AJAX Spider browser continues to refresh


Samee Ijaz

Apr 16, 2021, 12:54:54 PM
to OWASP ZAP User Group
Hello, 

When we authenticate to a site using a script-based authentication script, it successfully logs in on the first window that's opened by Selenium WebDriver with no issues. The session is established using two cookies (AuthSSOCookie and JSESSIONID).

The issue is that when we run the AJAX spider, it starts opening a new window and this window keeps on refreshing. We examined the HTTP Sessions for the authenticated window where the user was successfully logged in and the second window which the AJAX spider opened, and noticed that AuthSSOCookie keeps changing and the browser keeps refreshing, but the JSESSIONID is constant throughout all browser windows.

We think the issue is that we need to grab the AuthSSOCookie token from the 1st authenticated window and pass it to all subsequent requests, to force the AJAX spider window to be based off the 1st window's session and not treated as a new session.

We are seeking your advice on how we can grab AuthSSOCookie and pass it to all subsequent requests.

Thanks

Regards
Samee

Samee Ijaz

Apr 20, 2021, 4:43:04 PM
to OWASP ZAP User Group
Hi All, 

Can anyone please provide an update on the above question? Thank you.

Regards
Samee

Simon Bennetts

Apr 21, 2021, 4:30:03 AM
to OWASP ZAP User Group
You could write an HttpSender script which looks for the AuthSSOCookie being set, stores it in a script variable and then when it is set injects it into the relevant future requests.
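One way to write the HttpSender script suggested in the reply above, as an added example that is not part of the thread and not ZAP project code. The script variable names, the rule of injecting only on the host that set the cookie, and the in-memory fallback used when the script runs outside ZAP are assumptions of this sketch.

```javascript
// Added example: ZAP HttpSender script that captures AuthSSOCookie and re-injects it.
var COOKIE = "AuthSSOCookie";  // cookie name taken from the thread
var VAR_VALUE = "authsso.value", VAR_HOST = "authsso.host";  // assumed variable names

// Inside ZAP, use global script variables. Outside ZAP (no Java bridge) fall
// back to an in-memory object so the logic can be exercised with stub messages.
var mem = {};
var SV = (typeof Java !== "undefined")
  ? Java.type("org.zaproxy.zap.extension.script.ScriptVars")
  : { getGlobalVar: function (k) { return k in mem ? mem[k] : null; },
      setGlobalVar: function (k, v) { mem[k] = v; } };

// Return the value of COOKIE from one Set-Cookie header line, or null.
function cookieFromSetCookie(line) {
  var pair = String(line).split(";")[0];
  var eq = pair.indexOf("=");
  if (eq < 0 || pair.substring(0, eq).trim() !== COOKIE) return null;
  return pair.substring(eq + 1).trim();
}

// Replace (or append) COOKIE in a Cookie request header value.
function mergeCookie(header, value) {
  var kept = String(header || "").split(";")
    .map(function (p) { return p.trim(); })
    .filter(function (p) { return p && p.split("=")[0].trim() !== COOKIE; });
  kept.push(COOKIE + "=" + value);
  return kept.join("; ");
}

// Capture: remember the latest non-empty value and the host that issued it.
function responseReceived(msg, initiator, helper) {
  var lines = msg.getResponseHeader().getHeaderValues("Set-Cookie");
  for (var i = 0; i < lines.size(); i++) {
    var v = cookieFromSetCookie(lines.get(i));
    if (v) {
      SV.setGlobalVar(VAR_VALUE, v);
      SV.setGlobalVar(VAR_HOST, String(msg.getRequestHeader().getHostName()));
    }
  }
}

// Inject: overwrite the cookie on outgoing requests once a value is stored.
function sendingRequest(msg, initiator, helper) {
  var value = SV.getGlobalVar(VAR_VALUE), h = msg.getRequestHeader();
  // Only inject on the host that issued the cookie, so it never leaks elsewhere.
  if (!value || String(h.getHostName()) !== String(SV.getGlobalVar(VAR_HOST))) return;
  h.setHeader("Cookie", mergeCookie(h.getHeader("Cookie"), value));
}
```

The host check keeps the session cookie from being attached to requests for third-party hosts that the spider's browser may load.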