OWASP ZAP against Netlify password protected site


Benjamin Sproule

Feb 26, 2021, 4:58:53 AM
to OWASP ZAP User Group
I posted this on StackOverflow, but someone recommended to discuss it here.

I need to run OWASP ZAP against one of our sites running on Netlify, but it is password protected (see screenshot for what I mean). For those who don't know how it works, when you visit the site, Netlify returns a 401 with the response of the request being the form. The form takes a password (input name is password) and POSTs it to the same URL (so https://myapp.netlify.app/ returns 401 and then the form POSTs it to https://myapp.netlify.app). I've created the context that should work, but I don't think it likes the 401 being returned as the same URL as the POST.

I'm sure I'm just doing a really stupid thing, but here is the relevant snippet from the config:

<authentication>
    <type>2</type>
    <strategy>EACH_RESP</strategy>
    <pollurl/>
    <polldata/>
    <pollheaders/>
    <pollfreq>60</pollfreq>
    <pollunits>REQUESTS</pollunits>
    <form>
        <loginurl>https://myapp.netlify.app</loginurl>
        <loginbody>password={%password%}</loginbody>
        <loginpageurl>https://myapp.netlify.app</loginpageurl>
    </form>
</authentication>

I also tried this snippet, in case it required the username (the UI kept enforcing the use of username):

<authentication>
    <type>2</type>
    <strategy>EACH_RESP</strategy>
    <pollurl/>
    <polldata/>
    <pollheaders/>
    <pollfreq>60</pollfreq>
    <pollunits>REQUESTS</pollunits>
    <form>
        <loginurl>https://myapp.netlify.app</loginurl>
        <loginbody>username={%username%}&amp;password={%password%}</loginbody>
        <loginpageurl>https://myapp.netlify.app</loginpageurl>
    </form>
</authentication>

[screenshot attachment: i0Y4S.png]
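Simon's reply below asks which request ZAP actually sends during the authentication sequence. The following script is an added example (not ZAP's own code and not from this thread): it parses the <authentication> block of a context file in the shape posted above, renders the login POST that block describes by substituting the {%username%} and {%password%} placeholders, and lists the points worth checking before a scan (login page and login URL being the same, whether the body expects a username the site never asks for, and that the packaged scan scripts still need a context user passed with -U). The sample context, the credentials, and the assumption that values are percent-encoded like a browser form submission are all constructed for the example.

```python
"""Render and review the login request described by a ZAP form-auth context.

Added example: reads the <authentication> element of a ZAP context file,
substitutes the credential placeholders, and returns the POST that the
settings describe so it can be compared with a working manual login.
"""
import xml.etree.ElementTree as ET
from urllib.parse import parse_qsl, quote_plus

# Constructed sample: the first snippet from the thread, wrapped in a minimal
# <context> root so it parses as a stand-alone document.
SAMPLE_CONTEXT = """<context>
  <authentication>
    <type>2</type>
    <strategy>EACH_RESP</strategy>
    <pollurl/>
    <polldata/>
    <pollheaders/>
    <pollfreq>60</pollfreq>
    <pollunits>REQUESTS</pollunits>
    <form>
      <loginurl>https://myapp.netlify.app</loginurl>
      <loginbody>password={%password%}</loginbody>
      <loginpageurl>https://myapp.netlify.app</loginpageurl>
    </form>
  </authentication>
</context>"""

FORM_AUTH_TYPE = "2"  # <type> value used for form-based auth in the thread's snippet


def parse_form_auth(xml_text):
    """Return the form-auth settings as a dict; raise if the block is absent."""
    root = ET.fromstring(xml_text)
    auth = root.find("authentication")
    if auth is None:
        raise ValueError("no <authentication> element in context")
    form = auth.find("form")
    if form is None:
        raise ValueError("no <form> element: not form-based authentication")

    def text(element, name):
        child = element.find(name)
        return (child.text or "").strip() if child is not None else ""

    return {
        "type": text(auth, "type"),
        "strategy": text(auth, "strategy"),
        "loginurl": text(form, "loginurl"),
        "loginbody": text(form, "loginbody"),
        "loginpageurl": text(form, "loginpageurl"),
    }


def render_login_request(auth, username, password):
    """Substitute placeholders and return (method, url, decoded form fields).

    Assumption of this example: credential values are percent-encoded the way
    a browser encodes an application/x-www-form-urlencoded body.
    """
    body = auth["loginbody"]
    body = body.replace("{%username%}", quote_plus(username))
    body = body.replace("{%password%}", quote_plus(password))
    fields = dict(parse_qsl(body, keep_blank_values=True))
    return "POST", auth["loginurl"], fields


def review_form_auth(auth):
    """Return notes a user would want to check before launching a scan."""
    notes = []
    if auth["type"] != FORM_AUTH_TYPE:
        notes.append(f"type is {auth['type']!r}, expected {FORM_AUTH_TYPE!r} (form-based)")
    if auth["loginurl"] == auth["loginpageurl"]:
        notes.append("login page URL and login URL are the same: the GET returns "
                     "the form and the POST goes back to the same URL")
    if "{%username%}" not in auth["loginbody"]:
        notes.append("login body carries no username placeholder: password-only form")
    if "{%password%}" not in auth["loginbody"]:
        notes.append("login body carries no password placeholder")
    notes.append("credentials come from a context user: pass it to "
                 "zap-baseline.py / zap-full-scan.py with -U <user>")
    return notes


if __name__ == "__main__":
    settings = parse_form_auth(SAMPLE_CONTEXT)
    method, url, fields = render_login_request(settings, "testuser", "s3cret")
    print(method, url, fields)
    for note in review_form_auth(settings):
        print("-", note)
```

Running the script prints the POST to https://myapp.netlify.app with a single password field, plus the review notes. Feeding it the second snippet from the thread (the one with username={%username%}&amp;password={%password%}) shows that the XML entity is decoded to a plain ampersand and that the rendered body then carries both fields, which is exactly the difference to look for when comparing against a working login captured in the browser.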

Simon Bennetts

Feb 26, 2021, 5:04:44 AM
to OWASP ZAP User Group
Hi Benjamin :)

As I mentioned on StackOverflow - debugging authentication flows is _really_ hard without access to the application.
If that doesn't help then let us know which requests ZAP makes as part of the authentication sequence and how these differ from a working example.

Cheers,

Simon

Benjamin Sproule

Feb 26, 2021, 5:47:36 AM
to OWASP ZAP User Group
Hi,

So I went to get the output from the UI using the context and it's working (use the spider, active scan the site, etc.). The problem is that when I try to use the docker image, it doesn't seem to even try and login.

I've tried running:
zap-baseline.py -t https://myapp.netlify.app/ -r testreport.html -n /zap/wrk/security/myapp.context
And
zap-full-scan.py -t https://myapp.netlify.app/ -r testreport.html -n /zap/wrk/security/myapp.context

They both basically print out a whole load of issues but all with:

There are a lot more pages than that, but I'm assuming that because it can't get past the Netlify global password form, it can't find anything.

Ben

Simon Bennetts

Feb 26, 2021, 5:53:10 AM
to OWASP ZAP User Group
If only we had a video which walked you through setting up automation in a packaged docker scan :/
Oh wait, we've just published one :D https://www.youtube.com/watch?v=BOlalxfdLbU

Benjamin Sproule

Feb 26, 2021, 5:56:26 AM
to OWASP ZAP User Group
I watched a video earlier (I think it's one of yours) and I've literally just realised my problem (you kind of made the same mistake in the video). I forgot to provide which user...

Should be using:
zap-baseline.py -t https://myapp.netlify.app/ -r testreport.html -n /zap/wrk/security/myapp.context -U testuser

It's always the simple things...

Thanks for your help!
Ben

Simon Bennetts

Feb 26, 2021, 6:20:59 AM
to OWASP ZAP User Group
Good to hear it's working for you now!