ZAP Baseline Not Working With Exported Auth Context


Max Canada

Aug 8, 2025, 10:45:55 AM8/8/25
to ZAP User Group
Hello,

My apologies if this is the wrong group to post this in. I am a bit new to some of ZAP's features, although I have been a long-time fan of it :)

I am trying to test some authentication automation and I am trying to do so using the Authentication Tester. I have been able to get it to successfully authenticate into my target using the desktop GUI app. However, when I export the context and try to load and run the context using the zap-baseline executable in the zap-stable docker image, it has difficulty finding the user.

Below is the context users section that I have created. The original export had a hash
  <users>
    <user>
      <name>testy</name>
      <enabled>true</enabled>
      <credentials>
        <username>testy-mctesterson</username>
        <password>my kewl kid passwrd</password>
      </credentials>
    </user>
  </users>

Below is the command that I am running with a local export of the context using zap baseline:

  zap-baseline.py -t $TARGET_SITE -d -r zap_report.html -n auth.context -U testy -j -a

Below is the zap-stable image I am pulling in (should be zap 2.16.1)

I am also looking at the following resources as alternative ways of accomplishing my objective and will follow up here if one of them does the trick. I would have expected the above to work though :(

Thank you again for all the help with this! Let me know if I am being silly and missing something obvious,
- Max

kingthorin+zap

Aug 8, 2025, 8:38:15 PM8/8/25
to ZAP User Group
Are you sure you aren’t using a weekly and hitting this?

Max Canada

Aug 11, 2025, 9:13:47 AM8/11/25
to ZAP User Group
Hey there kingthorin,

Appreciate the reply!

I checked the docker image being downloaded and it is the zap-stable image according to my CI pipeline. So I don't believe it is that issue although it could be potentially related!

- Max

Max Canada

Aug 11, 2025, 2:14:05 PM8/11/25
to ZAP User Group
Hey kingthorin,

After some additional investigation, I think you might be correct. I am pulling in the stable docker image, but it might have been a weekly instance because when I explicitly added the 2.16.1 tag everything worked just fine.

Now for the real scrub question: how do I know it is actually scanning my site after it is logged in? I see some of the API calls that indicate it is logged in based on the logs and final report output, but there are some front end sites that are not being hit based on the report, so I am curious how the spider works under the hood? Or is there a recommended way to make it spider again after logging in?

- Max

Simon Bennetts

Aug 13, 2025, 4:35:37 AM8/13/25
to ZAP User Group
Hi Max,

The ZAP Packaged scans (like the Baseline) are somewhat restrictive.
To have more control over ZAP we recommend using the Automation Framework (AF): https://www.zaproxy.org/docs/automate/automation-framework/
We have an AF plan which is equivalent to the Baseline here: https://github.com/zaproxy/community-scripts/blob/main/other/af-plans/BaselineExample.yaml
You can update that plan with the context created by the Authentication Tester, just remember to add the user to the spider jobs.

Using the AF will make it easier to get and test the ZAP statistics. You can use these to check that authentication is really working: https://www.zaproxy.org/docs/getting-further/automation/target-scanning-issues/#authentication-failures

How does the spider work under the hood?
Well, there are 3 spiders, and they all work differently!
If you have more specific questions that the docs do not appear to cover then please ask here :)

Cheers,

Simon
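An AF plan skeleton that follows the advice above (the user from the exported context declared under the context, and that same user set on both spider jobs so the crawl runs authenticated) is shown here as an added example; it is not from the thread, from BaselineExample.yaml, or from the ZAP project, and the target URL, login page, browser id and wait time are placeholder assumptions to be replaced with the values from your own exported context.

```yaml
# Added illustrative plan, not the community-scripts BaselineExample.yaml.
# Assumed placeholders: https://target.example (site), /login (login page),
# firefox-headless (browser id). The authentication, sessionManagement and
# verification blocks should be copied from the context the Authentication
# Tester exported; the browser method is shown only as a placeholder.
env:
  contexts:
    - name: "Default Context"
      urls:
        - "https://target.example"
      includePaths:
        - "https://target.example.*"
      excludePaths: []
      authentication:
        method: "browser"
        parameters:
          loginPageUrl: "https://target.example/login"
          loginPageWait: 5
          browserId: "firefox-headless"
      sessionManagement:
        method: "autodetect"
      verification:
        method: "autodetect"
      # Same user as the <users> block in the exported context.
      users:
        - name: "testy"
          credentials:
            username: "testy-mctesterson"
            password: "my kewl kid passwrd"
  parameters:
    failOnError: true
jobs:
  # Both spiders must name the user, otherwise they crawl unauthenticated.
  - type: spider
    parameters:
      context: "Default Context"
      user: "testy"
  - type: spiderAjax
    parameters:
      context: "Default Context"
      user: "testy"
      browserId: "firefox-headless"
  - type: passiveScan-wait
  - type: report
    parameters:
      template: "traditional-html"
      reportDir: "/zap/wrk"
      reportFile: "zap_report"
```

Run it with the docker image's zap.sh and -autorun pointing at this file; the authentication statistics linked above are the check that the logged-in crawl actually happened, rather than the presence of a report.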

Max Canada

Aug 18, 2025, 9:31:30 AM8/18/25
to ZAP User Group
Hey psi,

Appreciate you passing those videos along! They are super informative. I will look into trying to use the AF.

In regards to the spiders, I think the AF is what I am looking for for the moment :)
I want to try logging in, THEN spidering. See if that fixes my issue. As I said earlier, I think it is logging in due to certain backend API reqs being made. But there are some front end reqs that I am not seeing that should be there.

- Max

Max Canada

Aug 21, 2025, 10:06:21 AM8/21/25
to ZAP User Group
Hey psi,

This was extremely helpful! I am curious what some of the differences are between running the baseline, the GUI, and zap.sh fed an automation script. I ask because the desktop GUI, when running the authentication tester, seems to work out just fine and log into the app. Using zap.sh and feeding it an automation framework yaml file that tests the authentication and outputs an auth report shows that it couldn't even find the username field. So I am curious what you think the differences might be? They are both hitting the same site, same credentials (the GUI and zap.sh, that is).

Let me know if you think I am missing something obvious and being a goober,
- Max

psiinon

Aug 26, 2025, 8:02:08 AM8/26/25
to zaprox...@googlegroups.com
Hey Max,

The baseline scan is much more restricted than the GUI and the Automation Framework (AF).
For the GUI & AF the code that ZAP runs will be exactly the same, so it's going to be either the environment or the configuration.

Cheers,

Simon

--
ZAP by Checkmarx: https://www.zaproxy.org/
ZAP Project leader

Max Canada

Aug 26, 2025, 9:33:59 AM8/26/25
to ZAP User Group
Hey psi,

Appreciate your insights as always.

Yes, I am looking more at some of the logs, and it looks like the issue stems from the chrome binary not being found when using the zap-stable binary found below

So I will try adding that in and seeing how that plays :)

Thank you as always! This has been helpful! Sorry for all the pokes!

- Max
