Jenkins/ZAP Authentication through SSO/OAM


TejB

Nov 2, 2017, 3:51:16 PM
to OWASP ZAP User Group
I'm trying to set up ZAP automated scanning within the Jenkins build process. I'm using form-based authentication and have entered the username, password, and extra POST data parameters. I can log in via ZAP (the GUI) just fine, but when I try to do it during the build process, it fails. At this point, I'm just trying to Spider the application as an authenticated user.

ZAP v2.6.0
Jenkins 2.78
Java 1.8.144

Session Properties:
Include in Context:

Exclude from Context:
None

Authentication (Form Based):
Username: myuser
Password: mypass
Logged out Indicator .*\QCookie: ObSSOCookie=(loggedout|loggedoutcontinue)\E.*

Username Parameter: username
Password Parameter: password
Extra POST Data: submit=Login

Attack Mode (Just trying to Spider for now):
Spider Scan (checked)
Recurse (checked)


Thanks in advance

flocker

Nov 3, 2017, 4:26:30 AM
to OWASP ZAP User Group
Hi,

Every time I have issues with the authentication process, my first look is at the logged in/out indicators. Your logged out indicator seems malformed. The \Q...\E markers are the symbols for quoted literals: everything between those symbols is taken literally, so the parentheses and the pipe "|" are taken literally, not as the "GROUP" and the "OR" symbols as you expected.

As there is no special character to escape, you can delete the \Q...\E symbols, as well as the .*, which are unnecessary (@developers: correct me if I'm wrong).

For your case, I'd try either

Cookie: ObSSOCookie=(loggedout|loggedoutcontinue)

or, if you really want to use the \Q...\E symbols,

\QCookie: ObSSOCookie=\E(\Qloggedout\E|\Qloggedoutcontinue\E)

Hope this helps,

F.

TejB

Nov 3, 2017, 8:35:01 AM
to OWASP ZAP User Group
@flocker, thanks for the response.
I removed the Cookie: and tried just ObSSOCookie=(loggedout|loggedoutcontinue), because sometimes the response is Set-Cookie and sometimes the cookie is already in the header but set to one of those values. Either way, I also removed the \Q...\E per your recommendation, but I'm getting the same responses. It's not authenticating and not Spidering.

Any other ideas?  I've been banging my head on this one for a while.
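To make flocker's point about \Q...\E concrete, and to see how the variant TejB tried next behaves, here is an added example (not code from the thread, from ZAP, or from the Jenkins plugin) that compiles each logged-out indicator quoted above and runs it over a few constructed message fragments. The fragments are made up for this test, not captured from an OAM server; the cookie name and values are the ones from the thread. Go's RE2 engine is used because it reads \Q...\E the same way Java's regex engine (and therefore ZAP) does, so the patterns can be tried exactly as written.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
)

// The logged-out indicator patterns quoted in the thread, compiled exactly as
// written. Go's RE2 engine reads \Q...\E the same way java.util.regex does
// (everything between the markers is a literal), so the results mirror what
// ZAP, which is Java, makes of each pattern.
var Indicators = map[string]string{
	"original (TejB)":   `.*\QCookie: ObSSOCookie=(loggedout|loggedoutcontinue)\E.*`,
	"flocker, unquoted": `Cookie: ObSSOCookie=(loggedout|loggedoutcontinue)`,
	"flocker, quoted":   `\QCookie: ObSSOCookie=\E(\Qloggedout\E|\Qloggedoutcontinue\E)`,
	"TejB, second try":  `ObSSOCookie=(loggedout|loggedoutcontinue)`,
}

// Constructed message fragments, not captured from a real OAM server: the two
// logged-out forms TejB describes, a logged-in session for contrast, and the
// one string the original pattern can actually match.
var Samples = map[string]string{
	"set-cookie loggedout":     "HTTP/1.1 302 Found\r\nSet-Cookie: ObSSOCookie=loggedout; path=/; domain=.mydom.tld\r\n\r\n",
	"cookie loggedoutcontinue": "HTTP/1.1 200 OK\r\nCookie: ObSSOCookie=loggedoutcontinue\r\n\r\n",
	"logged-in session":        "HTTP/1.1 200 OK\r\nSet-Cookie: ObSSOCookie=dGVzdHNlc3Npb24; path=/\r\n\r\n",
	"literal parens and pipe":  "HTTP/1.1 200 OK\r\nCookie: ObSSOCookie=(loggedout|loggedoutcontinue)\r\n\r\n",
}

// IndicatorMatches compiles one indicator and reports whether it would flag
// the message as logged out. ZAP searches for the indicator in the message
// rather than anchoring it, so an unanchored MatchString is the right test.
func IndicatorMatches(pattern, message string) (bool, error) {
	re, err := regexp.Compile(pattern)
	if err != nil {
		return false, err
	}
	return re.MatchString(message), nil
}

// Matrix evaluates every indicator against every sample; keys are
// "<indicator>|<sample>".
func Matrix() (map[string]bool, error) {
	out := make(map[string]bool)
	for iname, pat := range Indicators {
		for sname, msg := range Samples {
			m, err := IndicatorMatches(pat, msg)
			if err != nil {
				return nil, fmt.Errorf("%s: %w", iname, err)
			}
			out[iname+"|"+sname] = m
		}
	}
	return out, nil
}

func main() {
	m, err := Matrix()
	if err != nil {
		panic(err)
	}
	keys := make([]string, 0, len(m))
	for k := range m {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	for _, k := range keys {
		fmt.Printf("%-50s %v\n", k, m[k])
	}
}
```

Two things fall out of the run. The original pattern matches only the sample that literally contains "(loggedout|loggedoutcontinue)", so it never fires on a real logged-out cookie, which is consistent with ZAP never treating the session as logged out. Also, because the indicator is searched rather than anchored, flocker's unquoted pattern already matches a Set-Cookie line ("Cookie: ObSSOCookie=" is a substring of "Set-Cookie: ObSSOCookie="), and the leading and trailing .* add nothing.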

thc...@gmail.com

Nov 3, 2017, 9:27:48 AM
to zaprox...@googlegroups.com
Do the same authentication settings work correctly when using just ZAP?

Best regards.

On 03/11/17 12:35, TejB wrote:
> *@flocker*, thanks for the response.
> I removed the Cookie: and tried just
> *ObSSOCookie=(loggedout|loggedoutcontinue)* due to the fact that sometimes

TejB

Nov 3, 2017, 9:56:50 AM
to OWASP ZAP User Group
Yes, I've confirmed it works via the ZAP UI.
Thanks

TejB

Nov 3, 2017, 3:54:04 PM
to OWASP ZAP User Group
More information...

It initially tries to do a login with the username/password parameters I set, but does not successfully authenticate. After this it tries to go to the starting point of the application to be Spidered and eventually gets redirected back to the Login Form Target URL again (https://auth.mydom.tld/oam/server/auth_cred_submit). However, after the multiple redirects, the username and password parameters are not passed like they are on the initial POST to the authentication page. Here is a snippet of the DEBUG log file after the "second" POST.

5585 [ZAP-SpiderThreadPool-0-thread-2] DEBUG httpclient.wire.header  - >> "POST /oam/server/auth_cred_submit HTTP/1.1[\r][\n]"
5585 [ZAP-SpiderThreadPool-0-thread-2] DEBUG org.apache.commons.httpclient.HttpMethodBase  - Adding Host request header
5585 [ZAP-SpiderThreadPool-0-thread-2] DEBUG httpclient.wire.header  - >> "User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0[\r][\n]"
5585 [ZAP-SpiderThreadPool-0-thread-2] DEBUG httpclient.wire.header  - >> "Pragma: no-cache[\r][\n]"
5585 [ZAP-SpiderThreadPool-0-thread-2] DEBUG httpclient.wire.header  - >> "Cache-Control: no-cache[\r][\n]"
5585 [ZAP-SpiderThreadPool-0-thread-2] DEBUG httpclient.wire.header  - >> "Content-Type: application/x-www-form-urlencoded[\r][\n]"
5585 [ZAP-SpiderThreadPool-0-thread-2] DEBUG httpclient.wire.header  - >> "Content-Length: 68[\r][\n]"
5586 [ZAP-SpiderThreadPool-0-thread-2] DEBUG httpclient.wire.header  - >> "Referer: https://auth.mydom.tld/oam/server/auth_cred_submit[\r][\n]"
5586 [ZAP-SpiderThreadPool-0-thread-2] DEBUG httpclient.wire.header  - >> "Host: auth.mydom.tld[\r][\n]"
5586 [ZAP-SpiderThreadPool-0-thread-2] DEBUG httpclient.wire.header  - >> "Cookie: 

...(snip)...

5586 [ZAP-SpiderThreadPool-0-thread-2] DEBUG httpclient.wire.header  - >> "[\r][\n]"
5587 [ZAP-SpiderThreadPool-0-thread-2] DEBUG httpclient.wire.content  - >> "username=ZAP&password=ZAP&request_id=215320061545358580&submit=Login"
5587 [ZAP-SpiderThreadPool-0-thread-2] DEBUG org.apache.commons.httpclient.methods.EntityEnclosingMethod  - Request body sent


Additionally, I highlighted the fact that the username is set to ZAP and the password is set to ZAP (this was unchanged from the log file), though they are not the actual username/password I set in the Jenkins parameter fields. I'm not sure why during the second redirect they are replaced with just ZAP/ZAP.

Thanks
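Reading the wire log by eye, as TejB does above, is how you spot that the second POST carried username=ZAP&password=ZAP. Here is an added example (not code from the thread, from ZAP, or from the Jenkins plugin) that does the same check mechanically: it reassembles the outgoing request from commons-httpclient wire-log lines and compares the credential parameters actually sent with the values configured in the session properties (parameter names username and password, values myuser and mypass, all taken from the first post). The sample log is the thread's own excerpt with the snipped Cookie header left out.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Sample input: the outgoing (">>") lines of the DEBUG excerpt posted in the
// thread, minus the snipped Cookie header. The commons-httpclient wire logger
// used by ZAP 2.6 prints every header line and the body in quotes, with CRLF
// rendered as the literal text [\r][\n].
const SampleWireLog = `5585 [ZAP-SpiderThreadPool-0-thread-2] DEBUG httpclient.wire.header  - >> "POST /oam/server/auth_cred_submit HTTP/1.1[\r][\n]"
5585 [ZAP-SpiderThreadPool-0-thread-2] DEBUG httpclient.wire.header  - >> "Content-Type: application/x-www-form-urlencoded[\r][\n]"
5585 [ZAP-SpiderThreadPool-0-thread-2] DEBUG httpclient.wire.header  - >> "Content-Length: 68[\r][\n]"
5586 [ZAP-SpiderThreadPool-0-thread-2] DEBUG httpclient.wire.header  - >> "Referer: https://auth.mydom.tld/oam/server/auth_cred_submit[\r][\n]"
5586 [ZAP-SpiderThreadPool-0-thread-2] DEBUG httpclient.wire.header  - >> "Host: auth.mydom.tld[\r][\n]"
5586 [ZAP-SpiderThreadPool-0-thread-2] DEBUG httpclient.wire.header  - >> "[\r][\n]"
5587 [ZAP-SpiderThreadPool-0-thread-2] DEBUG httpclient.wire.content  - >> "username=ZAP&password=ZAP&request_id=215320061545358580&submit=Login"
5587 [ZAP-SpiderThreadPool-0-thread-2] DEBUG org.apache.commons.httpclient.methods.EntityEnclosingMethod  - Request body sent
`

// WireRequest is one outgoing HTTP request reassembled from wire-log lines.
type WireRequest struct {
	RequestLine string            // e.g. "POST /oam/server/auth_cred_submit HTTP/1.1"
	Headers     map[string]string // header name -> value
	Body        string            // raw entity body, if any
}

// One outgoing wire-log line: kind is "header" or "content", payload is the
// quoted text with the surrounding quotes removed.
var wireLine = regexp.MustCompile(`DEBUG httpclient\.wire\.(header|content)\s+- >> "(.*)"$`)

// A request line starts a new request; anything else is a header or the
// blank line that terminates the header block.
var requestLine = regexp.MustCompile(`^[A-Z]+ \S+ HTTP/1\.[01]$`)

// ParseWireLog reassembles outgoing requests from httpclient wire-log lines.
func ParseWireLog(log string) []WireRequest {
	var reqs []WireRequest
	var cur *WireRequest
	for _, line := range strings.Split(log, "\n") {
		m := wireLine.FindStringSubmatch(line)
		if m == nil {
			continue // not a wire line (e.g. "Request body sent")
		}
		kind, payload := m[1], strings.TrimSuffix(m[2], `[\r][\n]`)
		switch {
		case kind == "content":
			if cur != nil {
				cur.Body += payload
			}
		case requestLine.MatchString(payload):
			reqs = append(reqs, WireRequest{RequestLine: payload, Headers: map[string]string{}})
			cur = &reqs[len(reqs)-1]
		case payload == "":
			// end of headers; body lines (if any) follow
		case cur != nil:
			if kv := strings.SplitN(payload, ": ", 2); len(kv) == 2 {
				cur.Headers[kv[0]] = kv[1]
			}
		}
	}
	return reqs
}

// FormParams decodes an application/x-www-form-urlencoded body.
func (r WireRequest) FormParams() (url.Values, error) {
	return url.ParseQuery(r.Body)
}

// CheckCredentials compares the credential parameters each POST actually
// carried with the values configured in ZAP and returns one finding per
// request whose credentials differ. The configured password is never echoed.
func CheckCredentials(reqs []WireRequest, userParam, passParam, wantUser, wantPass string) []string {
	var findings []string
	for _, r := range reqs {
		if !strings.HasPrefix(r.RequestLine, "POST ") {
			continue
		}
		params, err := r.FormParams()
		if err != nil {
			findings = append(findings, fmt.Sprintf("%s: unparseable body: %v", r.RequestLine, err))
			continue
		}
		gotUser, gotPass := params.Get(userParam), params.Get(passParam)
		if gotUser != wantUser || gotPass != wantPass {
			findings = append(findings, fmt.Sprintf("%s: sent %s=%q (configured %q); password sent: %q, matches configured value: %v",
				r.RequestLine, userParam, gotUser, wantUser, gotPass, gotPass == wantPass))
		}
	}
	return findings
}

func main() {
	reqs := ParseWireLog(SampleWireLog)
	for _, f := range CheckCredentials(reqs, "username", "password", "myuser", "mypass") {
		fmt.Println(f)
	}
}
```

On the thread's excerpt this reports one finding for the POST to /oam/server/auth_cred_submit, with both parameters equal to "ZAP" instead of the configured values. Run it over a full debug log (not just the snippet) and the same function also shows whether the first POST carried the real credentials, which is the comparison TejB is making by hand.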