Authentication failed for user (AF)


Johny White

Oct 1, 2022, 11:55:37 AM
to OWASP ZAP User Group
Hi! I ran into a problem with authorized scanning via AF using .yaml.
When I scan through the ZAP Desktop UI using AF, it is working fine - the authorization works. But when I import the .yaml for use in the command: ./zap.sh -cmd -autorun zap.yaml - it is working without authentication. I see a mistake in the logs: User - Authentication failed for user: Administrator

My version of ZAP is 2.11.1 and running on Ubuntu.
example.yaml

Johny White

Oct 1, 2022, 12:01:03 PM
to OWASP ZAP User Group
When I run AF through the UI, the spider finds about 60 URLs. When I run AF through zap.sh using the yaml, it finds 5 URLs (authorization fails).

Saturday, October 1, 2022 at 18:55:37 UTC+3, Johny White:

Johny White

Oct 1, 2022, 12:20:33 PM
to OWASP ZAP User Group
I guess the problem is that when we run AF through the UI, we turn on the context there. And when we run through the console, there is no longer a context, only a yaml file.

Saturday, October 1, 2022 at 19:01:03 UTC+3, Johny White:

Johny White

Oct 2, 2022, 3:29:45 AM
to OWASP ZAP User Group
It turned out that I was still using version 2.10, so this error occurred.
But authentication still fails in 2.11.1, and I will create a separate question for this problem.

Saturday, October 1, 2022 at 19:20:33 UTC+3, Johny White:

Simon Bennetts

Oct 3, 2022, 3:43:26 AM
to OWASP ZAP User Group
Hiya,

What you are trying should work, but there are always things that can go wrong.
I would recommend that you try to create an automation plan with the minimum number of jobs required to reproduce the problem - in this case probably just the context and a request.
If that still works on the desktop but fails from the command line, then see https://www.zaproxy.org/docs/docker/diagnosing-problems/#investigating-non-trivial-issues

Cheers,

Simon

Johny White

Oct 5, 2022, 1:47:09 PM
to OWASP ZAP User Group
Hi Simon!
I tried like you said, and the context+requestor works in both the CLI and the UI. But when I add the spider, it works only in Desktop (found around 20 URLs in Desktop; in the CLI it found only 4 URLs. By the way, the requestor is still working in this situation). In other words, the spider can't make authentication.

I decided to do an experiment. First, I launched AF via desktop - successfully, the spider found 20 URLs. Next, I imported this yaml and ran it through the CLI - there were only 4 URLs. Then I decided to turn off the ZAP desktop, turn it on again, and run it using the same yaml that I imported earlier - there were also 4 URLs.
I looked at the logs, but there are no errors in either, except for one: ERROR JobUtils - Automation Framework failed to find method setUser on org.zaproxy.zap.spider.SpiderParam. This error is present in both scans (desktop and CLI). I don't know what the problem is.

But I noticed a difference in the logs: when the spider successfully authorizes, the following logs appear after the spider ends:
[HSQLDB Timer @14505ee0] INFO ENGINE - Checkpoint start
[HSQLDB Timer @14505ee0] INFO ENGINE - checkpointClose start
[HSQLDB Timer @14505ee0] INFO ENGINE - checkpointClose synched
[HSQLDB Timer @14505ee0] INFO ENGINE - checkpointClose script done
[HSQLDB Timer @14505ee0] INFO ENGINE - dataFileCache commit start

Monday, October 3, 2022 at 10:43:26 UTC+3, psi...@gmail.com:
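A minimal automation plan of the kind Simon suggests (a context plus a single requestor job, with the spider job added only once the first two work from the command line), written here as an added example and not taken from the thread. The target URLs, user name, credentials and login/logout regexes are assumed placeholders; the job types, parameter names and ${VAR} substitution are the Automation Framework's own.

```yaml
env:
  contexts:
    - name: "app"
      urls:
        - "https://app.example.test"        # assumed target, not from the thread
      authentication:
        method: "form"
        parameters:
          loginPageUrl: "https://app.example.test/login"
          loginRequestUrl: "https://app.example.test/login"
          loginRequestBody: "username={%username%}&password={%password%}"
        verification:
          # "response" verification checks every response body, so a failed
          # login shows up as "Authentication failed for user" in zap.log
          method: "response"
          loggedInRegex: "\\QLogout\\E"           # assumed marker of a logged-in page
          loggedOutRegex: "\\QPlease log in\\E"   # assumed marker of the login page
      sessionManagement:
        method: "cookie"
      users:
        - name: "test-user"
          credentials:
            username: "administrator"      # placeholder
            password: "${ZAP_PASSWORD}"    # placeholder, read from an environment variable
  parameters:
    failOnError: true
    progressToStdout: true
jobs:
  # Step 1: one authenticated request. If this already logs
  # "Authentication failed for user", the context definition is the problem,
  # not the spider.
  - type: requestor
    parameters:
      user: "test-user"
    requests:
      - url: "https://app.example.test/account"   # assumed page that needs a login
  # Step 2: add the spider back only after step 1 passes from the CLI,
  # so a drop in the URL count can be blamed on the spider job alone.
  - type: spider
    parameters:
      context: "app"
      user: "test-user"
      maxDuration: 2
```

Run it with the command from the thread, ./zap.sh -cmd -autorun plan.yaml, and compare the requestor and spider results against the desktop run before looking at the request/response log.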

Simon Bennetts

Oct 6, 2022, 3:30:42 AM
to OWASP ZAP User Group
Hiya,

I don't think the "setUser" error is relevant - that's a reporting bug I should fix ;)
I.e. run the job from the CLI with the LogMessages.js script enabled and start wading through the requests and responses to see if you can work out what the difference is.

Cheers,

Simon