Unable to run an authenticated full-scan


donni

May 11, 2022, 9:13:18 AM
to OWASP ZAP User Group
Hello everyone,
I'm a newbie on zap and I would like to create a CI/CD pipeline, and I want to use it with a docker container.
To try it I'm using the image of GoatWeb and my local image of zap: I have an M1 Mac and in order to run zap in docker I had to re-build the image from the Dockerfile on github (from: https://groups.google.com/g/zaproxy-users/c/meg0Lkvl03s ). I want to run zap-full-scan.py against the goatweb target.

I'm having problems with the authenticated scan. I'll write the steps I took and then attach the context file with a .txt extension.

1) Open ZAP GUI, create the context file and export it (as webgoat.context) on my current directory
    context to include: http://goatandwolf:8080/.*
    create the user for the context
    authentication: form-based
    Login Form Target url: http://goatandwolf:8080/WebGoat/login
    URL to get Login Page: http://goatandwolf:8080/WebGoat/login

2) Run goatweb container
    docker run --rm --name goatandwolf -p 8090:8080 -p 9090:9090 -d --net zapnet --hostname goatandwolf webgoat/goatandwolf

    2b) Access GoatWeb and create a newuser with the same credentials stored on the context

3) Run zap container
    docker run --rm -dt --name zap --net zapnet -v $(pwd):/zap/wrk/:rw localzap /bin/bash

    In this way the zap container can see the context file

4) Access the zap container
    docker exec -it zap /bin/bash

    4a) check if zap can see GoatWeb
        curl http://goatandwolf:8080/WebGoat/login

    4b) start full-scan
        ./zap-full-scan.py -t http://goatandwolf:8080/WebGoat/login -d -r report.html -n wrk/webgoat.context -U <username>

The full scan does not return an error; it produces the report, but it's exactly the same report as the unauthenticated scan.
Instead I was expecting it to discover more urls.
I have read the log and it did not seem to me to contain any WARNs.

Maybe it's worth noticing that even with the zap gui I cannot manage to start an authenticated scan. I had a curious situation in which it did not matter which user I chose or whether "Force User" was enabled or not, but in the payload for the login I had "username=zap&password=zap".

Can I ask you what I'm missing or what I'm doing wrong?

Thanks in advance

webgoat_context.txt
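The procedure in the post above, written out as a script with the checks a pipeline would want. This is an added example, not code from the thread or from the ZAP project: it keeps the container, network, image and context-file names from the post (zapnet, goatandwolf, zap, localzap, webgoat.context), adds the step-4a reachability check as a hard precondition, and compares the unauthenticated and authenticated reports so that the symptom described (an identical report) fails the job instead of being spotted by eye. ZAP_USER, the report file names and the URL count as a coverage measure are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): the docker-based zap-full-scan.py run from
# the post above, wrapped in pre-flight checks and a post-run comparison of the
# unauthenticated and authenticated reports. Network, container and image names
# (zapnet, goatandwolf, zap, localzap, webgoat.context) are the ones in the post;
# ZAP_USER and the report file names are assumptions.
set -u

# The context file must sit in the directory mounted at /zap/wrk, or the
# scan script inside the container cannot import it.
check_context_file() {
  local ctx="$1"
  [ -f "$ctx" ] || { echo "missing context file: $ctx" >&2; return 1; }
  # ZAP exports contexts as XML; anything else will not import.
  head -c 5 "$ctx" | grep -q '^<?xml' || { echo "not an XML context: $ctx" >&2; return 1; }
}

# Distinct URLs referenced in a ZAP HTML report (a crude coverage measure).
count_report_urls() {
  grep -o 'http[s]*://[^"<[:space:]]*' "$1" | sort -u | wc -l | tr -d ' '
}

# Succeeds only when the authenticated report covers more URLs than the
# unauthenticated one; failure is the symptom described in the post.
auth_scan_added_coverage() {
  local unauth="$1" auth="$2" n_unauth n_auth
  n_unauth=$(count_report_urls "$unauth")
  n_auth=$(count_report_urls "$auth")
  echo "unauthenticated: $n_unauth URLs, authenticated: $n_auth URLs"
  [ "$n_auth" -gt "$n_unauth" ]
}

# Full procedure: start both containers, check connectivity, run both scans,
# compare. ZAP_USER must match the user defined in the context file.
run_scans() {
  local ctx="webgoat.context" user="${ZAP_USER:?set ZAP_USER to the context user}"
  local target="http://goatandwolf:8080/WebGoat/login"
  check_context_file "$PWD/$ctx" || return 1

  docker network inspect zapnet >/dev/null 2>&1 || docker network create zapnet
  docker run --rm --name goatandwolf -p 8090:8080 -p 9090:9090 -d --net zapnet \
    --hostname goatandwolf webgoat/goatandwolf
  docker run --rm -dt --name zap --net zapnet -v "$PWD":/zap/wrk/:rw localzap /bin/bash

  # Step 4a from the post: the ZAP container must be able to reach the login page.
  docker exec zap curl -fsS -o /dev/null "$target" \
    || { echo "ZAP container cannot reach $target" >&2; return 1; }

  # zap-full-scan.py exits non-zero when it reports alerts; that is not a failure here.
  docker exec zap ./zap-full-scan.py -t "$target" -d -r report-unauth.html || true
  docker exec zap ./zap-full-scan.py -t "$target" -d -r report-auth.html \
    -n wrk/"$ctx" -U "$user" || true

  # Reports are written to /zap/wrk, i.e. the current directory on the host.
  auth_scan_added_coverage report-unauth.html report-auth.html
}

if [ "${1:-}" = "--run" ]; then
  run_scans
fi
```

Run it as `ZAP_USER=<username> ./zap-auth-check.sh --run` from the directory that holds webgoat.context. The URL count is deliberately simple; any measure that distinguishes the two reports (number of scanned URLs, alert count, a diff of the spidered URL list) serves the same purpose, which is to make "authenticated scan produced the unauthenticated report" a failing pipeline step.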

Saad S Awan

May 17, 2022, 1:37:14 AM
to OWASP ZAP User Group
I also want to scan my website with zap in authenticated mode using a TFS CD pipeline. How can I do it?
Normal unauthenticated scanning is working fine.

Simon Bennetts

May 17, 2022, 4:21:21 AM
to OWASP ZAP User Group
We also have a load of videos - search for a tag of "auth" on https://www.zaproxy.org/videos-list/

Cheers,

Simon

Tom Koshy

Jun 26, 2024, 10:07:48 AM
to ZAP User Group

Hello,

Were you able to find a solution for this issue? I am facing the same issue as well. 

When I am running with desktop client with the context, the authenticated scanning works perfectly. But when I run it with Docker instance, the authenticated scanning doesn't work.

Cheers,

Tom

Simon Bennetts

Jul 1, 2024, 10:15:46 AM
to ZAP User Group