ZAP Tool Manual Authentication and Logout Issue/Question


ryerson...@gmail.com
Sep 28, 2015, 4:39:34 PM
to OWASP ZAP User Group
I can do manual session log in or form-based authentication according to the tutorials I read. I am wondering how to exclude the logout, though; I do not want it to log out and log in every time.

From the tutorials it says to exclude the logout page, but my logout page is the same as my login page.

login
https://foo.com/bar/index.cfm
POST:index.cfm(usr_name,usr_pwd)

logout is
GET:index.cfm(usr_logout)

I have a unique token for the logout, so https://foo.com/bar/index.cfm?logout=abcUNIQUETOKENdef

So I tried to set my regex to exclude from context:
\Qhttps://foo.com/bar/index.cfm?logout=\E.*

because I do not want it to exclude index.cfm, just the logout GET request to index.cfm. Actually, ideally I want it to exclude any logout GET request on any page.

Is this doable in ZAP?

P.S. I have no control over changing the logout to a POST.

Cheers everyone :)

ryerson...@gmail.com
Sep 28, 2015, 5:18:12 PM
to OWASP ZAP User Group
Just to add a few more details, I set my logged-in indicator as .*[?&]\Qlogout=\E.*

When I look at the pages that I spider through as a user, I can see the content as if I was logged in, but I also see over a dozen authentication attempts to log me back in; it also mapped the logout call on each page.

When I look at the spider tab, I see that it did a GET with ?logout=uniquetoken, so I can only assume that it logged me out again and then logged me back in. My question would be: is there any way to prevent the logout from even occurring? Thank you! Cheers.

Simon Bennetts
Sep 29, 2015, 5:39:14 AM
to OWASP ZAP User Group
Exclude the login/logout page from the Spider and the Scanner, instead of excluding it from the context.
You can do that via the "Exclude from ->" right-click menu on the Sites tree and History list.
If that doesn't work then let us know.

If you've specified a logout page for the context then we should probably automatically exclude that from the spider and scanner :/
Could you raise an enhancement request for this? https://github.com/zaproxy/zaproxy/issues/new

Cheers,

Simon

ryerson...@gmail.com
Sep 29, 2015, 11:40:41 AM
to OWASP ZAP User Group
These are my current steps.

1) Open ZAP on port 8081 and set up Firefox to use it as a proxy on the same port.
2) Go to https://foo.com/bar/index.cfm
3) Log into the site, wait for it to load, and log out.
4) Go to ZAP, click on the bar website and create a new context called 'bar app'.
5) Right-click on POST:index.cfm(usr_name,usr_pwd) and flag it as the form-based auth for the 'bar app' context.
6) Add my regex of .*[?&]\Qlogout=\E.* as the logged-in token, because my page would show a logout button with an href that has a GET ?logout=unique_token.
7) Add myself as a user.
8) Right-click on GET:index.cfm and exclude it from the spider and scanner.
9) Right-click on GET:index.cfm(logout) and exclude it from the spider and scanner; this here is an issue because it tries to exclude the same thing.
8) and 9) excluded the same thing.

10) Right-click on 'bar' and run the spider scan as the user.

Results:

The history log shows a dozen authentication attempts instead of just one; the spider shows multiple GET logouts were performed. I have a similar issue with the AJAX spider, which keeps hitting the logout button and won't exclude it from its test.

Comments:

Not every website uses POST and has a separate logout page; sessions are maintained via cookies and everything can be handled on the same page with a GET request to itself, as long as the flag logout=1 is sent.

I will create an enhancement request, but just to clarify: is there no way for me to have ZAP exclude the logout button so that it doesn't trigger it? Cheers and thank you!

thc...@gmail.com
Sep 29, 2015, 12:32:24 PM
to zaprox...@googlegroups.com
Hi.

Regarding step 9, though ZAP should be setting the expected/selected
URL, you can still change it to match the URL that you want.

Does it work (i.e. both spiders and scanner do not access the excluded
URL) if you change it manually?

Best regards.

On 29/09/15 16:40, ryerson...@gmail.com wrote:
> These are my current steps.
>
> 1) Open ZAP on port 8081 and setup firefox to run as proxy on same port.
> 2) Go to https://foo.com/bar/index.cfm
> 3) Log into site, wait for it to load and logout.
> 4) Go to Zap, Click on the bar website and create a new context called
> 'bar app'
> 5) Right click on POST:index.cfm(usr_name,usr_pwd) and flag it as the
> form based auth for the 'bar app' context
> 6) Add my regex of .*[?&]\Qlogout=\E.* as the logged in token because my
> page would show a logout button with an href that has a get
> ?logout=unique_token.
> 7) Add myself as a user
> 8) Right click on GET:index.cfm and exclude it from the spider and scanner
>
> * Result: \Qhttps://foo.com/bar/index.cfm\E
>
> 9) Right click on GET:index.cfm(logout) and exclude it from the spider
> and scanner, this here is an *issue* because it tries to exclude the
> same thing
>
> * Result: \Qhttps://foo.com/bar/index.cfm\E
>
> 8) and 9) excluded the same thing.
>
> 10) Right click on the 'bar' and run spider scan as the user.
>
> Results:
>
> History log shows a dozen authentication attempts instead of just one,

ryerson...@gmail.com
Sep 29, 2015, 2:40:02 PM
to OWASP ZAP User Group
Hello, thank you for the advice!

I changed it to:

https:\/\/foo\.com\/bar.*[?&]logout=.*

It is interesting that I had to use escape characters, because \Q \E to make the string a literal didn't work.

The spider scan now shows that https://foo.com/bar/?logout=unique_token was rejected 3 times based on USER_RULES. However, the history still shows that it authenticated 8 times instead of just once. To add onto this, maybe I misunderstood what the Active and Passive scans do, but I have a form on the index.cfm page. Would those two scans populate the fields and evaluate until the end of the form, or is that only the Ajax spider scan? Because the POST response from the spider on the first POST is that it didn't fill out the phone number on the form, which is required before it can proceed to the next page of the form.

ryerson...@gmail.com
Sep 29, 2015, 2:40:47 PM
to OWASP ZAP User Group
Active and Spider Scan, not Active and Passive

kingthorin+owaspzap
Sep 29, 2015, 2:47:26 PM
to OWASP ZAP User Group
This thread is getting quite confusing.

Can you provide a full, validly formatted logout URI example?

Initially we had: usr_logout
Then we had: logout=token
Now we have: logout=1

Also if this is a single page app then you may need to define structural parameters.

kingthorin+owaspzap
Sep 29, 2015, 2:52:41 PM
to OWASP ZAP User Group
The passive scanner only analyzes content that passes through ZAP, it doesn't make any requests on its own.

The active scanner may submit the form with various configurations of parameters/cookies/data 10s to 1000s of times depending what active scanners you have enabled and their threshold/strength settings.

If you have a multi-page sequence that needs to be completed in order for a particular bit of functionality to work correctly then you should look into the Sequence extension which can record a series of requests/responses and follow them while testing.

ryerson...@gmail.com
Sep 30, 2015, 11:02:23 AM
to OWASP ZAP User Group
I am very sorry for the confusion; please ignore usr_logout, it is just GET:index.cfm(logout); this is what I see in the sites tree.

In the HTML code, my logout button is: <a href="/bar/?logout=unique_token">Logout</a>

You can also send ?logout=1 as a GET parameter from any page and it will sign you out.

Because of this, my regex for the logged-in token is .*[?&]\Qlogout=\E.*
and the exclusion URL for spider and scanner is: https:\/\/foo\.com\/bar.*[?&]logout=.*

The log shows that https://foo.com/bar/?logout=unique_token was rejected by user rules 3 times.

Again, very sorry for the confusion; please let me know if that helped to clarify? Yes, this is a single-page app with a form that posts back to itself and changes the content displayed. I will look into the structural parameters. Thank you!
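Added example, not from this thread and not ZAP's own code: a small Python script that checks the three regexes discussed above (the narrow \Q...\E exclusion from the first post, the broader https:\/\/foo\.com\/bar.*[?&]logout=.* exclusion, and the logged-in indicator) against a constructed list of URLs, so you can see which requests each rule keeps out of the spider before running a scan. ZAP evaluates these rules with Java's regex engine against the whole URL, which is emulated here with re.fullmatch; Python's re has no \Q...\E, so the same literal prefix is built with re.escape. The sample URLs, the sample response body and the is_logout_request helper are assumptions made for the example.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# The three patterns from the thread. ZAP runs them under Java's regex engine,
# where \Q...\E quotes a literal; Python's re lacks \Q...\E, so the same
# literal prefix is produced with re.escape().
NARROW_EXCLUDE = re.compile(re.escape("https://foo.com/bar/index.cfm?logout=") + r".*")
BROAD_EXCLUDE = re.compile(r"https:\/\/foo\.com\/bar.*[?&]logout=.*")
LOGGED_IN_INDICATOR = re.compile(r".*[?&]" + re.escape("logout=") + r".*")

# Constructed sample of what the spider might queue (not captured from a real site).
SAMPLE_URLS = [
    "https://foo.com/bar/index.cfm",
    "https://foo.com/bar/?logout=abcUNIQUETOKENdef",   # href of the logout button
    "https://foo.com/bar/index.cfm?page=2&logout=1",   # logout=1 works from any page
    "https://foo.com/bar/index.cfm?nologout=1",        # look-alike name, must stay in scope
    "https://foo.com/bar/help.cfm",
]


def excluded_by_regex(url: str, pattern: re.Pattern) -> bool:
    """Spider/scanner exclude rules are matched against the whole URL, which is
    why the thread's patterns carry a trailing .*; emulate that with fullmatch."""
    return pattern.fullmatch(url) is not None


def partition(urls, pattern):
    """Split a crawl queue into (kept, excluded) the way an exclude list would."""
    kept, excluded = [], []
    for url in urls:
        (excluded if excluded_by_regex(url, pattern) else kept).append(url)
    return kept, excluded


def is_logout_request(url: str) -> bool:
    """Parameter-aware alternative to the regex (assumed helper, not a ZAP rule):
    true for any request whose query carries a 'logout' key, on any path,
    regardless of parameter order, and not fooled by names that merely
    contain 'logout' or by a bare ?logout with no '=' after it."""
    query = urlsplit(url).query
    keys = {key for key, _ in parse_qsl(query, keep_blank_values=True)}
    return "logout" in keys


def logged_in(response_body: str) -> bool:
    """The thread's logged-in indicator: a response that renders a logout link
    with ?logout=... is treated as an authenticated page. Checked with search()
    because an indicator only has to occur somewhere in the response."""
    return LOGGED_IN_INDICATOR.search(response_body) is not None


if __name__ == "__main__":
    for name, pattern in (("narrow", NARROW_EXCLUDE), ("broad", BROAD_EXCLUDE)):
        kept, excluded = partition(SAMPLE_URLS, pattern)
        print(f"{name} rule excludes: {excluded}")
    # Constructed response snippet mirroring the logout button posted above.
    print("logged in:", logged_in('<a href="/bar/?logout=unique_token">Logout</a>'))
```

Running it shows the practical difference: the narrow pattern only matches index.cfm?logout=... and misses /bar/?logout=..., which is the href the logout button actually uses, so the spider keeps following it; the broad pattern catches a logout parameter on any path while leaving index.cfm itself and look-alike parameters such as ?nologout=1 in scope. Whichever rule you settle on, apply it under Exclude from Spider and Exclude from Scanner rather than Exclude from Context, as Simon suggests, and check the Spider tab for the rejected-by-USER_RULES count to confirm it is taking effect.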

ryerson...@gmail.com
Sep 30, 2015, 11:04:58 AM
to OWASP ZAP User Group
I wish I could edit a previous post :( Would you happen to have a link to a tutorial on structural parameters by any chance? Cheers

ryerson...@gmail.com
Oct 1, 2015, 11:17:20 AM
to OWASP ZAP User Group
Just to add on to the previous point, I should have mentioned this before, but the authentication method is standard LDAP, which at this point I believe I have working. My next one down the list is authentication through CAS, which is a harder nut to crack.

kingthorin+owaspzap
Oct 1, 2015, 2:13:47 PM
to OWASP ZAP User Group
Is this what you mean for your next evolution?
https://en.wikipedia.org/wiki/Central_Authentication_Service

ryerson...@gmail.com
Oct 1, 2015, 4:56:44 PM
to OWASP ZAP User Group
Yup, already implemented. Just need to figure out how to get authentication done in ZAP. Haven't had a chance to look at it yet, but will update this post once I find a method or if I have any issues that need reporting.

Manjunath Rajiv
Feb 24, 2017, 2:58:47 AM
to OWASP ZAP User Group
Hi

I am a security test engineer; I got your email id in
https://groups.google.com/forum/#!topic/zaproxy-users/KVEJ_JSzTgM. I want
some small help from your side. Please help me in finding the defect after the
form-based authentication spider result in ZAP.

How to verify the true positive or false positive of ZAP form-based
authentication results after despairing the URL to find the defect?

How to find the defect in that scanned result?


Simon Bennetts
Feb 24, 2017, 4:19:55 AM
to OWASP ZAP User Group
Sorry, I'm not quite sure what you are asking :/
If you want to know whether your form based authentication is working then have a look at the Auth Stats add-on: https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAuthstatsAuthStats

Cheers,

Simon

Manjunath Rajiv
Feb 24, 2017, 6:29:54 AM
to OWASP ZAP User Group
Hello Simon,

In "form based authentication" how to verify whether the finding is True positive or False positive after scanning and spidering.

Thank you in advance.

Manjunath Rajiv
Feb 24, 2017, 6:36:01 AM
to OWASP ZAP User Group
Based on what parameter can we say whether the web application is vulnerable to Broken Authentication and Session Management in the form-based authentication result which we will get after spidering using the ZAP tool?



Paulo Chavez
May 9, 2017, 1:50:55 PM
to OWASP ZAP User Group
Hey,

I am trying to set up the authentication method in ZAP vs WebGoat. I get to the point where I log in successfully, set the Session active and run the Ajax Spider. It starts running fine and clicking through all clickable links, and it logs itself out.

I have excluded the logout instances from the scanner and spider, but it still logs itself out without finishing the automatic scan.

I think it's something to do with the authentication method setup.

Were you able to figure it out?

