Microsoft Login Authentication


Gannicus 999

Apr 8, 2021, 5:33:02 PM
to OWASP ZAP User Group
Hello Everyone,

First of all, I want to say that I'm a beginner in ZAP and also in the cyber-security field. I've been using ZAP for a couple of months and I'm getting pretty good results with it. But today I wanted to scan a website that uses Microsoft Login Authentication as its way of authentication. First I tried the regular authentication methods and quickly realized that this one is more complicated than that. After a little bit of research, I discovered Zest scripting authentication and decided to give it a shot. Unfortunately, it also failed for me.

So here is a little bit of a summary about how the website works.

1. I go to the website's URL: https://www.mywebsite.com
3. I enter my username, which is an e-mail address, and click Next.
4. The browser makes a POST request including the username I entered to this URL: https://login.microsoftonline.com/common/GetCredentialType
5. Another page pops up, I enter my password and hit the Submit button.
6. The browser makes another POST request with my username and my password to this URL: https://login.microsoftonline.com/common/login
7. The browser makes another POST request to this URL, for a reason that I didn't really understand :) https://login.microsoftonline.com/kmsi
8. One last POST request is made to my website, to a URL like this: https://www.mywebsite.com/auth
9. Finally, with a GET request, the website presents itself to me with my profile page.

I tried to record these actions to a script with Zest. During my recording, I can successfully log in to the website (using ZAP's Firefox browser). However, after I stop recording and click the Run button on the Scripts tab, the script does not run successfully.

After examining the requests and responses for a while, I noticed this warning in one of the responses.

Invalid Request: The request tokens do not match the user context. One or more of the user context values (cookies; form fields; headers) were incorrect or invalid, these values should not be copied between requests or user sessions; always maintain the ALL of the supplied values across a complete single-user flow. Failure Reasons:[Token is invalid;]

I get this warning during step 6 above: after I make a POST request to https://login.microsoftonline.com/common/login with my credentials, the response to this request contains the warning above.

The POST requests made during the authentication contain parameters such as flowToken, canary and ctx, which I don't really have much of an opinion about: what any of those parameters are, or what they are used for. But after reading the warning above, I'm assuming that this website, or Microsoft itself, creates a different token or something else each time I try to log in; Zest is using the token from my initial recording, which obviously doesn't match the new one, hence the authentication is failing. Of course, I might be completely wrong about this assumption since I consider myself just a newbie :)

So if anyone has actually read this post all the way down here, firstly, I want to say that I really appreciate your attention. And secondly, I would appreciate it even more if you could give me a suggestion about how to handle this situation.

Thanks in Advance
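A constructed Python model of the failure described in this post, added here as an example; it is not code from the post, from ZAP or Zest, or from Microsoft. The toy identity provider (ToyIdP, a hypothetical name) issues a fresh user context (ctx) plus flow-bound form fields (flowToken, canary) on every page load and rejects any POST whose tokens were not issued for that context. One client copies each response's tokens into the next request and succeeds; the other replays the literal values captured during an earlier successful login and is rejected with "Token is invalid", which is the behaviour the poster hypothesises. The account name and password are constructed test data.

```python
"""Toy multi-step login flow with per-flow tokens (constructed example, not a real IdP)."""
import hmac
import secrets

REJECT_PREFIX = "Invalid Request: the request tokens do not match the user context"


class ToyIdP:
    """In-memory identity provider. Hypothetical; built only to illustrate token binding."""

    def __init__(self, users):
        self.users = users   # username -> password (constructed test accounts)
        self.flows = {}      # ctx -> per-flow state; every value lives for one flow only

    def get_login_page(self):
        """GET of the login page: a fresh user context (ctx, think session cookie)
        and fresh hidden form fields (flowToken, canary) bound to that context."""
        ctx = secrets.token_urlsafe(12)
        self.flows[ctx] = {
            "step": "username",
            "flowToken": secrets.token_urlsafe(12),
            "canary": secrets.token_urlsafe(12),
            "user": None,
        }
        return {"status": 200, "ctx": ctx, "form": self._form_fields(ctx)}

    def _form_fields(self, ctx):
        flow = self.flows[ctx]
        return {"flowToken": flow["flowToken"], "canary": flow["canary"]}

    def _verify(self, ctx, form, expected_step):
        """Return the list of failure reasons (empty when the request is valid)."""
        flow = self.flows.get(ctx)
        if flow is None:
            return ["Context is invalid"]
        reasons = []
        # Constant-time comparison of each token against the value issued for this ctx.
        if any(not hmac.compare_digest(flow[name], str(form.get(name, "")))
               for name in ("flowToken", "canary")):
            reasons.append("Token is invalid")
        if flow["step"] != expected_step:
            reasons.append("Unexpected step")
        return reasons

    @staticmethod
    def _reject(reasons):
        return {"status": 400, "error": f"{REJECT_PREFIX}. Failure Reasons:{reasons}"}

    def get_credential_type(self, ctx, form):
        """Step 1 (the username POST): consumes this step's flowToken and rotates it."""
        reasons = self._verify(ctx, form, "username")
        if reasons:
            return self._reject(reasons)
        flow = self.flows[ctx]
        flow["user"] = form.get("username")
        flow["step"] = "password"
        flow["flowToken"] = secrets.token_urlsafe(12)   # new token for the next step
        return {"status": 200, "form": self._form_fields(ctx)}

    def login(self, ctx, form):
        """Step 2 (the password POST): verifies tokens, then credentials; the flow is single use."""
        reasons = self._verify(ctx, form, "password")
        if reasons:
            return self._reject(reasons)
        flow = self.flows.pop(ctx)
        expected = self.users.get(flow["user"], "")
        if not hmac.compare_digest(expected, str(form.get("password", ""))):
            return {"status": 401, "error": "Invalid username or password"}
        return {"status": 200, "session": secrets.token_urlsafe(12)}


def live_login(idp, username, password):
    """Client that carries every token forward from the response that issued it."""
    page = idp.get_login_page()
    ctx = page["ctx"]
    step1 = idp.get_credential_type(ctx, {**page["form"], "username": username})
    if step1["status"] != 200:
        return step1
    return idp.login(ctx, {**step1["form"], "username": username, "password": password})


def record_then_replay(idp, username, password):
    """Model of a recorded script: the POST bodies are stored as literals during a
    successful login and replayed later. The GET at the start of the replay still
    obtains a fresh ctx (as a cookie jar would), so the stale tokens no longer match."""
    page = idp.get_login_page()
    recorded_step1 = {**page["form"], "username": username}
    step1 = idp.get_credential_type(page["ctx"], recorded_step1)
    recorded_step2 = {**step1["form"], "username": username, "password": password}
    idp.login(page["ctx"], recorded_step2)          # the recording itself succeeds

    replayed_page = idp.get_login_page()             # new ctx, new tokens
    return idp.get_credential_type(replayed_page["ctx"], recorded_step1)


if __name__ == "__main__":
    idp = ToyIdP({"alice@example.test": "correct horse"})   # constructed account
    print(live_login(idp, "alice@example.test", "correct horse"))
    print(record_then_replay(idp, "alice@example.test", "correct horse"))
```

The model shows why a recorded script with literal token values cannot succeed against a server that binds those values to a single flow: the replay is rejected before the credentials are even checked. The corresponding fix in a recorded authentication script is to replace each literal flowToken/canary value with a variable populated from the preceding response, so every run carries the tokens the server issued for that run.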
 

Gannicus 999

Apr 11, 2021, 7:01:00 PM
to OWASP ZAP User Group
Any news here? I've been trying for the last 3 days to find a solution but I still couldn't find one. Any help would be really appreciated.

On Friday, 9 April 2021 at 00:33:02 UTC+3, Gannicus 999 wrote: