 30, 2013, 5:47:59 PM
to zaprox...@googlegroups.com
I'm a first time ZAP user. I first started running pen tests using the Quick Start tab and found a bunch of vulnerabilities. However, my web app requires (basic) authentication, so after further investigation, decided that I should use the proxy server to record web traffic so I can get more results. However, the problem is that ZAP only records the first page of the webapp. It doesn't seem to capture anything like username and password, and anything else I clicked on after I successfully logged in.

I'm accessing the remote web app from a Linux client running Firefox.

Thanks for any help.

Taro

Santosh

Jul 31, 2013, 12:52:40 AM
to zaprox...@googlegroups.com
You need to add auth details in Tools->Options->Authentication. Then ZAP will automatically do the authentication for all the scans.

Thanks,
Santosh

Taro Fukunaga

Jul 31, 2013, 1:58:51 PM
to zaprox...@googlegroups.com
Hi Santosh,

I forgot to add that I do have host authentication defined in ZAP. Since the web app is using HTTPS I also set the port here.

As an experiment, I tried using bad username/password combos, but this didn't change the result. Therefore I think ZAP wasn't able to even try logging in.

Taro

Simon Bennetts

Aug 1, 2013, 4:13:11 AM
to zaprox...@googlegroups.com
Hi Taro,

The Quick Start tab doesn't perform any authentication, so you are right to explore your app via the proxy.
I'm surprised that ZAP is not capturing anything after you log in - that implies there's something wrong with your setup, as ZAP is designed to work in this way.

Just to check, it sounds like you are doing the following:
  1. Configuring your browser to proxy via ZAP
  2. Accessing the login page via your browser
  3. You then see the login page in ZAP
  4. Logging in via your browser
  5. You then _don't_ see the authenticated pages in ZAP

Is that right?

Is the last request you see in the History tab the login request?

Cheers,

Simon

Taro Fukunaga

Aug 1, 2013, 2:40:46 PM
to zaprox...@googlegroups.com
On Thursday, August 1, 2013 1:13:11 AM UTC-7, Simon Bennetts wrote:
Hi Taro,

The Quick Start tab doesn't perform any authentication, so you are right to explore your app via the proxy.
I'm surprised that ZAP is not capturing anything after you log in - that implies there's something wrong with your setup, as ZAP is designed to work in this way.

Just to check, it sounds like you are doing the following:
  1. Configuring your browser to proxy via ZAP
  2. Accessing the login page via your browser
  3. You then see the login page in ZAP
  4. Logging in via your browser
  5. You then _don't_ see the authenticated pages in ZAP

Is that right?

1-5 are correct.

Is the last request you see in the History tab the login request?

I just see the first GET request for the web app, nothing more. I configured ZAP to accept all certificates since I'm going through https. Once I'm authenticated, I try clicking around the UI of the webapp, but nothing gets recorded. If I go to another unrelated website, then I start seeing requests in ZAP.

BTW my initial request is a 302, meaning http is redirected to https. If I use the https URL directly, then I don't see anything in ZAP, so I'm using http and letting the webapp redirect.

Taro

Simon Bennetts

Aug 2, 2013, 4:08:18 AM
to zaprox...@googlegroups.com
But you can still use the web app?
ZAP will record everything that passes through it, including https traffic.
Have you configured your browser manually or are you using an add-on like Foxy Proxy?
Have you defined any contexts?

It sounds like https traffic is not being proxied through ZAP.
You can test this by closing ZAP down - if you can still navigate around https sites then you're not using ZAP for them.

Cheers,

Simon
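The symptom Simon describes (HTTP requests appear in ZAP, HTTPS requests never do) is exactly what a Firefox manual proxy configuration produces when only the HTTP proxy points at ZAP and the SSL proxy field is left empty. The following script is an added example, not from the thread or the ZAP project: it reads Firefox's prefs.js format and reports which proxy settings would keep HTTPS traffic away from ZAP. It assumes ZAP is listening on 127.0.0.1:8080 (the ZAP default; the thread does not state the port), and the prefs excerpt is constructed to reproduce the misconfiguration.

```python
import re

# Constructed prefs.js excerpt (not from the thread): the HTTP proxy points at
# ZAP, but no SSL proxy is set, so HTTPS requests go straight to the server
# and never show up in ZAP's History tab.
SAMPLE_PREFS = """\
user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 8080);
user_pref("network.proxy.ssl", "");
user_pref("network.proxy.ssl_port", 0);
user_pref("network.proxy.no_proxies_on", "localhost, 127.0.0.1");
"""

# One user_pref(...) line: key, then a quoted string, an integer or a boolean.
PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*("([^"]*)"|(\d+)|true|false)\);')


def parse_prefs(text):
    """Parse prefs.js text into a dict of key -> str | int | bool."""
    prefs = {}
    for m in PREF_RE.finditer(text):
        key, raw, string_val, int_val = m.group(1), m.group(2), m.group(3), m.group(4)
        if string_val is not None:
            prefs[key] = string_val
        elif int_val is not None:
            prefs[key] = int(int_val)
        else:
            prefs[key] = raw == "true"
    return prefs


def check_zap_proxy(prefs, zap_host="127.0.0.1", zap_port=8080):
    """Return the list of settings that would stop ZAP from seeing HTTP or HTTPS traffic."""
    problems = []
    # network.proxy.type 1 is "manual proxy configuration"; anything else ignores the host/port prefs.
    if prefs.get("network.proxy.type") != 1:
        problems.append("manual proxy configuration is not enabled (network.proxy.type != 1)")
    # Both the HTTP and the SSL (HTTPS) proxy must point at ZAP, otherwise one scheme bypasses it.
    for scheme in ("http", "ssl"):
        host = prefs.get(f"network.proxy.{scheme}", "")
        port = prefs.get(f"network.proxy.{scheme}_port", 0)
        if (host, port) != (zap_host, zap_port):
            problems.append(f"{scheme} proxy is {host!r}:{port}, expected {zap_host}:{zap_port}")
    return problems


if __name__ == "__main__":
    for problem in check_zap_proxy(parse_prefs(SAMPLE_PREFS)):
        print("-", problem)
```

Run it against `~/.mozilla/firefox/<profile>/prefs.js` (with Firefox closed, so the file is current) to confirm whether the SSL proxy entry is the one that is missing.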