ZAP Authentication failing.


Mahidhar

Feb 25, 2026, 9:38:56 AM
to ZAP User Group
Hey Simon,
I am opening the frontend website using domain.net and it's hitting the backend company.net, another server.
This is my automation file. The login URL actually has a custom header, so I injected it using loginRequestHeaders, which is the customer name. Still, I am getting login failed in the auth report.
I have used the browser-based script as well, with auto-detect mode and pollUrl as well; post authentication I am still getting an error.
For browser-based automation I am getting this error:
"summaryItems": [
        {
                "description": "Authentication failed",
                "passed": false,
                "key": "auth.summary.auth"
        },
        {
                "description": "Username field identified",
                "passed": true,
                "key": "auth.summary.username"
        },
        {
                "description": "Password field identified",
                "passed": true,
                "key": "auth.summary.password"
        },
        {
                "description": "Session Handling identified",
                "passed": true,
                "key": "auth.summary.session"
        },
        {
                "description": "Verification URL identified",
                "passed": true,
                "key": "auth.summary.verif"
        }
],
"failureReasons": [
        {
                "key": "auth.failure.no_successful_logins",
                "description": "No successful logins."
        },
        {
                "key": "auth.failure.logged_in",
                "description": "No indication found of being logged in."
        }
]

env:
  vars:
    hosts: &ref_0
  contexts:
    - name: ZAP-Context-1772029837480
      urls: *ref_0
      includePaths:
      excludePaths:
      authentication:
        method: json
        parameters:
          loginRequestBody: |-
            {
              "loginId": "{%username%}",
              "password": "{%password%}"
            }
          loginRequestHeaders: |-
            Content-Type: application/json
            customer-name: ExampleCustomer
          loginPageWait: 10
        verification:
          method: response
          loggedInRegex: Login Authenticated
      sessionManagement:
        method: headers
        parameters:
          Authorization: Bearer {%json:results.accessToken%}
          customer-name: ExampleCustomer
      users:
        - name: zap-user
          credentials:
            username: vdummyuser
            password: cDyctpvGocOoBgsjIeUBIQe0Kvfa9LLTGTv8ps1gCtLdtI5P1Y+lIOunAi1F+b0oPd7qR2AHUDwh/Q2nNvPJlqy6jOK6dY+71OqGwrKIwFmVM+5EhpfY5CGJg+RjlR4+WlcekKOQZbXmoG9rWF4X2b4r6HvwHM3w/8ezKYhaPR5/EkScMdS1Q/E+gYWj2Co7y2wJcAIKAEgOUhOed3rbGmgt5rPvTmaVY5Bte/il7V7oOFkIxtudkYeM/MMPcI9QUZmSm+h6nJ3WJtalSQBkygR7Dam/99MhiDM6Q3KE7mU9ZO+5BLX8jzZ6Rg+GQZ27W80Cp/PdP52VlQXCX99EQ==
  parameters:
    failOnError: true
    failOnWarning: false
    progressToStdout: true
    continueOnFailure: false
jobs:
  - name: spider
    type: spider
    parameters:
      user: zap-user
      context: ZAP-Context-1772029837480
      maxDepth: 5
      maxChildren: 25
      maxDuration: 2
  - name: auth-json-report
    type: report
    parameters:
      template: auth-report-json
      reportDir: /zap/reports
      reportFile: auth-report.json
      reportTitle: ZAP Authenticated Report as JSON
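
Added example, not part of the original post and not ZAP project code: a pipeline gate that reads the auth report and fails closed when the scan was not actually authenticated, so an unauthenticated spider run is not mistaken for full coverage. It assumes the `summaryItems` and `failureReasons` arrays shown in the post sit at the top level of `auth-report.json`; the function names and the constructed sample are illustrative.

```python
import json
import sys

# Constructed sample: the two arrays from the report fragment in the post,
# wrapped in an object so it parses (all other report fields omitted).
SAMPLE_REPORT = json.loads("""
{
  "summaryItems": [
    {"description": "Authentication failed", "passed": false, "key": "auth.summary.auth"},
    {"description": "Username field identified", "passed": true, "key": "auth.summary.username"},
    {"description": "Password field identified", "passed": true, "key": "auth.summary.password"},
    {"description": "Session Handling identified", "passed": true, "key": "auth.summary.session"},
    {"description": "Verification URL identified", "passed": true, "key": "auth.summary.verif"}
  ],
  "failureReasons": [
    {"key": "auth.failure.no_successful_logins", "description": "No successful logins."},
    {"key": "auth.failure.logged_in", "description": "No indication found of being logged in."}
  ]
}
""")


def triage_auth_report(report):
    """Return (ok, failed_checks, failure_reason_keys) for a parsed report."""
    items = {i["key"]: bool(i.get("passed")) for i in report.get("summaryItems", [])}
    failed = sorted(k for k, passed in items.items() if not passed)
    reasons = [r["key"] for r in report.get("failureReasons", [])]
    # Fail closed: a missing auth.summary.auth entry counts as "not authenticated".
    ok = items.get("auth.summary.auth", False) and not reasons
    return ok, failed, reasons


def gate(report):
    """Exit status for a CI step: 0 only when authentication was confirmed."""
    ok, failed, reasons = triage_auth_report(report)
    if ok:
        return 0
    print("authenticated scan NOT confirmed", file=sys.stderr)
    print("  failed checks:   " + (", ".join(failed) or "(none listed)"), file=sys.stderr)
    print("  failure reasons: " + (", ".join(reasons) or "(none listed)"), file=sys.stderr)
    return 1


if __name__ == "__main__":
    # With a path argument, gate on that file; otherwise use the constructed sample.
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_REPORT
    sys.exit(gate(data))
```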

Mahidhar

Feb 27, 2026, 4:35:09 AM
to ZAP User Group

Never mind, I have fixed it. Quite complicated, ZAP.

Simon Bennetts

Feb 27, 2026, 5:38:05 AM
to ZAP User Group
That's good to hear.
ZAP is quite complicated because web apps can work in so many weird and wonderful ways ;)
Do you have any specific suggestions as to how we could make ZAP easier to use and understand?

Cheers,

Simon

Sai Mahidhar

Feb 28, 2026, 7:53:01 AM
to zaprox...@googlegroups.com
Hi Simon, sure, I will share some important lessons I learnt; that will probably help with better documentation.
