How to grab session token?


Abhishek Jha

Feb 17, 2023, 6:49:05 AM2/17/23
to OWASP ZAP User Group
Hi all, I want to know if somebody has an idea on how to grab the session token/id in the authentication.js script, which is part of the plan for authenticating ZAP with Selenium.

This is the method in the script:
// logger and juiceshopAddr are defined elsewhere in the full script.
// ScriptVars is the ZAP class used to share values between scripts.
var ScriptVars = Java.type("org.zaproxy.zap.extension.script.ScriptVars");

function messageHandler(ctx, msg) {
    // Only responses carry the token; ignore requests coming from the browser.
    if (ctx.isFromClient()) {
        return;
    }
    var url = msg.getRequestHeader().getURI().toString();
    logger("messageHandler " + url);
    // Match only the request whose response carries the token (commenting this
    // condition out leaves an unmatched closing brace and parses every response).
    if (url === juiceshopAddr + "rest/user/login" && msg.getRequestHeader().getMethod() === "POST") {
        var json = JSON.parse(msg.getResponseBody().toString());
        //logger(json)
        var token = json.authentication.access_token;
        logger("Saving Juice Shop token");
        // save the authentication token
        ScriptVars.setGlobalVar("juiceshop.token", token);
    }
}


Simon Bennetts

Feb 17, 2023, 6:55:42 AM2/17/23
to OWASP ZAP User Group
That links to all of the scripts used.

FYI, in general it is not the responsibility of an authentication script to extract the session token.
That's the responsibility of the session management handling (which can be a script or one of the other methods).

The reason for that is that authentication and session handling are handled differently by different apps - by splitting them in ZAP we can handle all of the possibilities.

Cheers,

Simon
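To make the split Simon describes concrete, here is an added example of a ZAP session-management script (not the thread's script and not one shipped with ZAP). It assumes, purely for illustration, an app whose password POST to a path containing /login sets a cookie named SESSIONID and whose later POST to a path containing /token returns {"access_token": "..."}, with both needed on every request; the function names and the sessionWrapper calls follow ZAP's session-management script template, and the Java list helpers exist because the script engine hands back java.util.List objects:

```javascript
// Added example of a ZAP "Session Management" script (not the thread's
// authentication script). Assumed app behaviour, not taken from the thread:
// the login POST sets cookie SESSIONID; a later POST to /token returns
// {"access_token": "..."}; both must be replayed on every request.
var LOGIN_URL_PART = "/login";     // assumed path of the password POST
var TOKEN_URL_PART = "/token";     // assumed path of the token POST
var SESSION_COOKIE = "SESSIONID";  // assumed session cookie name

// Java lists (Nashorn/Graal interop) expose size()/get(); plain arrays do not.
function listLength(list) { return typeof list.size === "function" ? list.size() : list.length; }
function listGet(list, i) { return typeof list.get === "function" ? list.get(i) : list[i]; }

// Called by ZAP for every message in the context: collect the identifiers,
// which here arrive in two different responses, into the session object.
function extractWebSession(sessionWrapper) {
    var msg = sessionWrapper.getHttpMessage();
    var session = sessionWrapper.getSession();
    var url = msg.getRequestHeader().getURI().toString();
    var method = msg.getRequestHeader().getMethod();

    if (method === "POST" && url.indexOf(LOGIN_URL_PART) !== -1) {
        var cookies = msg.getResponseHeader().getHttpCookies();
        for (var i = 0; i < listLength(cookies); i++) {
            var c = listGet(cookies, i);
            if (String(c.getName()) === SESSION_COOKIE) {
                session.setValue("cookie", String(c.getValue()));
            }
        }
    }
    if (method === "POST" && url.indexOf(TOKEN_URL_PART) !== -1) {
        var body = String(msg.getResponseBody().toString());
        try {
            var token = JSON.parse(body).access_token;
            if (token) { session.setValue("access_token", String(token)); }
        } catch (e) {
            // Not JSON (error page, redirect): keep whatever was saved before.
        }
    }
}

// Remove everything that identifies the session so ZAP can test access
// without it (setting a header to null removes it).
function clearWebSessionIdentifiers(sessionWrapper) {
    var header = sessionWrapper.getHttpMessage().getRequestHeader();
    header.setHeader("Authorization", null);
    header.setHeader("Cookie", null);
}

// Rewrite an outgoing request so it carries the saved identifiers.
function processMessageToMatchSession(sessionWrapper) {
    var header = sessionWrapper.getHttpMessage().getRequestHeader();
    var session = sessionWrapper.getSession();
    var cookie = session.getValue("cookie");
    var token = session.getValue("access_token");
    if (cookie) { header.setHeader("Cookie", SESSION_COOKIE + "=" + cookie); }
    if (token) { header.setHeader("Authorization", "Bearer " + token); }
}

function getRequiredParamsNames() { return []; }
function getOptionalParamsNames() { return []; }
```

The point of the script is that it accumulates state across responses: the cookie is saved when the login response passes through and the token when the later /token response does, which is the case the built-in header-based method cannot cover on its own.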

Abhishek Jha

Feb 17, 2023, 7:01:09 AM2/17/23
to OWASP ZAP User Group
Hi Simon, actually I am referring to the same script. When I set the URI according to my application, it fails the stats test in the spider and logs "No token".
My question is which token we are referring to in the script: is it the access token or the session token? It is simply stated as "token" in there.

Simon Bennetts

Feb 17, 2023, 7:11:13 AM2/17/23
to OWASP ZAP User Group
OK, so .. first question - do you need to use a browser to authenticate to your app?

FYI the script just uses session tokens.

Abhishek Jha

Feb 17, 2023, 7:18:12 AM2/17/23
to OWASP ZAP User Group
Yes, I guess I have no other way; I need to use a browser for that since my application is using SSO.

Abhishek Jha

Feb 21, 2023, 6:01:17 AM2/21/23
to OWASP ZAP User Group
Hi Simon, as you mentioned that the script uses the session token, I was watching the video embedded in this blog post: https://www.zaproxy.org/docs/authentication/session-handling/

There it was clear that when we made a POST request to the /whoami endpoint with the username and password, the response was a token. But in my case the POST request where the username and password are passed returns a cookie with loads of params (Set-Cookie username and a whole lot of things, along with a Keycloak id), but it does not return any token.
And then there is another POST after that to the /token endpoint which returns an access token. So my question is which POST should I consider using?

Simon Bennetts

Feb 21, 2023, 8:00:04 AM2/21/23
to OWASP ZAP User Group
You need to work out how your application maintains its session.
To do that you really need to find a suitable verification URL: https://www.zaproxy.org/docs/authentication/finding-a-verification-url/
Once you have done that then you can:
  • Login via your browser
  • Request the verification URL you have chosen in your browser
This should work.
You can then replay the request for the verification URL in ZAP, removing any cookies or headers that you think are used for maintaining the session, one at a time.
If the request fails then you know that cookie or header is used for session management.

You then need to work out which responses contain these cookies and/or headers.
If it is just one response then that is the one you need to return from the authentication script.
You will then be able to choose which ones to use in the Header Based Session Management method: https://www.zaproxy.org/docs/desktop/addons/authentication-helper/session-header/

If they are returned across multiple responses then you will need to collect them yourself.
You will also probably need to create a custom script for session management.

Does that make sense?

Cheers,

Simon
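The elimination procedure in the reply above, as an added example that is not part of the original thread: a function drops each cookie and header of the captured verification request one at a time and keeps the ones whose removal makes the check fail, then looks up which captured responses issued them to decide between the header-based method and a custom script. Everything here is constructed: the request, the responses, the cookie and header names, and stubVerify, which stands in for replaying the verification URL in ZAP and (by assumption) accepts only when both the SESSIONID cookie and the bearer token are present.

```javascript
"use strict";

// Constructed capture of the verification request the browser sends after an
// SSO login. Names and values are made up for this example.
const captured = {
  cookies: { SESSIONID: "3f9a0c1e", locale: "en", username: "abhishek" },
  headers: {
    Authorization: "Bearer eyJhbGciOiJub25lIn0.e30.sig",
    Accept: "application/json",
    "X-Requested-With": "XMLHttpRequest",
  },
};

// Constructed stand-in for "replay the verification URL": the assumed app
// needs the SESSIONID cookie and the bearer token, and nothing else.
function stubVerify(request) {
  return request.cookies.SESSIONID === captured.cookies.SESSIONID &&
    request.headers.Authorization === captured.headers.Authorization;
}

function without(obj, key) {
  const copy = Object.assign({}, obj);
  delete copy[key];
  return copy;
}

function onlyKeys(obj, keys) {
  const copy = {};
  keys.forEach((k) => { copy[k] = obj[k]; });
  return copy;
}

// Step 1 of the reply: remove each cookie/header one at a time; whatever
// breaks the verification URL is part of the session.
function findSessionIdentifiers(request, verify) {
  if (!verify(request)) {
    throw new Error("verification URL fails with the full request; choose another URL");
  }
  const cookies = Object.keys(request.cookies).filter(
    (name) => !verify({ cookies: without(request.cookies, name), headers: request.headers }));
  const headers = Object.keys(request.headers).filter(
    (name) => !verify({ cookies: request.cookies, headers: without(request.headers, name) }));
  // Cross-check: one-at-a-time removal misses identifiers that are individually
  // redundant (either of two alone keeps the session), so confirm that the
  // identified set on its own still passes.
  const sufficient = verify({
    cookies: onlyKeys(request.cookies, cookies),
    headers: onlyKeys(request.headers, headers),
  });
  return { cookies, headers, sufficient };
}

// Step 2: which captured responses issue those identifiers? Cookies come from
// Set-Cookie; a header value (minus the "Bearer " scheme) is searched for in
// response bodies, since tokens like the /token one arrive in JSON.
function locateIssuers(identifiers, request, responses) {
  const issuers = {};
  identifiers.cookies.forEach((name) => {
    issuers["cookie:" + name] = responses
      .filter((r) => r.setCookies.indexOf(name) !== -1).map((r) => r.url);
  });
  identifiers.headers.forEach((name) => {
    const token = request.headers[name].replace(/^Bearer\s+/, "");
    issuers["header:" + name] = responses
      .filter((r) => r.body.indexOf(token) !== -1).map((r) => r.url);
  });
  return issuers;
}

// All identifiers from one response: ZAP's header-based session management
// can pick them up. Spread over several: a custom session-management script.
function recommend(issuers) {
  const urls = new Set();
  Object.keys(issuers).forEach((k) => issuers[k].forEach((u) => urls.add(u)));
  return urls.size <= 1 ? "header-based session management" : "custom session management script";
}

// Constructed captures of the login flow's responses.
const responses = [
  { url: "https://sso.example/auth", setCookies: ["SESSIONID", "locale", "username"], body: "" },
  { url: "https://sso.example/token", setCookies: [],
    body: '{"access_token":"eyJhbGciOiJub25lIn0.e30.sig","expires_in":300}' },
  { url: "https://app.example/whoami", setCookies: [], body: '{"user":"abhishek"}' },
];

const ids = findSessionIdentifiers(captured, stubVerify);
const where = locateIssuers(ids, captured, responses);
console.log(ids, where, recommend(where));
```

The `sufficient` flag is the check to watch: if it comes back false, the app accepts more than one identifier on its own, and the one-at-a-time pass will have reported none of them, so you have to remove them in groups instead.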

Abhishek Jha

Feb 21, 2023, 8:04:13 AM2/21/23
to OWASP ZAP User Group

Yes, that makes perfect sense, Simon. Thanks for your help. I will try using this method.