ZAP Authentication problem in API calls


Janitha Tennakoon

Dec 17, 2014, 9:03:34 PM
to zaprox...@googlegroups.com
Hi, I am using ZAP API calls to test a site from the command line. But I have a problem with the user authentication even though I am following the correct steps: I still can't manage to get past the login page when spidering as a user. Below are the steps that I am following.
1. Include in the context (context/includeContext)
2. Change authentication method to formBased (authentication/setAuthenticationMethod)
Here I only pass contextID, authMethodName and, in authMethodConfigParams, only the loginUrl, not the loginRequestData. Even when I pass loginRequestData like username=****&password=**** it still fails.
3. Set the login indicator (authentication/setLoggedInIndicator)
4. Enable auto re-authentication (auth/autoReauthON)
5. Add a new user (users/newUser)
6. Set credentials for user (users/setAuthenticationCredentials)
7. Enable user (users/setUserEnabled)
8. Spider as the new user (spider/scanAsUser)

But when spidering it cannot get past the login page. When I open the UI application all the API calls have worked and all the settings
have been configured in the session properties. But when I check the POST request it is as below.

username=ZAP&password=ZAP&rememberMe=true

I think this is the problem. Why doesn't it take the new user's credentials?

Thanks in advance

thc...@gmail.com

Dec 18, 2014, 2:21:34 AM
to zaprox...@googlegroups.com
Hi.

In step #2 you also need to set the username and password replacement
tokens {%username%} and {%password%}, respectively. Otherwise ZAP will
not know where to inject the username/password of the selected user
during login.
The field loginRequestData should look like:
username={%username%}&password={%password%}

Step #4 is not needed since you're spidering as a user; that would be
needed only if you were not specifying the user.
Note that the auth API is deprecated; to enable re-authentication you should
now use the forcedUser API [1].

[1] https://code.google.com/p/zaproxy/wiki/ApiGen_forcedUser

Best regards.

Janitha Tennakoon

Dec 21, 2014, 10:17:26 PM
to zaprox...@googlegroups.com
Thanks for the reply.

I removed step 4 from the program. But I can't pass loginRequestData in step 2. I provide contextID and authMethodName correctly. I provide authMethodConfigParams as below.

loginUrl=**********************&loginRequestData=username={%username%}&password={%password%} 

But when I execute this call and confirm it in the GUI, the loginRequestData field is empty. This is why I did not pass loginRequestData before: the field is empty after the call executes, although the result is OK.

What is the correct way of passing a value to authMethodConfigParams?


thc...@gmail.com

Dec 22, 2014, 4:55:43 AM
to zaprox...@googlegroups.com
Hi.

The names/values of the parameters inside authMethodConfigParams are
expected to be "x-www-form-urlencoded".

For example, with login URL:
http://example.com/login/
and request data:
username={%username%}&password={%password%}
the value of parameter authMethodConfigParams would be:
loginUrl=http%3A%2F%2Fexample.com%2Flogin%2F&loginRequestData=username%3D%7B%25username%25%7D%26password%3D%7B%25password%25%7D

Best regards.

Simon Bennetts

Dec 22, 2014, 5:13:30 AM
to zaprox...@googlegroups.com
You can use the ZAP API UI to see the requests in action; it is linked off the "Tools / Browser API" menu.
It's very basic but allows you to try out all of the API calls and see the responses in all supported formats.

Simon

Janitha Tennakoon

Dec 22, 2014, 6:04:48 AM
to zaprox...@googlegroups.com
Thanks thc202. Now I have the authMethodConfigParams correct. But I still can't get past the login page. In the POST request the username is ZAP and the password is ZAP. I have the user created and enabled.

Janitha Tennakoon

Dec 22, 2014, 6:05:33 AM
to zaprox...@googlegroups.com
Yes, I am using the ZAP API UI to confirm my requests. 

thc...@gmail.com

Dec 22, 2014, 6:32:40 AM
to zaprox...@googlegroups.com
It's normal/expected that the spider submits the login form with ZAP/ZAP
as it doesn't know that's the login form, although it should keep
spidering other pages with an authenticated session.
Note that you can exclude the login (and logout) page from the spider so
it doesn't submit it.

Which seeds (i.e. pages) are you using for the spider? Root page?

Could you check, in the "History" tab, that the authentication requests
are being sent (and are successful)?
If no request is being sent then there's still something missing in the
authentication setup.

Best regards.

Janitha Tennakoon

Dec 22, 2014, 6:54:35 AM
to zaprox...@googlegroups.com
I am using the root page for spidering. When using the command line tool the History tab is empty. But when I use the UI with the same settings it sends the POST requests with the correct username and password, with the output saying "Authentication Successful". But it still cannot pass through the login page.


Janitha Tennakoon

Dec 23, 2014, 8:55:55 PM
to zaprox...@googlegroups.com
Thanks thc202. I finally managed to do it correctly. The problem was the parameters that were passed to spider scanAsUser. Thanks again.

Simon Bennetts

Dec 30, 2014, 7:03:34 AM
to zaprox...@googlegroups.com
Great.

I don't suppose you could post the sanitized API calls that worked for you? E.g. in the REST format:

http://zap/JSON/context/action/newContext/?zapapiformat=JSON&contextName=test
http://zap/JSON/context/action/includeInContext/?zapapiformat=JSON&contextName=test&regex=\Qhttp%3A%2F%2Fwww.example.com%3A8080%2Fexample\E.*
etc

We know the API needs to be much more thoroughly documented, and one thing I'd love to see is a set of sanitized 'API recipes' based on real examples from ZAP users.
This could be the first one of them :)

Many thanks,

Simon

Janitha Tennakoon

Jan 5, 2015, 7:31:33 AM
to zaprox...@googlegroups.com
Sorry, I will be unable to provide the exact same REST calls. But I will provide the skeleton of the calls using the following URL.

1. Create a new context (creates a new context called "test")

Let's assume that the context id of the created context is 1.

2. Include in the context (this is the regex form - \Qhttp://www.example.com\E.*)

3. Set authentication (here the authMethodConfigParams should be URL encoded; in the example I passed authMethodConfigParams as loginUrl=http%3A%2F%2Fexample.com%2Flogin%2F&loginRequestData=username%3D%7B%25username%25%7D%26password%3D%7B%25password%25%7D and the login URL as http://example.com/login)

4. Set login indicator (here I used "<logout>" as the login indicator)

5. Create new user

Let's assume the created user id is 0.

6. Add user credentials (passed username as 'test' and password as 'mypassoword')

7. Enable user

8. Spider URL as user (the URL must be URL encoded)

9. Active scan

10. Generate XML report.
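The two encoding layers thc202 described on Dec 22 and steps 1-8 of the recipe above, as an added Python example (not code from this thread or from the ZAP project). It only builds the REST URLs and never contacts ZAP; parameter names follow the ZAP 2.x API, the context id 1 and user id 0 are assumed as in the post, and the API key newer ZAP releases require is omitted.

```python
"""ZAP REST API calls for this thread's form-based-auth recipe.

Added example, not code from the thread or the ZAP project; it only builds
URLs, nothing is sent. The API key newer ZAP releases require is omitted.
"""
from urllib.parse import parse_qs, urlencode, urlparse

ZAP_BASE = "http://zap/JSON"  # API host used in Simon's examples


def api_url(component, action, **params):
    """REST URL for one ZAP API action; urlencode() is the outer encoding layer."""
    query = urlencode({"zapapiformat": "JSON", **params})
    return f"{ZAP_BASE}/{component}/action/{action}/?{query}"


def auth_method_config(login_url, login_request_data):
    """Inner layer: authMethodConfigParams is itself x-www-form-urlencoded.

    Sending the raw pairs (as in the Dec 21 post) fails because the '&' inside
    loginRequestData splits the outer query string and the field ends up empty.
    """
    return urlencode({"loginUrl": login_url, "loginRequestData": login_request_data})


def inner_config(url):
    """Undo both layers, to confirm what ZAP will actually store."""
    outer = parse_qs(urlparse(url).query)
    return {k: v[0] for k, v in parse_qs(outer["authMethodConfigParams"][0]).items()}


def auth_recipe(context_name, include_regex, login_url, login_request_data,
                indicator_regex, username, password, seed_url,
                context_id="1", user_id="0"):
    """Steps 1-8 of Janitha's recipe as URLs (ids 1 and 0 assumed, as in the post)."""
    creds = urlencode({"username": username, "password": password})
    return [
        api_url("context", "newContext", contextName=context_name),
        api_url("context", "includeInContext", contextName=context_name, regex=include_regex),
        api_url("authentication", "setAuthenticationMethod", contextId=context_id,
                authMethodName="formBasedAuthentication",
                authMethodConfigParams=auth_method_config(login_url, login_request_data)),
        api_url("authentication", "setLoggedInIndicator", contextId=context_id,
                loggedInIndicatorRegex=indicator_regex),
        api_url("users", "newUser", contextId=context_id, name=username),
        api_url("users", "setAuthenticationCredentials", contextId=context_id,
                userId=user_id, authCredentialsConfigParams=creds),
        api_url("users", "setUserEnabled", contextId=context_id, userId=user_id, enabled="true"),
        api_url("spider", "scanAsUser", url=seed_url, contextId=context_id, userId=user_id),
    ]
```

Checking `inner_config()` on the third URL is the offline equivalent of confirming in the GUI that loginRequestData is no longer empty.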

Simon Bennetts

Jan 6, 2015, 5:58:58 AM
to zaprox...@googlegroups.com
That's great - many thanks!

Simon

Mukila Sri

Apr 14, 2016, 12:13:14 AM
to OWASP ZAP User Group
Hi, I am new to ZAP and am trying to test a website with user authentication using a similar command line tool (developed using Python). Thanks to Janitha Tennakoon!! The content shared was helpful. I could also see that in OWASP ZAP 2.4.3 Active scan acts a bit differently from Active-scan-as-user (an active scan done by setting the user and context in the dialog box that pops up on Ctrl+Alt+A). In Active-scan-as-user multiple sessions are created and multiple authentications are carried out, whereas in active-scan only one such action occurs. Is it expected behavior?

Well, if so my assumption is correct, and if I try to implement the same using ZAP API calls, both calls act the same, meaning the ZAP API calls zap.ascan.scan() and zap.ascan.scan_as_user() act similarly. I used the ZAP API in the browser (http://zap/UI/ascan/action/) to check ZAP's behavior. I always observed that even after calling zap.ascan.scan_as_user() with context ID and user ID, the Active scan dialog box's scope tab doesn't set the context and user; every time it requests a manual selection. Is there any other option to set these (starting point, context, user) in the Active-scan dialog box using API calls, so that active-scan-as-user can be carried out without manual selection? By the way, did I miss something that has to be done to active scan as user? Please guide me through.


Thanks in advance,
Mukila