Doubt in Form based authentication

Akhil h

Mar 22, 2025, 9:51:39 AM
to ZAP User Group
Dear Friends,

My name is Akhil, and I have a doubt on "Form based Authentication."

I will reproduce the steps for more convenience:

Step 1: We capture the POST request.
[attachment: akhil 1.png]

Step 2: Then right-click and select "Flag as context."

Step 3: Select the "context name" you have added in context.

Step 4: (This session has my doubt in URL) ---> Credentials are requested through the API, and it has port number 3030 to connect to the server.

But the current website URL has different params, as ===> https://yyy/login
Credentials passing through the API URL is ==> https://yyy:3030/onboarding/login

Please ensure the target URL and URL to get the login page?
[attachment: Screenshot 2025-03-22 171801.png]

Step 5: Select the "User" option, and enter the "valid username" and "valid password."

Step 6: Ensure the forced user dropdown field selects the particular option (which you entered in the "User" session).

Step 7: On the main page, select "Manual Explore." In the URL field, the user enters the navigation path (https://yyy/dashboard) ==> (it will skip the authentication page and navigate to the dashboard page).

Issues: When the user runs ZAP, it displays an "Authentication failed" message in the output session; it is not navigating to the dashboard session.

Doubt in "Step 4" is mentioned above.

How to resolve this....

kingthorin+zap

Mar 22, 2025, 9:52:53 AM
to ZAP User Group
For all things Authentication start here: https://www.zaproxy.org/docs/authentication/

Akhil h

Mar 22, 2025, 10:05:53 AM
to ZAP User Group
Hi kingthorin,

First of all, thanks for replying.

But sorry, I can't find an absolute solution for my question.

Bruno Ronda

Mar 22, 2025, 1:38:46 PM
to ZAP User Group
Hi Akhil,

To make sure I understood correctly: your problem is that the URL flagged as "your-context-form-based-authentication" is this: https://yyy/login whereas the credentials are passed through an API call here: https://yyy:3030/onboarding/login? Please confirm.

Warmly,
Bruno

Bruno Ronda

Mar 22, 2025, 1:49:06 PM
to zaprox...@googlegroups.com
Hi Akhil,

Looking at your screenshots it seems you use the same parameter "email" for both username and password fields in ZAP. Kindly check that and confirm my earlier query...

Bruno


--
ZAP by Checkmarx: https://www.zaproxy.org/
---
You received this message because you are subscribed to a topic in the Google Groups "ZAP User Group" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/zaproxy-users/AugtDiSUitg/unsubscribe.
To unsubscribe from this group and all its topics, send an email to zaproxy-user...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/zaproxy-users/e228dbdd-2ae1-469d-bef7-790927c97ff4n%40googlegroups.com.
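The two URLs Bruno separates above, and the duplicated "email" parameter he points out, map directly onto ZAP's form-based authentication settings. The following is an added example (not code from this thread or from the ZAP project) written as a ZAP Automation Framework environment: the page ZAP fetches to start the login and the endpoint that receives the credentials are distinct parameters, the username and password placeholders must sit in different request-body fields, and the port-3030 origin has to be inside the context. The host "yyy", port 3030 and the field name "email" are taken from the thread; the context name, user name, credentials, verification regexes and the choice of a URL-encoded body are assumptions or placeholders to be replaced for the real application.

```yaml
# Added example: ZAP Automation Framework environment for the case discussed
# in this thread. Host "yyy", port 3030 and the "email" field come from the
# thread; every other value is an assumption or a placeholder.
env:
  contexts:
    - name: "yyy-app"
      urls:
        - "https://yyy"
      includePaths:
        # Both the web origin and the API origin must be in scope; a request
        # to a host:port outside the context is not handled as authentication.
        - "https://yyy/.*"
        - "https://yyy:3030/.*"
      authentication:
        # Use method "json" (with a JSON loginRequestBody) if the
        # /onboarding/login endpoint expects a JSON body instead of a form.
        method: "form"
        parameters:
          # The page ZAP requests first (cookies, tokens, etc.) ...
          loginPageUrl: "https://yyy/login"
          # ... versus the endpoint that actually receives the credentials.
          loginRequestUrl: "https://yyy:3030/onboarding/login"
          # Username and password must be distinct parameters; mapping both
          # to "email" sends the password where the username belongs.
          loginRequestBody: "email={%username%}&password={%password%}"
        verification:
          method: "response"
          # Assumed patterns: replace with text that appears only in the
          # logged-in (or only in the logged-out) response of the real app.
          loggedInRegex: "\\Q/dashboard\\E"
          loggedOutRegex: "\\Q/login\\E"
      users:
        - name: "test-user"
          credentials:
            username: "PLACEHOLDER_USERNAME"
            password: "PLACEHOLDER_PASSWORD"

jobs:
  # Spider as the authenticated user. An "Authentication failed" result here
  # typically means the verification regexes did not match the login response.
  - type: "spider"
    parameters:
      context: "yyy-app"
      user: "test-user"
      url: "https://yyy/dashboard"
```

A quick check before running the whole plan: resend the captured login request from ZAP's Manual Request Editor with the same body and confirm which strings differ between a successful and a failed response; those strings are what the logged-in and logged-out regexes should match, not the URL paths used as placeholders above.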

Akhil h

Mar 24, 2025, 12:37:28 AM
to ZAP User Group
Hi Vic

Thank you for your reply. Yes, I confirm the same.

Akhil h

Mar 24, 2025, 12:49:32 AM
to ZAP User Group
Hi Vic,

When we flag as context, at that time it was stored like this. We can edit the username and password; it's not a problem. (Note: We want to give the valid credentials in "User".)

When the credentials are invalid, or not taken by the field, it is displayed as a toaster on the browser: "Please fill all the fields." So, it is not the problem -----> The problem is in the API URL -----> because, when we copy the API URL into the browser for the search, it displays the comments I have mentioned below.

[attachment: Screenshot 2025-03-24 101622.png]

Simon Bennetts

Mar 24, 2025, 1:19:15 PM
to ZAP User Group
If they do not work for you then let us know at which point they don't work and let us know exactly what happens.

Bruno Ronda

Mar 25, 2025, 4:45:04 AM
to zaprox...@googlegroups.com
Hi Akhil,

Is it a simple form with static fields only? No tokens or any other one-time values that are regenerated with each request/response? What happens if you use the same authentication request that succeeded and resend it using ZAP's Manual Request Editor (not the browser)?

Warmly,

Bruno


Akhil h

Mar 25, 2025, 7:46:52 AM
to ZAP User Group
Hi Bruno,

Thank you for your reply. I have tried all scenarios. But I did not get the expected result.

Main problem, I think, is only the URL?

I have tried in another application; it's working. So our procedure is right!

Thanks and regards
Akhil 

Bruno Ronda

Mar 25, 2025, 8:31:03 AM
to zaprox...@googlegroups.com
Hi Akhil,

The general procedure may be right, but the app being tested may have its own particularities that get in the way. Maybe record a Zest script for authentication, replay it, and see how it goes? If it works fine you could consider changing your context authentication settings to the Zest script, instead of form-based.

Warmly,

Bruno
