FORECAST: AUTHENTICATION TESTER FOR DOCKER


Nicollas Teixeira
Aug 28, 2023, 4:12:22 PM, to ZAP User Group
Hey guys! I've been trying to automate the login with ZAP for Docker for some time, but it seems complicated... The ideal for my case would be something similar to the Authentication Tester in the GUI, because it works perfectly. I need to automate login for authenticated pages for different URLs, and many times I don't have access to all of them to be able to customize the settings; that's where the Authentication Tester comes in, as it would do all this configuration for me.

Nicollas Teixeira
Aug 28, 2023, 4:13:30 PM, to ZAP User Group
I would like to know if there is any forecast for the launch of something like the Authentication Tester for the Docker version.

psiinon
Aug 29, 2023, 3:19:32 AM, to zaprox...@googlegroups.com
Hiya,

So the Authentication Tester is designed to only work in the GUI, because it's for manual checking.
OK, so you can run it using the ZAP GUI in Docker via WebSwing (https://www.zaproxy.org/docs/docker/webswing/), but I'm guessing you want to automate this.
However, if it works then ZAP will be able to authenticate in Docker / automation using the same underlying mechanisms as described on https://www.zaproxy.org/blog/2023-05-02-authentication-auto-detection/

Have a look at that and let us know if you have any questions.

Cheers,

Simon

--
You received this message because you are subscribed to the Google Groups "ZAP User Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to zaproxy-user...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/zaproxy-users/e3d44994-5c3d-438a-8eba-8356311bd165n%40googlegroups.com.


--
ZAP Project leader

Nicollas Teixeira
Aug 29, 2023, 8:46:07 AM, to ZAP User Group
Oh thanks, it will probably work. Just one more question: I configured the automation YAML file, and when I run the automation it has the functionality I need; it manages to create the request for login. The problem is that it is putting %username% twice instead of putting %password% in the place of the password. Would I configure the order of this in the YAML file?

[Attached screenshot: 3432d.png]

psiinon
Aug 29, 2023, 8:53:00 AM, to zaprox...@googlegroups.com
From what I can see that is right.
The %username% and %password% strings are tokens - ZAP replaces these with the relevant values for the user you select.
You should not need to make any changes.

Cheers,

Simon



--
ZAP Project leader

Nicollas Teixeira
Aug 29, 2023, 9:01:50 AM, to ZAP User Group
Yeah, but look:

ZAP configured it this way:
username={%username%}&password={%username%}

It should be:
username={%username%}&password={%password%}

and it would work perfectly. With the wrong replacement, it's replacing the password with the username value.

psiinon
Aug 29, 2023, 9:04:46 AM, to zaprox...@googlegroups.com
Oh, yeah, right :)
Yes, you need to change that manually.

Cheers,

Simon



--
ZAP Project leader

Nicollas Teixeira
Aug 29, 2023, 9:06:42 AM, to ZAP User Group

Ohh okay, I thought it could recognize and replace the username in the username field and the password in the password field... I will customize the YAML and check what I can do lol. Thanks again, Simon.

psiinon
Aug 29, 2023, 9:11:34 AM, to zaprox...@googlegroups.com
Yes, it would be better if it did this :)
However, as you are configuring that manually, ZAP probably doesn't know at that stage which way around the username and password are.
It should work correctly with autodetection because you will have told ZAP the credentials.

Cheers,

Simon



--
ZAP Project leader

Nicollas Teixeira
Aug 29, 2023, 10:07:55 AM, to ZAP User Group
Yes, it is all set up with autodetect, but it is still getting confused when putting the username and password; it is repeatedly putting the username.

psiinon
Aug 29, 2023, 10:23:20 AM, to zaprox...@googlegroups.com
OK, that's a bug.
Can you raise it as one?
I'll aim to look at it ASAP.

Many thanks,

Simon



--
ZAP Project leader

Nicollas Teixeira
Aug 29, 2023, 10:43:07 AM, to ZAP User Group

Sure, I will open an issue. Thanks for the fast answer, Simon, and thanks for helping me.

Nicollas Teixeira
Aug 29, 2023, 10:53:39 AM, to ZAP User Group

psiinon
Aug 29, 2023, 10:54:41 AM, to zaprox...@googlegroups.com
Thanks!



--
ZAP Project leader

Nicollas Teixeira
Aug 29, 2023, 3:27:09 PM, to ZAP User Group
Hey Simon, I just saw you guys added an add-on label to my issue. I would like to know when it will probably be released, if you have this metric.

thc...@gmail.com
Aug 29, 2023, 3:36:29 PM, to zaprox...@googlegroups.com
The add-ons can be released anytime, but the issue needs to be fixed first. :) (The issue will be closed in that case.)

Note that the labels are indicative and they might change (e.g. if the issue ends up being in core instead of an add-on).

Best regards.

Nicollas Teixeira
Aug 29, 2023, 4:07:01 PM, to ZAP User Group
Oh okay thc, thanks. I hope this comes soon.

Nicollas Teixeira
Aug 31, 2023, 11:25:23 AM, to ZAP User Group
Hey Simon, I learned to use the Automation Framework better and managed to authenticate and do authenticated spidering. The problem is the scan: it is coming out empty. Below are my script and a screenshot of the active scan.

---
env:
  contexts:
  - name: "AUTOMATED"
    urls:
    includePaths:
    excludePaths: []
    authentication:
      method: "browser"
      parameters:
        loginPageUrl: "http://x/WebGoat/login"
        browserId: "firefox-headless"
        loginPageWait: 20
      verification:
        method: "autodetect"
    sessionManagement:
      method: "autodetect"
      parameters: {}
    technology:
      exclude: []
    users:
    - name: "auth"
      credentials:
        password: "password"
        username: "administrator"
  parameters:
    failOnError: true
    failOnWarning: false
    progressToStdout: true
  vars: {}
jobs:
- parameters:
    scanOnlyInScope: true
    enableTags: false
    disableAllRules: false
  rules: []
  name: "passiveScan-config"
  type: "passiveScan-config"
- parameters:
    context: "AUTOMATED"
    user: "auth"
    maxDuration: 0
    maxDepth: 0
    maxChildren: 0
    acceptCookies: true
    handleODataParametersVisited: false
    handleParameters: "IGNORE_COMPLETELY"
    maxParseSizeBytes: 0
    parseComments: false
    parseGit: false
    parseRobotsTxt: false
    parseSitemapXml: false
    parseSVNEntries: false
    postForm: true
    processForm: true
    requestWaitTime: 0
    sendRefererHeader: false
    userAgent: ""
  tests:
  - onFail: "INFO"
    statistic: "automation.spider.urls.added"
    site: ""
    operator: ">="
    value: 10
    name: "At least 10 URLs found"
    type: "stats"
  name: "spider"
  type: "spider"
- parameters:
    context: "AUTOMATED"
    user: "auth"
    maxDuration: 999999
    maxCrawlDepth: 999999
    numberOfBrowsers: 10
    maxCrawlStates: 0
    eventWait: 1000
    reloadWait: 1000
    clickDefaultElems: true
    clickElemsOnce: true
    randomInputs: true
    inScopeOnly: true
    runOnlyIfModern: false
    excludedElements: []
  tests:
  - onFail: "INFO"
    statistic: "spiderAjax.urls.added"
    site: ""
    operator: ">="
    value: 100
    name: "At least 100 URLs found"
    type: "stats"
  name: "spiderAjax"
  type: "spiderAjax"
- parameters:
    maxDuration: 0
  name: "passiveScan-wait"
  type: "passiveScan-wait"
- parameters:
    context: "AUTOMATED"
    user: "auth"
    policy: ""
    maxRuleDurationInMins: 0
    maxScanDurationInMins: 0
    addQueryParam: true
    delayInMs: 0
    handleAntiCSRFTokens: true
    injectPluginIdInHeader: true
    scanHeadersAllRequests: true
    threadPerHost: 8
  policyDefinition:
    defaultStrength: "insane"
    defaultThreshold: "high"
    rules: []
  name: "activeScan"
  type: "activeScan"
- parameters:
    template: "risk-confidence-html"
    reportDir: "C:\\x"
    reportTitle: "ZAP Scanning Report"
    reportDescription: ""
  name: "report"
  type: "report"

[Attached screenshots: Captura de tela 2023-08-31 122306.png, Captura de tela 2023-08-31 122358.png]

It's like a ghost scan, no requests lol. Could you help me?
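Two things in this thread are worth checking mechanically before a headless run: the form-based loginRequestBody token problem reported earlier (username={%username%}&password={%username%} instead of username={%username%}&password={%password%}), and the plan just posted, whose context has an empty urls: list even though every job in it is configured to work in scope only (in the Automation Framework the context's urls are its include regexes). The pre-flight lint below is an added example written for this thread; it is not code from ZAP or from the original poster. The two sample plans at the bottom are constructed to reproduce those two situations plus a job that names a user the context never defines; the hostname, paths and parameter names in them are assumptions, and the plan is handled as the dict that yaml.safe_load would return for the YAML file.

```python
"""Pre-flight lint for a ZAP Automation Framework plan (added example).

Not ZAP code and not the thread author's plan: the sample plans below are
constructed to reproduce what the thread reports. Hostname, paths and
parameter names are assumptions.
"""
from typing import Any, Dict, List

# Tokens ZAP substitutes with the selected user's credentials in a
# form-based loginRequestBody; each must appear exactly once.
CREDENTIAL_TOKENS = ("{%username%}", "{%password%}")


def check_login_request_body(body: str) -> List[str]:
    """Report credential tokens that are missing or repeated in the body."""
    problems = []
    for token in CREDENTIAL_TOKENS:
        count = body.count(token)
        if count == 0:
            problems.append(f"loginRequestBody is missing {token}")
        elif count > 1:
            problems.append(f"loginRequestBody contains {token} {count} times")
    return problems


def lint_plan(plan: Dict[str, Any]) -> List[str]:
    """Cross-check contexts, users and jobs of a plan loaded as a dict."""
    problems: List[str] = []
    contexts = {c["name"]: c for c in plan.get("env", {}).get("contexts", [])}

    for name, ctx in contexts.items():
        # The context's urls are its include regexes: with none, scope-only
        # jobs (spider, ajax spider, active scan) have nothing to work on.
        if not ctx.get("urls"):
            problems.append(f"context {name} has no urls, so nothing is in scope")
        auth = ctx.get("authentication") or {}
        if auth.get("method") == "form":
            params = auth.get("parameters") or {}
            problems += check_login_request_body(params.get("loginRequestBody", ""))

    for job in plan.get("jobs", []):
        params = job.get("parameters") or {}
        ctx_name = params.get("context")
        if ctx_name is None:
            continue  # job does not run against a context
        label = job.get("name") or job.get("type", "?")
        if ctx_name not in contexts:
            problems.append(f"job {label} refers to unknown context {ctx_name}")
            continue
        user = params.get("user")
        users = {u["name"] for u in contexts[ctx_name].get("users", [])}
        if user is not None and user not in users:
            problems.append(
                f"job {label} refers to user {user} not defined in context {ctx_name}")
    return problems


def _plan(urls: List[str], login_body: str, scan_user: str) -> Dict[str, Any]:
    """Build a minimal form-based plan; every value here is constructed."""
    return {
        "env": {"contexts": [{
            "name": "AUTOMATED",
            "urls": urls,
            "authentication": {
                "method": "form",
                "parameters": {
                    "loginPageUrl": "http://x/WebGoat/login",      # assumed
                    "loginRequestUrl": "http://x/WebGoat/login",   # assumed
                    "loginRequestBody": login_body,
                },
                "verification": {"method": "autodetect"},
            },
            "sessionManagement": {"method": "autodetect"},
            "users": [{"name": "auth",
                       "credentials": {"username": "administrator",
                                       "password": "password"}}],
        }]},
        "jobs": [
            {"type": "spider", "name": "spider",
             "parameters": {"context": "AUTOMATED", "user": "auth"}},
            {"type": "activeScan", "name": "activeScan",
             "parameters": {"context": "AUTOMATED", "user": scan_user}},
        ],
    }


# What the thread shows: empty context urls and {%username%} in both
# fields, plus a job pointing at a user the context never defines.
BAD_PLAN = _plan([], "username={%username%}&password={%username%}", "admin")
# The corrected plan: scope defined, one token per field, known user.
GOOD_PLAN = _plan(["http://x/WebGoat"],
                  "username={%username%}&password={%password%}", "auth")

if __name__ == "__main__":
    for label, plan in (("bad", BAD_PLAN), ("good", GOOD_PLAN)):
        print(label, lint_plan(plan) or "OK")
```

Run it against the real plan by replacing BAD_PLAN with yaml.safe_load(open("plan.yaml")) and failing the pipeline when lint_plan returns anything; the autodetected browser-based authentication in the posted plan has no loginRequestBody, so for that plan only the scope and user checks apply.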

Nicollas Teixeira
Aug 31, 2023, 12:42:03 PM, to ZAP User Group
The spider worked correctly; it found all the expected URLs. The problem occurs in the active scan step.

On Thursday, 31 August 2023 at 13:01:52 UTC-3, psi...@gmail.com wrote:
> That's weird :/
>
> OK, let's take this one step at a time - how many URLs do the spiders find?
> Does it look to be as many as you expect?
>
> Cheers,
>
> Simon

kingthorin+zap
Aug 31, 2023, 2:01:13 PM, to ZAP User Group
I wonder if it has something to do with passing "" (empty string) as the policy?

Nicollas Teixeira
Aug 31, 2023, 2:20:18 PM, to ZAP User Group
It didn't interfere... I've tried leaving it without that parameter and the result is the same.

Simon Bennetts
Sep 4, 2023, 10:04:01 AM, to ZAP User Group
Strange - I can't see anything obviously wrong.
Are there any errors in the zap.log file?

Cheers,

Simon