Issue while providing username/Password with context


Jui k

Oct 5, 2020, 8:08:21 AM
to OWASP ZAP User Group
Hi,

I want to automate ZAP scan for my site by using context for authentication,
But when I check the form-based authentication details after providing the username/password on the webpage, they are not getting captured in the context's authentication details.

Following are the HTML elements for username and password:

Username:
<input class="inputBox input" type="text" aria-describedby="" placeholder="Username" id="47:2;a" data-aura-rendered-by="51:2;a" data-interactive-lib-uid="2">

Password:
<input class="inputBox input" type="password" aria-describedby="" placeholder="Password" id="59:2;a" data-aura-rendered-by="63:2;a" data-interactive-lib-uid="3">

Please let me know the solution.
Thanks in advance!

~Jui

Simon Bennetts

Oct 5, 2020, 8:22:23 AM
to OWASP ZAP User Group
Hiya,

Can you explain in a bit more detail what you are doing and the problems you are experiencing?
Have a look at this FAQ for more details about setting up form based authentication: https://www.zaproxy.org/faq/how-can-zap-automatically-authenticate-via-forms/

Cheers,

Simon

Jui k

Oct 7, 2020, 6:52:31 AM
to zaprox...@googlegroups.com
Hi,

I want to scan the pages of the following Salesforce site, which requires login with a username and password.
So, as suggested in the ZAP tutorial, I am using a context for authentication and have followed the steps.
But the issue I am facing is that in form-based authentication the username and password are not getting recorded in the context. PFA the screenshot of the context form.


Thanks!

~Jui

ZAP_Screenshot1.png

Simon Bennetts

Oct 7, 2020, 8:06:32 AM
to OWASP ZAP User Group
I've just had a quick look at this site and TBH it could prove 'tricky'.
ZAP will be able to handle it, but it will take some non-trivial configuring.

I submitted a username and password of ZAP and that resulted in a series of requests including a POST to https://thermo-psl-hc-solutions.cs36.force.com/employee/s/sfsites/aura?r=4&applauncher.LoginForm.login=1
  • message=%7B%22actions%22%3A%5B%7B%22id%22%3A%22114%3Ba%22%2C%22descriptor%22%3A%22apex%3A%2F%2Fapplauncher.LoginFormController%2FACTION%24login%22%2C%22callingDescriptor%22%3A%22markup%3A%2F%2FsalesforceIdentity%3AloginForm2%22%2C%22params%22%3A%7B%22username%22%3A%22ZAP%22%2C%22password%22%3A%22ZAP%22%2C%22startUrl%22%3A%22%2Femployee%2Fs%2F%22%7D%2C%22version%22%3A%2250.0%22%7D%5D%7D&aura.context=%7B%22mode%22%3A%22PROD%22%2C%22fwuid%22%3A%22r9KGPExoo3AsD7hYz77h_Q%22%2C%22app%22%3A%22siteforce%3AloginApp2%22%2C%22loaded%22%3A%7B%22APPLICATION%40markup%3A%2F%2Fsiteforce%3AloginApp2%22%3A%22vnhBtFVfVynX5gzVl_c_-A%22%7D%2C%22dn%22%3A%5B%5D%2C%22globals%22%3A%7B%7D%2C%22uad%22%3Afalse%7D&aura.pageURI=%2Femployee%2Fs%2Flogin%2F%3Fec%3D302%26startURL%3D%252Femployee%252Fs%252F&aura.token=undefined
Obviously I don't have valid credentials, so I can't see what other requests are involved for a valid login.
But looking at the other requests, I suspect that you will really need to log in using a browser.
I show how you can do this in the ZAP in Ten ADDO Workshop videos on https://www.alldaydevops.com/zap-in-ten
I recommend watching all of the Workshop videos, as what you will need to do is non-trivial and so you will need a fairly good understanding of what ZAP expects.

Cheers,

Simon

Jui k

Oct 7, 2020, 10:17:56 AM
to zaprox...@googlegroups.com
Thanks a lot for your response!!

I have gone through the Ten ADDO videos you shared, and they are really nice and helpful.
The issues I am facing are:
   1. How can I get the parameters from the POST request, like username and password, the way you used them in the video?
   2. As you suggested to log in using a browser: do you mean directly from the browser, or from the context?

As no relevant POST request is found in my application, is there any workaround I can use?

It would be really helpful.

Thanks!

~Jui


Jui k

Oct 8, 2020, 5:45:22 AM
to zaprox...@googlegroups.com
Hi,

I have seen that all the POST requests go in the same format for all the pages inside, after logging in, so I am not able to create a context for authentication.
I gave the HUD a try so that I could scan each page individually, but that also does not get enabled for this site in Firefox.
I also tried to provide the link of each individual page directly in the automated scan, but since login is required it still lands on the home page for login.
Is there any workaround I can try in ZAP for my application?

e.g.:

message=%7B%22actions%22%3A%5B%7B%22id%22%3A%2212305%3Ba%22%2C%22descriptor%22%3A%22serviceComponent%3A%2F%2Fui.instrumentation.components.beacon.InstrumentationBeaconController%2FACTION%24sendData%22%2C%22callingDescriptor%22%3A%22UNKNOWN%22%2C%22params%22%3A%7B%22batch%22%3A%5B%7B%22topic%22%3A%22ailtn%22%2C%22schemaType%22%3A%22LightningInteraction%22%2C%22payload%22%3A%22%7B%5C%22id%5C%22%3A%5C%22ltng%3Ainteraction%5C%22%2C%5C%22ts%5C%22%3A799523%2C%5C%22pageStartTime%5C%22%3A1602134648730%2C%5C%22owner%5C%22%3Anull%2C%5C%22unixTS%5C%22%3Afalse%2C%5C%22eventType%5C%22%3A%5C%22system%5C%22%2C%5C%22eventSource%5C%22%3A%5C%22locker-method-data%5C%22%2C%5C%22attributes%5C%22%3A%7B%5C%22document.getElementById%5C%22%3A261%2C%5C%22cdnEnabled%5C%22%3Afalse%2C%5C%22uriDefsEnabled%5C%22%3Afalse%2C%5C%22gates%5C%22%3A%7B%7D%7D%2C%5C%22locator%5C%22%3Anull%2C%5C%22sequence%5C%22%3A92%2C%5C%22page%5C%22%3A%7B%5C%22context%5C%22%3A%5C%22home%5C%22%2C%5C%22attributes%5C%22%3A%7B%5C%22url%5C%22%3A%5C%22%2Femployee%2Fs%2F%5C%22%7D%7D%7D%22%7D%5D%2C%22traces%22%3A%22%5B%5D%22%2C%22metrics%22%3A%22%5B%7B%5C%22owner%5C%22%3A%5C%22lds%5C%22%2C%5C%22name%5C%22%3A%5C%22store-size-count%5C%22%2C%5C%22type%5C%22%3A%5C%22PercentileHistogram%5C%22%2C%5C%22ts%5C%22%3A1602135448256%2C%5C%22value%5C%22%3A%5B613%5D%7D%2C%7B%5C%22owner%5C%22%3A%5C%22lds%5C%22%2C%5C%22name%5C%22%3A%5C%22store-watch-subscriptions-count%5C%22%2C%5C%22type%5C%22%3A%5C%22PercentileHistogram%5C%22%2C%5C%22ts%5C%22%3A1602135448257%2C%5C%22value%5C%22%3A%5B2%5D%7D%2C%7B%5C%22owner%5C%22%3A%5C%22lds%5C%22%2C%5C%22name%5C%22%3A%5C%22store-snapshot-subscriptions-count%5C%22%2C%5C%22type%5C%22%3A%5C%22PercentileHistogram%5C%22%2C%5C%22ts%5C%22%3A1602135448257%2C%5C%22value%5C%22%3A%5B0%5D%7D%5D%22%7D%7D%5D%7D&aura.context=%7B%22mode%22%3A%22PROD%22%2C%22fwuid%22%3A%22r9KGPExoo3AsD7hYz77h_Q%22%2C%22app%22%3A%22siteforce%3AcommunityApp%22%2C%22loaded%22%3A%7B%22APPLICATION%40markup%3A%2F%2Fsiteforce%3AcommunityApp%22%3A%22
44aIzVeNcWOtblkvfNnA2A%22%2C%22COMPONENT%40markup%3A%2F%2FforceCommunity%3AobjectHome%22%3A%22J0AC3jPc_mlBh6y6BhDZYw%22%2C%22COMPONENT%40markup%3A%2F%2Fforce%3AinputField%22%3A%22wVdeCIC5qRPvrwSA_stS8A%22%2C%22COMPONENT%40markup%3A%2F%2FforceCommunity%3ArecordDetail%22%3A%22M2vLZ6mu0fU_Bv5dOKNKdg%22%7D%2C%22dn%22%3A%5B%5D%2C%22globals%22%3A%7B%22density%22%3A%22VIEW_ONE%22%7D%2C%22uad%22%3Afalse%7D&aura.pageURI=%2Femployee%2Fs%2F&aura.token=eyJub25jZSI6ImJHM25lR3RCb0swdzFRdU1GNDBNUTRrbHNSUjhucTZHV3UwZXdUejZpelFcdTAwM2QiLCJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiIsImtpZCI6IntcInRcIjpcIjAwRDJoMDAwMDAwOGI0aFwiLFwidlwiOlwiMDJHMmgwMDAwMDAwWXFYXCIsXCJhXCI6XCJjYWltYW5zaWduZXJcIn0iLCJjcml0IjpbImlhdCJdLCJpYXQiOjE2MDIxMzQ2NzY3MTcsImV4cCI6MH0%3D..Z2v6HORCFtO7OsROKluRx-DI94MpUyWRJAWXQ68vVfA%3D

Thanks!!

~Jui
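Both POST bodies quoted in this thread (Simon's login submission of Oct 7 and Jui's Oct 8 request) go to the same Aura endpoint and carry their real payload in a URL-encoded `message` field, which is why the requests look alike in the ZAP history. The script below, an added example and not part of the thread or of ZAP, decodes that field, tells a login action apart from a telemetry action by checking whether its `params` carry `username` and `password`, and rewrites the login body with ZAP's form-based authentication placeholders `{%username%}` / `{%password%}` (the convention described in the FAQ Simon linked). The two sample bodies are constructed and abbreviated from the descriptors visible in the thread; the `aura.token` value in the second one is a placeholder.

```python
import json
from urllib.parse import parse_qs, quote_plus, urlencode

# Constructed sample bodies, modelled on the two requests quoted in the thread
# (the login form submission and the instrumentation beacon), abbreviated.
LOGIN_BODY = urlencode({
    "message": json.dumps({"actions": [{
        "id": "114;a",
        "descriptor": "apex://applauncher.LoginFormController/ACTION$login",
        "callingDescriptor": "markup://salesforceIdentity:loginForm2",
        "params": {"username": "ZAP", "password": "ZAP",
                   "startUrl": "/employee/s/"},
        "version": "50.0"}]}),
    "aura.context": json.dumps({"mode": "PROD", "app": "siteforce:loginApp2"}),
    "aura.pageURI": "/employee/s/login/",
    "aura.token": "undefined",
})

BEACON_BODY = urlencode({
    "message": json.dumps({"actions": [{
        "id": "12305;a",
        "descriptor": "serviceComponent://ui.instrumentation.components."
                      "beacon.InstrumentationBeaconController/ACTION$sendData",
        "callingDescriptor": "UNKNOWN",
        "params": {"batch": [], "traces": "[]", "metrics": "[]"}}]}),
    "aura.context": json.dumps({"mode": "PROD", "app": "siteforce:communityApp"}),
    "aura.pageURI": "/employee/s/",
    "aura.token": "PLACEHOLDER-JWT",  # constructed placeholder, not a real token
})


def decode_aura_body(body):
    """Return (actions, aura_token) from a form-encoded Aura POST body.

    `message` is a JSON document whose `actions` list holds the real
    server calls; everything else in the body is framework context."""
    fields = parse_qs(body, keep_blank_values=True)
    message = json.loads(fields["message"][0])
    token = fields.get("aura.token", [""])[0]
    return message.get("actions", []), token


def find_login_action(actions):
    """Return the first action whose params carry both a username and a
    password (the fields a form-based login must substitute), else None."""
    for action in actions:
        params = action.get("params", {})
        if "username" in params and "password" in params:
            return action
    return None


def login_template(body):
    """Rewrite a login body with ZAP's {%username%}/{%password%} placeholders,
    keeping every other field intact.  Returns None when the body carries no
    login action, so telemetry requests are never mistaken for the login."""
    fields = parse_qs(body, keep_blank_values=True)
    message = json.loads(fields["message"][0])
    found = False
    for action in message.get("actions", []):
        params = action.get("params", {})
        if "username" in params and "password" in params:
            params["username"] = "{%username%}"
            params["password"] = "{%password%}"
            found = True
    if not found:
        return None
    fields["message"] = [json.dumps(message)]
    encoded = urlencode({k: v[0] for k, v in fields.items()})
    # ZAP looks for the literal placeholders, so undo their percent-encoding.
    for token in ("{%username%}", "{%password%}"):
        encoded = encoded.replace(quote_plus(token), token)
    return encoded


if __name__ == "__main__":
    for label, body in (("login", LOGIN_BODY), ("beacon", BEACON_BODY)):
        actions, token = decode_aura_body(body)
        hit = find_login_action(actions)
        print(label, "->", [a["descriptor"] for a in actions],
              "| login action:", hit is not None, "| aura.token:", token)
    print(login_template(LOGIN_BODY))
```

Running this against bodies copied from ZAP's request panel (paste the raw body in place of the constructed samples) shows which of the near-identical Aura POSTs is the one to configure as the login request, and prints the body with the placeholders ZAP substitutes. The `aura.token` of a fresh login is `undefined`, while later requests carry a signed token, which is the value ZAP would have to track if you script the session rather than logging in from a browser.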

Simon Bennetts

Oct 8, 2020, 7:20:54 AM
to OWASP ZAP User Group
Can you explain what your end goal is here?
Do you just want to scan ZAP using the Desktop or do you want to automate the scans?
If you are happy just using the desktop then you can launch your browser from ZAP with the HUD disabled and then manually authenticate.
If you want to set up automation with ZAP then you will need to configure ZAP to understand how your application authenticates and manages its sessions. And to do that you will need to understand them yourself.

Cheers,

Simon

Jui k

Oct 8, 2020, 9:44:39 AM
to zaprox...@googlegroups.com
Hi Simon,

Just for now I will use the desktop application and scan the pages as you suggested.
I want to automate the scan but am facing issues with authentication.

Will try to explore it more.

Thanks a lot for your suggestions!!

Regards,
Jui
