Questions about form-based-authentication


Anderson Christine

Jul 5, 2023, 4:03:09 AM
to zaprox...@googlegroups.com
Dear Group and Developers:

Recently, I have been trying to use the form-based authentication function from the Getting Authenticated API paragraph. After completing the "IncludeContext" API process, I then tried to use the SetAuthenticationMethod API, but after I used Postman to send the URL below

http://localhost:8080/JSON/authentication/action/setAuthenticationMethod/?apikey=myprivateapikey&contextId=1&authMethodName=formBasedAuthentication&authMethodConfigParams=loginUrl=http://localhost:8090/bodgeit/login.jsp%26loginRequestData=username={%username%}%26password={%password%}
the result returned by Postman is OK, but the ZAP UI shows like this
image.png
Is it the correct response, as the username parameter and password parameter show like this?

Thanks a lot and have a nice day ~ 

psiinon

Jul 5, 2023, 8:55:03 AM
to zaprox...@googlegroups.com
Hiya,

No, that does not look correct - the "Login Request POST Data" has not been set.
You may need to escape that part of the URL in some way.

Cheers,

Simon



--
OWASP ZAP Project leader

洪嘉佑

Jul 5, 2023, 9:56:28 AM
to zaprox...@googlegroups.com
Hi, 

Isn't the "Login Request POST Data" set by the "SetAuthenticationMethod" API in my URL? Or did I send the wrong URL?

GET http://localhost:8080/JSON/authentication/action/setAuthenticationMethod/?apikey=myprivateapikey&contextId=1&authMethodName=formBasedAuthentication&authMethodConfigParams=loginUrl=http://localhost:8090/bodgeit/login.jsp%26loginRequestData=username={%username%}%26password={%password%}

If I sent the wrong URL, which part is wrong, and how can I fix it?


Thank you



psiinon <psi...@gmail.com> wrote on Wed, Jul 5, 2023 at 8:55 PM:

psiinon

Jul 5, 2023, 10:16:50 AM
to zaprox...@googlegroups.com
It all depends on how Postman is encoding it.
I would have hoped it would have encoded it correctly, but the fact that it's not shown in the UI implies it didn't.
It's the "{%username%}%26password={%password%}" part that will need encoding.
Try changing it to:
  • %7B%25username%25%7D%2526password%3D%7B%25password%25%7D
That was c/o the ZAP Encode/Decode/Hash dialog ;)

洪嘉佑

Jul 5, 2023, 11:17:59 AM
to zaprox...@googlegroups.com
Hi,

But I set the authMethodConfigParams as in the document

image.png

image.png


but the UI still shows like this

image.png

psiinon <psi...@gmail.com> wrote on Wed, Jul 5, 2023 at 10:16 PM:

洪嘉佑

Jul 6, 2023, 4:42:45 AM
to zaprox...@googlegroups.com
Hi,
I also found out that I can only send "username%3D%7Busername%7D", which means "username={username}", and if I send this, the UI shows like this

image.png
image.png

but when I modify it into "username%3D%7B%25username%25%7D", which means "username={%username%}",
the UI can't display it anymore

image.png
image.png


Also, when I type %26, which means "&", the strings after the "%26" can't be displayed either
image.png
image.png

I am curious why this happened, or if there is something wrong that I don't know about.

洪嘉佑 <irving...@gmail.com> wrote on Wed, Jul 5, 2023 at 11:17 PM:
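As an added example (not code from this thread or from the ZAP project), the following Python script shows the two levels of percent-encoding that psiinon's reply describes and that the later observations about `%26` and `{%username%}` run into. The `authMethodConfigParams` value is itself a `key=value&key=value` string, so its values are encoded once, and the whole string is then encoded again as a single value of the outer API query; any `&`, `=`, `{`, `}` or `%` that is only encoded once is consumed by the outer parse. The endpoint, parameter names and values are taken from the thread. The receiving side is modelled as a plain split-and-decode, not as ZAP's own parsing, and the strict decoder is an assumption: it rejects malformed escapes such as `%us`, which Java's `URLDecoder` also does, and that is one plausible reason the UI shows nothing for the single-encoded `{%username%}`.

```python
# Added example (not from the thread or the ZAP project): building the
# setAuthenticationMethod URL with two levels of percent-encoding, and a
# model of the two-level decoding on the receiving side.
import re
from urllib.parse import quote, unquote, urlencode

# Endpoint, parameter names and values as posted in the thread.
ZAP_ENDPOINT = "http://localhost:8080/JSON/authentication/action/setAuthenticationMethod/"
LOGIN_URL = "http://localhost:8090/bodgeit/login.jsp"
LOGIN_REQUEST_DATA = "username={%username%}&password={%password%}"

# The original poster's single-encoded URL, copied from the thread.
POSTED_URL = (
    ZAP_ENDPOINT
    + "?apikey=myprivateapikey&contextId=1&authMethodName=formBasedAuthentication"
    + "&authMethodConfigParams=loginUrl=http://localhost:8090/bodgeit/login.jsp"
    + "%26loginRequestData=username={%username%}%26password={%password%}"
)

# A '%' that is not followed by two hex digits is a malformed escape.
_BAD_ESCAPE = re.compile(r"%(?![0-9A-Fa-f]{2})")


def strict_unquote(s: str) -> str:
    """Percent-decode but reject malformed escapes such as '%us'.
    Assumption: models a strict decoder (Java's URLDecoder behaves this way);
    this is not ZAP's own code."""
    if _BAD_ESCAPE.search(s):
        raise ValueError(f"malformed percent-escape in {s!r}")
    return unquote(s)


def encode_config_params(login_url: str, login_request_data: str) -> str:
    """Inner level: encode each config value once and join with '&' and '='.
    The '&', '{', '}' and '%' inside loginRequestData become %26, %7B, %7D, %25."""
    return urlencode(
        {"loginUrl": login_url, "loginRequestData": login_request_data},
        quote_via=quote, safe="",
    )


def build_request_url(api_key: str, context_id: str, config_params: str) -> str:
    """Outer level: the whole config string is one query value and is encoded
    again, so every '%' produced by the inner level becomes '%25'."""
    query = urlencode(
        {
            "apikey": api_key,
            "contextId": context_id,
            "authMethodName": "formBasedAuthentication",
            "authMethodConfigParams": config_params,
        },
        quote_via=quote, safe="",
    )
    return f"{ZAP_ENDPOINT}?{query}"


def _split_query(query: str, decode) -> dict:
    """Split 'k=v&k2=v2' on '&' and '=' and decode both sides."""
    out = {}
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        out[decode(key)] = decode(value)
    return out


def decode_config_params(url: str, strict: bool = True) -> dict:
    """Model of the receiving side: decode the outer query, then split and
    decode the authMethodConfigParams value a second time."""
    decode = strict_unquote if strict else unquote
    outer = _split_query(url.split("?", 1)[1], decode)
    return _split_query(outer["authMethodConfigParams"], decode)


def decodes_strictly(url: str) -> bool:
    """True if a strict decoder accepts every percent-escape in the URL."""
    try:
        decode_config_params(url, strict=True)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    good = build_request_url("myprivateapikey", "1",
                             encode_config_params(LOGIN_URL, LOGIN_REQUEST_DATA))
    print(good)
    print(decode_config_params(good))
    # The posted URL: a strict decoder rejects '%us', and a lenient one splits
    # on the single-encoded '&', so the password field becomes a stray key.
    print(decodes_strictly(POSTED_URL))
    print(decode_config_params(POSTED_URL, strict=False))
```

Run it and compare the two decodes: the double-encoded URL round-trips to the original `loginUrl` and `loginRequestData`, while the posted URL either fails strict decoding or, decoded leniently, loses `password={%password%}` from `loginRequestData` into a separate key. That matches the observation that everything after a single `%26` disappears. In practice, let the HTTP client do the outer encoding (Postman's params table or `requests`' `params=`) and only hand it the once-encoded config string; encoding by hand at both levels is where the mistakes creep in.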