ZAP Authentication - POST login request contains Content-Disposition headers


minkrk

Jun 16, 2023, 5:05:17 PM
to OWASP ZAP User Group
Hi,

I am trying to authenticate through ZAP and my login POST request looks like this:

-----------------------------52901836432436535503711607603
Content-Disposition: form-data; name="username"

hassan-rvm
-----------------------------52901836432436535503711607603
Content-Disposition: form-data; name="password"

word2pass
-----------------------------52901836432436535503711607603
Content-Disposition: form-data; name="browser_id"

null
-----------------------------52901836432436535503711607603
Content-Disposition: form-data; name="verification_code"


-----------------------------52901836432436535503711607603
Content-Disposition: form-data; name="verification_type"


-----------------------------52901836432436535503711607603--

This doesn't work with form-based authentication since the login request POST data is not populated. I tried to record a Zest authentication script and used it in the context, but I am unable to authenticate since my logged-in indicator says 'authentication failure'.

Any help in this regard is much appreciated.

Best.
Hassan.
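The request above is multipart/form-data, not the url-encoded body that ZAP's form-based authentication expects, which is why the login POST data field stays empty. One way around that is ZAP's script-based authentication: a script that builds the multipart body itself and sends it through the helper. What follows is an added example written for this thread; it is not the poster's script and not ZAP project code. The Java types, the helper methods and the `getRequiredParamsNames` / `getCredentialsParamsNames` hooks follow ZAP's "Authentication default template.js" as the editor remembers it, and the "Login URL" parameter name is an assumption, so check both against the template shipped with your ZAP version. The encoder and decoder run stand-alone in Node; only `authenticate` needs ZAP.

```javascript
// Added example (not from the thread, not ZAP project code): build the
// multipart/form-data login body captured in the post and send it from a
// ZAP script-based authentication script. The Java/ZAP helper calls mirror
// ZAP's "Authentication default template.js" as recalled by the editor;
// verify them against the template in your ZAP install before relying on them.

var CRLF = "\r\n";

// Encode name/value pairs as multipart/form-data (RFC 7578, text parts only).
// An empty string yields an empty part, exactly like verification_code and
// verification_type in the captured request.
function buildMultipartBody(fields, boundary) {
  var body = "";
  Object.keys(fields).forEach(function (name) {
    body += "--" + boundary + CRLF;
    body += 'Content-Disposition: form-data; name="' + name + '"' + CRLF + CRLF;
    body += String(fields[name]) + CRLF;
  });
  return body + "--" + boundary + "--" + CRLF;
}

// Inverse of buildMultipartBody, useful for checking what actually went out
// (paste a request body from ZAP's History tab into the script console).
function parseMultipartBody(body, boundary) {
  var fields = {};
  body.split("--" + boundary).forEach(function (part) {
    // skip the preamble before the first boundary and the closing "--" marker
    if (part === "" || part.indexOf("--") === 0) { return; }
    var sep = part.indexOf(CRLF + CRLF);
    var headers = part.slice(0, sep);
    var value = part.slice(sep + 4, part.length - CRLF.length);
    var m = /name="([^"]*)"/.exec(headers);
    if (m) { fields[m[1]] = value; }
  });
  return fields;
}

// Random boundary; this form only carries short text values, so a collision
// with a field value is not a practical concern.
function makeBoundary() {
  return "----ZapScriptBoundary" + Date.now().toString(16) +
    Math.floor(Math.random() * 1e9).toString(16);
}

// --- ZAP script-based authentication hooks; only ZAP calls these. ---
// "Login URL" is a parameter name assumed here; ZAP shows it in the
// context's Authentication panel once this script is selected.
function authenticate(helper, paramsValues, credentials) {
  var HttpRequestHeader = Java.type("org.parosproxy.paros.network.HttpRequestHeader");
  var HttpHeader = Java.type("org.parosproxy.paros.network.HttpHeader");
  var URI = Java.type("org.apache.commons.httpclient.URI");

  var boundary = makeBoundary();
  var body = buildMultipartBody({
    username: credentials.getParam("Username"),
    password: credentials.getParam("Password"),
    browser_id: "null",          // the front end really sends the string "null"
    verification_code: "",
    verification_type: ""
  }, boundary);

  var msg = helper.prepareMessage();
  msg.setRequestHeader(new HttpRequestHeader(HttpRequestHeader.POST,
      new URI(paramsValues.get("Login URL"), false), HttpHeader.HTTP11));
  msg.getRequestHeader().setHeader(HttpHeader.CONTENT_TYPE,
      "multipart/form-data; boundary=" + boundary);
  msg.setRequestBody(body);
  msg.getRequestHeader().setContentLength(msg.getRequestBody().length());
  helper.sendAndReceive(msg);
  // ZAP applies the context's logged-in/out indicators to this response.
  return msg;
}

function getRequiredParamsNames() { return ["Login URL"]; }
function getOptionalParamsNames() { return []; }
function getCredentialsParamsNames() { return ["Username", "Password"]; }
```

Load it under Scripts > Authentication, pick it in the context's Authentication panel, and set the Username and Password for the context's user. The logged-in indicator is matched against the response to this message, so if the application answers the login with a redirect or a JSON body, write a regex that matches that response (or a cookie it sets), not the HTML of a page that only appears after the redirect. `parseMultipartBody` lets you confirm from the History tab that every field, including the empty ones, reached the server with the right name.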

Hassan Sheikh

Jun 19, 2023, 3:55:00 AM
to zaprox...@googlegroups.com
Any help in this regard is greatly appreciated.

--
You received this message because you are subscribed to the Google Groups "OWASP ZAP User Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to zaproxy-user...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/zaproxy-users/d9cc0747-6c4a-4c26-a753-a804bf92739dn%40googlegroups.com.

thc...@gmail.com

Jun 19, 2023, 4:24:56 AM
to zaprox...@googlegroups.com
Hi.

Is the script working properly? Did you specify the correct
logged-in/out indicators? Without more details it is hard to tell what
might be wrong.

Also, worth looking at
https://www.zaproxy.org/blog/2023-05-23-authentication-tester/ as that
might help automatically configure the authentication.

Best regards.

psiinon

Jun 21, 2023, 4:44:09 AM
to zaprox...@googlegroups.com
Can you see if ZAP can auto detect the authentication for your app?
If so then it will be much easier for you.

Cheers,

Simon


--
OWASP ZAP Project leader

Hassan Sheikh

Jun 21, 2023, 5:00:06 AM
to zaprox...@googlegroups.com
Hi Simon,

No, it fails except that it passes the user & email test. Session handling and verification URL remain greyed out.

Thanks.
