Authentication Report


Julia Khanbekova

Jun 6, 2025, 8:47:10 AM
to ZAP User Group
Hi, Simon!

I have some questions regarding the authentication report.
I'm testing report generation on a locally deployed bWAPP application (Docker image raesene/bwapp), using browser-based authentication.

  1. In my report, the diagnostic structure is empty. Why could this happen?
  2. I'm entering incorrect credentials, but the field auth.summary.auth still returns true. However, I believe the authentication actually failed, since the HTML report doesn't include any URLs that are available only after login. Could you explain this behavior?
  3. My report doesn't include the statistics described in the documentation: auth.failure.login_failures, auth.failure.overall, and auth.failure.pass_count. How can I include them?
I'm attaching the YAML file I'm using to run the automation framework. I'm using ZAP 2.16.1.
scan_file_fail_bwapp.yaml

Simon Bennetts

Jun 10, 2025, 11:28:11 AM
to ZAP User Group
Replies inline:

On Friday, 6 June 2025 at 13:47:10 UTC+1 juliaka...@gmail.com wrote:
Hi, Simon!

I have some questions regarding the authentication report.
I'm testing report generation on a locally deployed bWAPP application (Docker image raesene/bwapp), using browser-based authentication.

  1. In my report, the diagnostic structure is empty. Why could this happen?
The diagnostics are not collected by default.

  2. I'm entering incorrect credentials, but the field auth.summary.auth still returns true. However, I believe the authentication actually failed, since the HTML report doesn't include any URLs that are available only after login. Could you explain this behavior?
Have you checked that autodetection worked?
You can set the verification method to "autodetect" as well, although "poll" with a blank URL should work.

Next up, you have not excluded any logout endpoints or logout elements from the AJAX Spider. There's a very good chance that the spiders are getting logged out before progressing too far.

As you may have seen we've just published some guidance re some vulnerable apps: https://www.zaproxy.org/docs/testapps/
It takes a while to check everything, but bWAPP is on the list.

If you get it working before we get to it then any details would help us, as would a full website PR of course :D
  3. My report doesn't include the statistics described in the documentation: auth.failure.login_failures, auth.failure.overall, and auth.failure.pass_count. How can I include them?
All non-zero stats are included, you do not need to do anything.

I'm attaching the YAML file I'm using to run the automation framework. I'm using ZAP 2.16.1.

Cheers,

Simon 

Julia Khanbekova

Jun 19, 2025, 2:13:54 AM
to ZAP User Group
Hi Simon!

Thanks for the answer!

I changed the verification method to autodetect and now the authorization report is generated correctly with correct/incorrect credentials for browser authorization.

However, I encountered an issue with the generation of the authorization report for JSON-based authorization (using OWASP Juice Shop). I'm attaching the YAML plan for your reference.
Could you please take a look and let me know what might be causing the problem?
zap.yaml

Simon Bennetts

Jun 20, 2025, 4:42:22 AM
to ZAP User Group
Hi Julia,

You have specified the reportDir as /zap

I'm guessing that you are running ZAP in a Docker image.
If so then that's not a good directory to use as it will not be accessible after the Docker container exits.

You will need to map a local directory and make sure that ZAP can write to it.

Cheers,

Simon
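Putting Simon's suggestions from this thread together (verification set to "autodetect", logout endpoints and logout elements kept away from the spiders, and a report directory that ZAP can write to and that survives the run), here is an added example of an Automation Framework plan for a browser-authenticated bWAPP scan with the authentication report job. It is not Julia's attached YAML and not a file from the ZAP project. The host name, the login and logout paths, the user name, the credential placeholders, the report directory and the report template id are assumptions to adjust for your own deployment.

```yaml
# Added example plan, not the YAML attached in this thread.
# Host, paths, user, credentials, reportDir and template id are assumptions.
env:
  contexts:
    - name: "bwapp"
      urls:
        - "http://bwapp.example.test/"          # assumed host
      includePaths:
        - "http://bwapp.example.test/.*"
      excludePaths:
        # Keep both spiders off the endpoint that ends the session.
        - "http://bwapp.example.test/logout.php" # assumed logout path
      authentication:
        method: "browser"
        parameters:
          loginPageUrl: "http://bwapp.example.test/login.php"  # assumed login path
          loginPageWait: 5
          browserId: "firefox-headless"
        verification:
          # "autodetect" lets ZAP work out the logged-in/logged-out indicators,
          # which is what fixed the auth.summary.auth result in this thread.
          method: "autodetect"
      sessionManagement:
        method: "autodetect"
      users:
        - name: "test-user"
          credentials:
            username: "REPLACE_WITH_USERNAME"
            password: "REPLACE_WITH_PASSWORD"
  parameters:
    failOnError: true
    progressToStdout: true

jobs:
  - type: spider
    parameters:
      context: "bwapp"
      user: "test-user"

  - type: spiderAjax
    parameters:
      context: "bwapp"
      user: "test-user"
      browserId: "firefox-headless"
    excludedElements:
      # The AJAX Spider clicks links; tell it not to click the logout link
      # so it does not log itself out early in the crawl.
      - description: "Logout link"
        element: "a"
        attributeName: "href"
        attributeValue: "logout.php"

  - type: report
    parameters:
      # Assumed template id of the JSON authentication report.
      template: "auth-report-json"
      # Use a directory on the host that the ZAP user can write to.
      # When ZAP runs in Docker, map a host directory here instead of
      # a path inside the container such as /zap.
      reportDir: "/home/zapuser/reports"
      reportFile: "auth-report"
```

When the scan has run, read the whole generated report rather than only the `auth.summary.auth` item: the other summary items and the non-zero `auth.failure.*` statistics are what indicate which step of the login or verification did not work.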

Julia Khanbekova

Jun 20, 2025, 5:47:04 AM
to ZAP User Group
No, I don't run the scan through Docker but through zap.sh.

Julia Khanbekova

Jun 20, 2025, 6:01:59 AM
to ZAP User Group
In the HTML report I see that authorization was successful and the received token is substituted into all other requests. For example, whoami returned:
{
    "user": {
        "id": 22,
        "email": "test",
        "lastLoginIp": "undefined",
        "profileImage": "***"
    }
}

But the authorization report shows that authorization failed.

Simon Bennetts

Jun 20, 2025, 7:02:07 AM
to ZAP User Group
Ah, you said "I encountered an issue with the generation of the authorization report".
I assumed you meant that the report failed to generate.
Can you give us more details of what exactly failed?

Cheers,

Simon

Julia Khanbekova

Jun 20, 2025, 7:47:42 AM
to ZAP User Group
The report was created, but it says that authorization failed:

 ,"summaryItems": [
  {
   "description": "Authentication failed",
   "passed": false,
   "key": "auth.summary.auth"
  },

Simon Bennetts

Jun 20, 2025, 7:51:38 AM
to ZAP User Group
That tells me nothing :) 
What else does the report say?

Julia Khanbekova

Jun 20, 2025, 7:57:19 AM
to ZAP User Group
My question is to understand the behavior.
The authorization report says that authorization failed. But in the HTML report I see that authorization passed, because the received token is substituted into all other requests. For example, whoami returned:

{
    "user": {
        "id": 22,
        "email": "test",
        "lastLoginIp": "undefined",
        "profileImage": "***"
    }
}
In OWASP Juice Shop this structure is returned on successful authorization.

Why is it incorrectly determined in the authorization report that authorization failed? Maybe I set the wrong settings?
zap.yaml

Simon Bennetts

Jun 20, 2025, 8:19:26 AM
to ZAP User Group
Why did it fail?
Any number of reasons.

How can we tell what failed?
Look at the rest of the report :D

FYI your config does not look like the one we recommend.

Cheers,

Simon