Set Authentication successfully through API but login request post data null


Piyush Suthar

May 22, 2020, 8:30:28 AM
to OWASP ZAP User Group
Hi,

I have successfully set the Authentication through the API, but the login request post data is displayed blank. I am using the http://demo.testfire.net/index.jsp demo site.

Set Authentication using the data below:

kingthorin+owaspzap

May 22, 2020, 8:51:37 PM
to OWASP ZAP User Group
You need to set a logged-in indicator, a logged-out indicator, or both; otherwise ZAP can't know what state the session is in.

Piyush Suthar

May 25, 2020, 6:26:22 AM
to OWASP ZAP User Group
Still no luck!

My authMethodConfigParams:

loginUrl=http://demo.testfire.net/login.jsp&loginRequestData=uid={%username%}&passw={%password%}&btnSubmit=Login

There might be something I missed when setting the login request post data, the username parameter and the password parameter.


Also, I set the logged-out indicator, but no luck.


There is also a similar question: https://groups.google.com/forum/#!searchin/zaproxy-users/authMethodConfigParams|sort:date/zaproxy-users/35Oeg6U1v1s/45v8n0N4AQAJ
kingthorin+owaspzap

May 25, 2020, 12:24:15 PM
to OWASP ZAP User Group
You don't have things set up properly.

I'm fairly certain the target of the login form is not the page that's displaying the login form. You need to know how your target actually works.

Here's a simple way to get this all sorted.

0) Launch ZAP.
1) Launch a browser from within ZAP.
2) From the Sites tree, right click demo.testfire.net and "Include in Context" (either Default or New). [Accept the defaults, click OK, etc.]
3) Back in the browser, log in.
4) From the History table, right click the only POST you should see (doLogin) and choose "Flag as Context" > "<context name> Form-based Auth Login Request". [You know it's this one for two reasons: 1) it's the only POST so far; 2) if you "View Source" on the login page you can see it's the 'action' of the login form.]
5) The defaults that are set should be almost perfect; just change the password field from "uid" to "passw". [Click OK, etc.]
6) Select the next history entry, which should be something like http://demo.testfire.net/bank/main.jsp, go to the Response tab and identify a string that only exists for logged-in users, such as: href="/logout.jsp"
7) Highlight that string, right click, and select "Flag as Context" > "<context name> Authentication Logged-in Indicator". (In the Context's "Users" panel, ensure jsmith is enabled.)
8) Go back to your browser and log out (Sign Off).
9) Try to access a URL "inside" the authenticated area, such as http://demo.testfire.net/bank/main.jsp, and note that you get redirected back to the login page.
10) Go back to ZAP and enable Forced User mode (the lock/user icon in the main toolbar).
11) Now paste that URL "inside" the authenticated area again (http://demo.testfire.net/bank/main.jsp) and note that ZAP has logged you in and you successfully access authenticated content.
12) Now that you've got it set up and tested and are sure everything is working, disable Forced User mode and carry on.

Piyush Suthar

May 26, 2020, 2:47:30 AM
to OWASP ZAP User Group
That's very straightforward when done manually. I know that, and I have done it successfully on 5 or 6 sites by hand. But my question is about doing it through the API: the login request post data was displayed as null after I set it with the ZAP API "setAuthenticationMethod".


SetAuthenticationMethod using the data below:

I hope this is enough information to understand the problem. Thanks in advance for your help!

Thanks,

thc...@gmail.com

May 26, 2020, 4:03:22 AM
to zaprox...@googlegroups.com
Hi.

This is an encoding problem: the value of loginRequestData needs to be
encoded, otherwise uid, passw, and btnSubmit will be handled as
additional parameters instead of as part of the value of loginRequestData, e.g.:

loginRequestData%3Duid%253D%257B%2525username%2525%257D%2526passw%253Dadmin%2526btnSubmit%253DLogin

Best regards.

kingthorin+owaspzap

May 26, 2020, 12:01:57 PM
to OWASP ZAP User Group
If you get it set up manually locally, just export the context and import it when using the API. Why write code to create it programmatically every time when you can just keep the file and import it?
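The encoding point made in the reply above, and the export/import shortcut suggested here, as an added Python example that is not part of the thread or of the ZAP project. It builds the API request URLs with the standard library only, so it runs offline; it assumes ZAP listens on http://localhost:8080 with a placeholder API key, that the context id is 1, and that the login form posts to http://demo.testfire.net/doLogin (as noted earlier in the thread). The decode helper peels both encoding layers the way the server does, which shows exactly why the un-encoded value from the original post leaves loginRequestData truncated at the first "&".

```python
"""Build correctly encoded ZAP API requests for form-based authentication.

authMethodConfigParams is one query parameter whose value is itself a
form-encoded string (loginUrl=...&loginRequestData=...), and loginRequestData
contains its own '&' and '=' plus the {%username%} / {%password%} tokens.
So it is encoded twice: once when it becomes a value inside the config
string, and once more when the config string becomes a query parameter.
"""
import re
from urllib.parse import parse_qs, urlencode, urlparse

ZAP_API = "http://localhost:8080"   # assumption: default ZAP API address
API_KEY = "changeme"                # assumption: placeholder, use your own key
LOGIN_URL = "http://demo.testfire.net/doLogin"
LOGIN_REQUEST_DATA = "uid={%username%}&passw={%password%}&btnSubmit=Login"


def zap_api_url(component, action, params, zap_api=ZAP_API, api_key=API_KEY):
    """Outer encoding: each parameter value becomes one query-string field."""
    query = urlencode({**params, "apikey": api_key})
    return f"{zap_api}/JSON/{component}/action/{action}/?{query}"


def auth_config_params(login_url, login_request_data):
    """Inner encoding: loginRequestData is a value inside the config string."""
    return urlencode({"loginUrl": login_url, "loginRequestData": login_request_data})


def naive_auth_config_params(login_url, login_request_data):
    """What the original post did: the inner value pasted in without encoding."""
    return f"loginUrl={login_url}&loginRequestData={login_request_data}"


def set_authentication_method_url(context_id, config_params):
    return zap_api_url("authentication", "setAuthenticationMethod", {
        "contextId": context_id,
        "authMethodName": "formBasedAuthentication",
        "authMethodConfigParams": config_params,
    })


def set_logged_in_indicator_url(context_id, indicator_literal):
    """The indicator is a regex, so escape the literal taken from the response."""
    return zap_api_url("authentication", "setLoggedInIndicator", {
        "contextId": context_id,
        "loggedInIndicatorRegex": re.escape(indicator_literal),
    })


def import_context_url(context_file):
    """The shortcut suggested above: import a context exported from the GUI."""
    return zap_api_url("context", "importContext", {"contextFile": context_file})


def decode_as_zap_would(url):
    """Peel both layers like the server: query string first, then config string.

    Returns the key/value pairs ZAP ends up with for the auth method config.
    """
    outer = parse_qs(urlparse(url).query, keep_blank_values=True)
    config = outer["authMethodConfigParams"][0]
    inner = parse_qs(config, keep_blank_values=True)
    return {k: v[0] for k, v in inner.items()}


if __name__ == "__main__":
    good = set_authentication_method_url(1, auth_config_params(LOGIN_URL, LOGIN_REQUEST_DATA))
    bad = set_authentication_method_url(1, naive_auth_config_params(LOGIN_URL, LOGIN_REQUEST_DATA))
    print("encoded:", good)
    print("  ZAP sees:", decode_as_zap_would(good))
    print("naive:  ", bad)
    print("  ZAP sees:", decode_as_zap_would(bad))   # loginRequestData cut at first '&'
    print(set_logged_in_indicator_url(1, 'href="/logout.jsp"'))
    print(import_context_url("/home/user/testfire.context"))  # constructed path
```

Run it and compare the two decoded dictionaries: the encoded request round-trips loginRequestData intact, while the naive one yields loginRequestData=uid={%username%} with passw and btnSubmit as stray top-level keys, which is the symptom reported at the top of the thread. The encoded URL also contains the same `loginRequestData%3Duid%253D%257B%2525username%2525%257D` fragment shown in the reply above.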