Active scan not following redirects?


werkem...@gmail.com

Dec 22, 2017, 5:16:32 AM
to OWASP ZAP User Group
I noticed that during an active scan, redirects are not followed, because if I resend the message manually, I can choose 'redirect' and I get a different response than during the active scan. During the active scan I get 302, while manually I get 'OK'.

How can I make sure that the active scan follows redirects?

thc...@gmail.com

Dec 22, 2017, 5:34:47 AM
to zaprox...@googlegroups.com
Hi.

That depends on the active scanner; some follow redirects, some don't
(based on their own scan logic). Is that causing false positives/negatives?

Best regards.

werkem...@gmail.com

Dec 22, 2017, 5:44:04 AM
to OWASP ZAP User Group
I am not sure yet if it is causing false results. However, it causes pages not to load. So what I mean is, when I do the request manually with following redirects, I get the whole page back as it should be, with status 200 OK. With the active scan I get only a 302 and something like 'object moved to here'. I can imagine that this can cause false results, as it does not see the entire page as it is in reality?



On Friday 22 December 2017 11:16:32 UTC+1, werkem...@gmail.com wrote:

Khoa Tran

Apr 9, 2018, 7:25:50 AM
to OWASP ZAP User Group
Hi,

I am facing this exact issue: there are many redirect responses with HTTP code 302. So I am afraid that ZAP cannot test the security of the actual content page.

302
<html><body>You are being <a href="https://sample.com">redirected</a>.</body></html>

How did you work around on this in your case last time?

Thanks


On Friday, 22 December 2017 at 17:44:04 UTC+7, werkem...@gmail.com wrote:

benjam...@csra.com

Jun 25, 2018, 5:38:47 PM
to OWASP ZAP User Group
We are experiencing the same issue. I believe there is probably a ZAP solution for the issue.

I have basic authentication with session cookies. The GUI is used and the context is set up as shown in this ZAP tutorial https://www.youtube.com/watch?v=cR4gw-cPZOA. However, the response type is 302 and the page is not returned.

Please provide guidance.

Div Cache

Oct 31, 2023, 3:28:28 AM
to ZAP User Group
Hi Team,
May I please seek your kind urgent help. When spidering, ZAP does not follow the redirect (303); even with an authenticated scan it would not follow the redirect (303). However, with the manual request editor it does follow, thanks to the green loop arrow button. Is there any setting that I can apply to cause the ZAP Spider to follow the redirect? The idea is to spider all the pages with an authenticated scan, but since the ZAP Spider is not following the redirect, it is unable to spider those pages that need a successful login. Please advise. Much appreciated.

Zap-Help4.JPG
Zap-Help5.JPG
Zap-Help3.JPG
Zap-Help1.JPG

Simon Bennetts

Oct 31, 2023, 5:09:03 AM
to ZAP User Group
If a conversation is over 5 years old then start a new one ;)

In any case - how have you configured authentication and how are you running the spider?

Cheers,

Simon

Div Cache

Oct 31, 2023, 6:01:47 AM
to ZAP User Group
Hi Simon,

Thanks for your prompt response. I configured authentication via setting up a context as shown in the attached screenshot. If I remember correctly, the previous version had a Follow Redirect check box in the Spider --> Show Advanced Options, but now it seems gone. I also noticed this in the ZAP code in git; I suspect it may be due to this. But by restricting the spider not to follow redirects, in my opinion it is defeating the purpose of an authenticated scan, whereby you supply the credentials to ZAP so that it can spider the website unhindered by the login page.

    httpSender.setUseGlobalState(
            httpSender.isGlobalStateEnabled() || !spiderParam.isAcceptCookies());

    // Do not follow redirections because the request is not updated, the redirections will be
    // handled manually.
    httpSender.setFollowRedirect(false);

Thanks so much
Zap-Help2.JPG

Simon Bennetts

Oct 31, 2023, 7:19:12 AM
to ZAP User Group
Don't jump to conclusions ;)
And please try to answer all of the questions we ask - we often ask specific questions for very deliberate reasons.
I have various suspicions as to why it's not working for you, but I don't want to jump to conclusions either :P

So .. how are you running the spider?
Details please - details are important..

Cheers,

Simon

Div Cache

Oct 31, 2023, 8:24:38 AM
to ZAP User Group
:D Guilty as charged. Truly appreciate you taking the time to help. Please find attached the step by step I used. Hope this can throw some light.
Untitled document.pdf

Simon Bennetts

Oct 31, 2023, 8:32:13 AM
to ZAP User Group
Thanks - that makes things clearer.

First of all, turn off Forced User Mode.
That should not be used with authenticated scans, we should probably disable it if you try to use the 2 together.

Next check the Output panel - can you see messages about authentication?

Cheers,

Simon

Div Cache

Oct 31, 2023, 8:58:05 AM
to ZAP User Group
Thanks! I did as suggested. Please review the attached screenshot. The output states "Authentication Successful", but the Request still indicates ZAP / ZAP as username and password even though I used user / user, and the Response still indicates 302. I guess the Request & Response are not reflecting the successful authentication transaction.
Zap-Help6.JPG

Simon Bennetts

Oct 31, 2023, 9:02:41 AM
to ZAP User Group
The answer is in the output tab: "No indicators have been set for identifying authentication".
You haven't told ZAP how to work out if it is authenticated or not.

Cheers,

Simon

Div Cache

Oct 31, 2023, 11:46:32 AM
to ZAP User Group
Yes, however I would only get that indicator via the Response, but unfortunately ZAP is not following the redirect; as you can see, ZAP is stuck with the 302 response. In the previous version, ZAP used to follow the redirect and I was able to use the failed login response as a logged-out indicator, as shown in the attached screenshots.
Zap-Help8.JPG
Zap-Help7.JPG

thc...@gmail.com

Oct 31, 2023, 12:05:06 PM
to zaprox...@googlegroups.com
Which ZAP version?

When checking the response you always need to take redirections into
account; not all components of ZAP (e.g. scan rules) will follow
redirects by default, so you will still need to know whether you are
authenticated or not.

If you check the FAQ entry for DVWA you will notice that it checks the
redirects as well (e.g. Location header).
https://www.zaproxy.org/faq/details/setting-up-zap-to-test-dvwa/


Best regards.
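To make the point above concrete, here is an added example (not ZAP code and not from anyone in this thread) that classifies a login state from a raw HTTP response with logged-in / logged-out regexes in the style of ZAP's context indicators, and resolves 3xx hops by hand the way the spider comment describes. It assumes constructed sample responses for a hypothetical app.example.test and assumed indicator regexes; the logged-out regex deliberately matches the Location header, so a bare 302 to the login form is recognised without following it.

```python
import re
from urllib.parse import urljoin

# Constructed sample exchange (not captured from any real site): an anonymous
# request to /admin gets a 302 to the login form; an authenticated one gets the page.
SAMPLE_RESPONSES = {
    "https://app.example.test/admin":
        "HTTP/1.1 302 Found\r\nLocation: /login.php\r\nContent-Type: text/html\r\n\r\n"
        '<html><body>You are being <a href="/login.php">redirected</a>.</body></html>',
    "https://app.example.test/login.php":
        "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
        '<form action="login.php"><input name="username"><input name="password"></form>',
    "https://app.example.test/admin?session=ok":
        "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
        '<html><body>Welcome back. <a href="logout.php">Logout</a></body></html>',
}

# Assumed indicators in the style of ZAP's context authentication settings: the
# logged-out regex matches the Location header as well as the login form body.
LOGGED_IN_RE = re.compile(r'href="logout\.php"', re.I)
LOGGED_OUT_RE = re.compile(r'(^Location:.*login\.php|<form action="login\.php")', re.I | re.M)


def split_response(raw):
    """Split a raw HTTP response into (status code, lowercase header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    headers = {k.strip().lower(): v.strip() for k, v in (h.split(":", 1) for h in header_lines)}
    return int(status_line.split()[1]), headers, body


def auth_state(raw, include_headers=True):
    """Classify as logged-in / logged-out / unknown. With include_headers=False only
    the body is checked, which is why a bare 302 is unclassifiable unless followed."""
    text = raw if include_headers else split_response(raw)[2]
    if LOGGED_OUT_RE.search(text):
        return "logged-out"
    if LOGGED_IN_RE.search(text):
        return "logged-in"
    return "unknown"


def follow_redirects(url, fetch, max_hops=5):
    """Resolve 3xx hops manually; return the (url, status) chain and the final response."""
    chain = []
    for _ in range(max_hops + 1):
        raw = fetch(url)
        status, headers, _ = split_response(raw)
        chain.append((url, status))
        if status not in (301, 302, 303, 307, 308) or "location" not in headers:
            return chain, raw
        url = urljoin(url, headers["location"])  # relative Location is allowed
    raise RuntimeError("redirect limit exceeded")
```

Run with `fetch=SAMPLE_RESPONSES.__getitem__`; the same 302 classifies as logged-out with headers included and as unknown on the body alone.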

Simon Bennetts

Oct 31, 2023, 12:08:21 PM
to ZAP User Group
You may be right .. but you have access to more info than I have.
Based on the info you have shared with me I think ZAP will not be attempting to authenticate.
The Sites Tree link does not necessarily show the request ZAP is making to authenticate.
Set at least one of the indicators and then try again, letting us know what is shown in the Output tab.
If it looks like ZAP is authenticating then look at the requests and responses in the History tab.
Those are the key ones.

Cheers,

Simon

Div Cache

Oct 31, 2023, 1:09:53 PM
to ZAP User Group
Hi, the version when ZAP followed the redirect was 2.12.0. Thanks for the FAQ entry for DVWA; I will try to follow that and see. Much appreciated.

Div Cache

Oct 31, 2023, 1:16:02 PM
to ZAP User Group
Hi Simon, thanks! Using the manual request editor I was able to capture flags as context and filled in the logged-in and logged-out indicator details as shown in the screenshot. It does show "authentication successful". However, the History tab still does not show the successful login transaction; it just indicates 302 Found, as shown.
Zap-Help10.JPG
Zap-Help9.JPG