Session script not resolving

Bernie Jordaan

Sep 4, 2025, 9:12:08 AM
to ZAP User Group

Hi,

We are using ZAP 2.16.1 with the automation framework in CI/CD pipelines on Azure DevOps as a vulnerability assessment tool. Recently our site got updated and login via username and password is now only available on the API.

I am trying to use script-based authentication and session management, but for some reason when running the automation plan ZAP is unable to resolve the session management script unless I provide it with a full path to the script, which isn't ideal since the path on the CI/CD pipeline isn't a fixed path. The paths for the session script, auth script, OpenAPI and GraphQL files are the same except for the filename. The other files can resolve without an issue.

If I run the automation plan locally through the ZAP GUI, it runs and the scripts are used without any errors, albeit specifying the full path to the scripts.

Error screenshots:

If I cause the auth script name to be invalid I get an error message that it can’t read the script, but it converted the environment variable ${apiFilesDirectory} to a path.

Other things I tried were updating the folder name so that it does not have a space in the name, and specifying the path in the automation script with quotes “” and without. As a workaround I tried specifying only a partial path, but that did not work.

There might be a bug in the session script path resolving?

I have attached the auth, session scripts and automation plan.

Any assistance is appreciated

Regards

Bernie

SessionHandler.txt
zap-quick-scan-automation.template.yaml
ZapAuthScript.txt

Bernie Jordaan

Sep 8, 2025, 4:28:53 AM
to ZAP User Group
Re-adding the screenshots


PathInfoSession-script.png

SessionScript-error1.png

Force invalid path auth script

PathInfoInvalidAuth-script.png
InvalidAuth-script-errors.png

Partial path for session script

Using partial path

DevOps\Pipelines\templates\tools\zap-scan-utilities
PathInfoPartialPath-Session-script.png

PathInfoPartialPath-Session-script-error.png
Directory listing from build server DevOps\Pipelines\templates\tools\zap-scan-utilities

DirectoryListing.png

kingthorin+zap

Sep 9, 2025, 9:35:40 AM
to ZAP User Group
Did you load the scripts before you tried to use the scripts?

Bernie Jordaan

Sep 9, 2025, 10:18:18 AM
to zaprox...@googlegroups.com
Hi,

Previously I haven't, because when running the automation plan locally I didn't need to load them outside of the context setup. However, I did try adding script add steps to the automation plan after the context and alert steps. It made no difference. The automation plan still fails with the same error.

Here is the script add step code

- type: script
  parameters:
    name: SessionHandler.js
    type: session
    action: add
    engine: "ECMAScript : Graal.js"
    source: "${apiFilesDirectory}\\SessionHandler.js"

Attached is the full automation plan with the update 



zap-quick-scan-automation.template.yaml

Simon Bennetts

Sep 15, 2025, 7:05:36 AM
to ZAP User Group
This looks like it's a bug in ZAP.
We're investigating and will report back with our findings.

Thanks for reporting this problem,

Simon

Simon Bennetts

Sep 15, 2025, 11:51:46 AM
to ZAP User Group
This should be fixed in the latest ZAP Weekly.
Can you try it out and see if it works for you?

Cheers,

Simon

Bernie Jordaan

Sep 16, 2025, 3:45:30 AM
to zaprox...@googlegroups.com
Thanks Simon,

Just to clarify, is it the ZAP weekly build that got released yesterday or would it be the one for next week?

Regards

Bernie Jordaan

kingthorin+zap

Sep 16, 2025, 6:26:13 AM
to ZAP User Group
Yesterday's

Bernie Jordaan

Sep 18, 2025, 3:37:59 AM
to zaprox...@googlegroups.com
Thanks everyone. I got the latest weekly release and it works.

kingthorin+zap

Sep 18, 2025, 11:12:36 AM
to ZAP User Group
Thanks for letting us know :)