Form-based authentication on AJAX Spider fails


christian kolbl

Nov 30, 2021, 7:02:31 PM11/30/21
to OWASP ZAP User Group
Hi,

I am trying to spider a site behind a form-based authentication.
Let's say my username=testuser and my password=123 and the input fields are called "username" and "password".

So I added "username" and "password" to
- Form Handler
- Context:
-- Authentication:
--- Target URL: the URL from the "action" attribute
--- URL to GET Login Page: localhost:8765/myloginpage
--- POST data: username={%username%}&password={%password%}
--- Username Parameter: username
--- Password Parameter: password
-- User: testuser
-- Forced User: testuser

Session and CSRF cookies seem to be recognized correctly (JSESSIONID & _csrf).

AJAX Spider dialog:
- "Use random values in form field" -> disabled
- Context: Default (since it's the only one I have)
- User: testuser

Remarks:
- The "URL to GET Login Page" is a generic page which is a single login page, let's say localhost:8765/myloginpage, with a lot of GET parameters like "clientId", "redirect_uri", "nonce", ... I cannot figure out how this comes into play.

- When looking at the logs of the AJAX Spider I do see a 200 response, but:
1. I cannot "see" the actual page during spidering with a non-headless browser.
2. The site is a single-page application. The response includes the application's response for disabled JavaScript ("this site doesn't work properly without JavaScript enabled").

Now I am totally confused. Am I doing something wrong? Has the site been spidered?

And: how do I configure the credentials from the spider for Attack mode?

Many thanks,
Christian

Simon Bennetts

Dec 1, 2021, 4:16:57 AM12/1/21
to OWASP ZAP User Group
Hi Christian,

That's not the right way to handle this situation.
You need to configure ZAP to handle the authentication.

We do have some new authentication docs at https://www.zaproxy.org/docs/authentication/ but these are still being worked on.

Cheers,

Simon
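As an added example (not from either poster), the context Christian describes expressed as a ZAP Automation Framework plan, which is the configuration route Simon's reply points toward; the http scheme, the form action path and the logged-in marker are assumptions to be replaced with the real values.

```yaml
env:
  contexts:
  - name: "Default Context"
    urls:
    - "http://localhost:8765"   # scheme assumed; the post gives only host:port
    authentication:
      method: "form"
      parameters:
        # ZAP requests this page first so the _csrf token in it can be
        # picked up, then submits the login request below.
        loginPageUrl: "http://localhost:8765/myloginpage"
        # Placeholder: replace with the URL from the form's "action" attribute.
        loginRequestUrl: "http://localhost:8765/<form-action-path>"
        loginRequestBody: "username={%username%}&password={%password%}"
      verification:
        method: "response"
        # Placeholder: a string that appears only in an authenticated response.
        loggedInRegex: "LOGGED_IN_MARKER"
    sessionManagement:
      method: "cookie"          # JSESSIONID is a cookie-based session
    users:
    - name: "testuser"
      credentials:
        username: "testuser"
        password: "123"
  parameters:
    failOnError: true
    progressToStdout: true
jobs:
- type: "spiderAjax"
  parameters:
    context: "Default Context"
    user: "testuser"            # crawl as the authenticated user
    url: "http://localhost:8765"
    randomInputs: false         # same as unticking "Use random values in form field"
    maxDuration: 5
    browserId: "firefox-headless"
```

Run it with `zap.sh -cmd -autorun plan.yaml`; with progressToStdout enabled the spiderAjax job reports whether the user's login and verification succeeded before crawling.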