Hello Everyone,
First of all, I want to say that I'm a beginner in ZAP and also in the cyber-security field. I've been using ZAP for a couple of months and I'm getting pretty good results with it. But today I wanted to scan a website that uses Microsoft Login Authentication as its way of authentication. First I tried the regular authentication methods and quickly realized that this one is more complicated than that. After a little bit of research, I discovered Zest script authentication and decided to give it a shot. Unfortunately, it also failed for me.
So here is a little summary of how the website works.
3. I enter my username, which is an e-mail address, and click Next.
5. Another page pops up, I enter my password and hit the Submit button.
9. Finally, with a GET request the website presents me with my profile page.
I tried to record these actions into a script with Zest. During the recording, I can successfully log in to the website (using ZAP's Firefox browser). However, after I stop recording and click the Run button on the Scripts tab, the script does not run successfully.
After examining the requests and responses for a while, I noticed this warning in one of the responses:
Invalid Request: The request tokens do not match the user context. One or more of the user context values (cookies; form fields; headers) were incorrect or invalid, these values should not be copied between requests or user sessions; always maintain the ALL of the supplied values across a complete single-user flow. Failure Reasons:[Token is invalid;]
The POST requests made during the authentication contain parameters such as flowToken, canary and ctx. I don't really have much of an idea what any of those parameters are or what they are used for. But after reading the warning above, I'm assuming that this website, or Microsoft itself, creates a different token (or something else) each time I try to log in; Zest is using the token from my initial recording, which obviously doesn't match the new one, hence the authentication is failing. Of course, I might be completely wrong about this assumption since I consider myself just a newbie :)
So if anyone has actually read this post all the way down here, firstly, I want to say that I really appreciate your attention. And secondly, I would appreciate it even more if you can give me a suggestion about how to handle this situation.
Thanks in advance
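The failure mode described above, as an added illustration that is not part of the original post and not ZAP's or Microsoft's code: a constructed mock of a token-bound, multi-step login. Each GET of the login page opens a new flow with fresh ctx/flowToken/canary values (the parameter names are borrowed from the post purely as labels; the real Microsoft endpoint is not modelled), every POST must carry the values of its own flow, and the flowToken is rotated between steps. Replaying the recorded request bodies verbatim fails with the same "Token is invalid" class of error, while re-extracting the tokens from each response before the next request succeeds. In Zest the corresponding mechanism is an assign statement that captures a value from the previous response (for example with a regex) into a variable that is substituted into the next request; the server class, account and helper functions here are all hypothetical.

```python
import re
import secrets


class MockLoginServer:
    """Constructed stand-in for a token-bound, multi-step login (not Microsoft's).

    Every GET of the login page opens a new flow with fresh ctx/flowToken/canary
    values. Each POST must carry the values that belong to its own flow; anything
    copied from an older flow is rejected with an error like the one in the post.
    """

    INVALID = ("Invalid Request: The request tokens do not match the user context. "
               "Failure Reasons:[Token is invalid;]")

    def __init__(self, password_db):
        self.password_db = password_db   # {email: password}, constructed sample data
        self.flows = {}                  # ctx -> per-flow state

    @staticmethod
    def _render(ctx, flow):
        # Hidden form fields the browser would submit with the next step.
        return (f'<input name="ctx" value="{ctx}">'
                f'<input name="flowToken" value="{flow["flowToken"]}">'
                f'<input name="canary" value="{flow["canary"]}">')

    def get_login_page(self):
        """Step 1 (GET): mint per-flow tokens and return the username form."""
        ctx = secrets.token_hex(8)
        self.flows[ctx] = {"flowToken": secrets.token_hex(16),
                           "canary": secrets.token_hex(16), "user": None}
        return 200, self._render(ctx, self.flows[ctx])

    def _flow_for(self, form):
        # Reject unknown ctx values and any token that does not belong to this flow.
        flow = self.flows.get(form.get("ctx"))
        if flow is None or flow["flowToken"] != form.get("flowToken") \
                or flow["canary"] != form.get("canary"):
            return None
        return flow

    def post_username(self, form):
        """Step 2 (POST): accept the e-mail, rotate flowToken, return the password form."""
        flow = self._flow_for(form)
        if flow is None:
            return 400, self.INVALID
        flow["user"] = form.get("login")
        flow["flowToken"] = secrets.token_hex(16)  # token changes between steps
        return 200, self._render(form["ctx"], flow)

    def post_password(self, form):
        """Step 3 (POST): verify the password and close the flow."""
        flow = self._flow_for(form)
        if flow is None:
            return 400, self.INVALID
        if self.password_db.get(flow["user"]) != form.get("passwd"):
            return 401, "Bad credentials"
        del self.flows[form["ctx"]]  # flow consumed; its tokens are now dead
        return 200, "Profile page"


def extract_tokens(html):
    """Pull the hidden ctx/flowToken/canary fields out of a response body."""
    return dict(re.findall(r'name="(\w+)" value="([^"]*)"', html))


def login_with_fresh_tokens(server, user, password):
    """Correct approach: read the tokens from each response before the next POST.

    Returns (final_status, recorded_forms) so one run also serves as a 'recording'.
    """
    _, page = server.get_login_page()
    form1 = {**extract_tokens(page), "login": user}
    status, page = server.post_username(form1)
    if status != 200:
        return status, [form1]
    form2 = {**extract_tokens(page), "passwd": password}
    status, _ = server.post_password(form2)
    return status, [form1, form2]


def replay_recorded_forms(server, recorded_forms):
    """What a verbatim recording does: resend the captured bodies, stale tokens included."""
    server.get_login_page()  # the server opens a NEW flow with NEW tokens...
    status, body = server.post_username(recorded_forms[0])  # ...but the old ones are sent
    if status != 200:
        return status, body
    return server.post_password(recorded_forms[1])


if __name__ == "__main__":
    srv = MockLoginServer({"alice@example.test": "correct horse"})  # constructed account
    status, recording = login_with_fresh_tokens(srv, "alice@example.test", "correct horse")
    print("recording session:", status)
    print("verbatim replay:", replay_recorded_forms(srv, recording)[0])
    print("replay with fresh tokens:",
          login_with_fresh_tokens(srv, "alice@example.test", "correct horse")[0])
```

The point to take from the mock is that the tokens are not secrets to be stored in the script; they are per-flow state that must be read back from the previous response every time the script runs, which is exactly what a static recording does not do.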