Testing Authentication Script

Mitchell

Jul 13, 2018, 9:49:04 AM
to OWASP ZAP User Group
Hey,

I am new to ZAP, and I've got a quick question.

When writing an authentication script (or any other script for that matter), is there a way to run it independent of everything else for the purpose of debugging? 
I've put together a script to capture authentication tokens for use in following requests, but I am not sure how to check if the script works, see log output from the script, or know if it is even running when I attempt to spider my webapp.

I feel like I am missing something obvious here.

Thanks!

kingthorin+owaspzap

Jul 13, 2018, 1:17:52 PM
to OWASP ZAP User Group
Just go ahead and try using it. To get console output just add some print statements.

Mitchell

Jul 13, 2018, 5:16:17 PM
to OWASP ZAP User Group
So I have tried inserting print statements for the purposes of debugging, and for an HTTP Sender script I've written I am able to see the print statements when I spider my webapp.

However, it seems like the Authentication script is either never run, or its print statements are not producing output.
The very first line of my authentication script looks like this:

    function authenticate(helper, paramsValues, credentials) {
        print("IN AUTH RIGHT NOW")
        // ... remainder of the script
    }

so it should be fairly obvious if it is running.

I am also fairly confident in how I set up the session authentication:

Where "errors" is contained in the returned message whenever a request is made that attempts to access a page without authentication. Is there a reason why the script would not execute beyond the configuration I have already done?

kingthorin+owaspzap

Jul 13, 2018, 9:04:49 PM
to OWASP ZAP User Group
I'm confused; an HTTP Sender script is not an authentication script, they're distinct types.

Mitchell

Jul 16, 2018, 8:52:09 AM
to OWASP ZAP User Group
Sorry, perhaps I worded this poorly.

I have made two separate scripts: an HTTP Sender and an Authentication script. I am able to see output from the HTTP Sender script, so I know that it is being called and I know my print statements are working correctly.
However, I am unable to see any output from my authentication script, which leads me to believe that it is not being called. 

In my authentication script's logged-out regex pattern I have tried "error" (as noted in my earlier post), which is part of the message body whenever someone makes a request without proper authentication. This does not appear to cause the script to be called.
I also attempted to set the logged-out regex to " " (a whitespace character) in an attempt to try a more general regex that should match some part of the response. This did not cause the authentication script to print any output either (suspecting it still wasn't called).

Is there any kind of setting that would prevent the Authentication script I've made from being called? I have set the authentication method to "Script-Based" and have loaded the script I've made (as shown in my above posting).

Thanks.

kingthorin+owaspzap

Jul 16, 2018, 12:22:03 PM
to OWASP ZAP User Group
Try ".*error.*".

Mitchell

Jul 17, 2018, 11:50:27 AM
to OWASP ZAP User Group
I've tried your suggestion, with the same result. 
Unfortunately it still appears the Authentication script is not being called.

kingthorin+owaspzap

Jul 17, 2018, 1:56:17 PM
to OWASP ZAP User Group
Is the script enabled in the Script tree?

Mitchell

Jul 17, 2018, 2:09:43 PM
to OWASP ZAP User Group
It doesn't appear that the enable option in the script tree is available for the authorization script.
Just for reference, I do have the option to enable/disable my HTTP sender script.

kingthorin+owaspzap

Jul 17, 2018, 2:21:10 PM
to OWASP ZAP User Group
DOH, yup auth scripts don't need that. Sorry :(

The only reason that I'm aware of that it wouldn't trigger is if the logged-in/logged-out indicators are not encountered.

thc...@gmail.com

Jul 17, 2018, 2:22:47 PM
to zaprox...@googlegroups.com
Also, check that the target (all URLs required) is in context. That would be another reason.

Best regards.

thc...@gmail.com

Jul 17, 2018, 2:24:04 PM
to zaprox...@googlegroups.com
The print statements should be shown in the Script Console tab (bottom text area); if not, the script is not running. Anyway, to be sure you could use:

    Java.type("org.parosproxy.paros.view.View").getSingleton().getOutputPanel().appendAsync("Auth called\n")

to show in the Output tab (which does not depend on the script buffers, if for some reason that was not working properly).

Best regards.

On 13/07/18 22:16, Mitchell wrote:
> So I have tried inserting print statements for the purposes of debugging,
> and for a HTTP Sender script I've written I am able to see the print
> statements I've written it when I spider my webapp.
>
> However, it seems like the the Authentication script is either never run,
> or its print statements are not producing output.
> The very first line of my authentication script looks like this:
>
> function authenticate(helper, paramsValues, credentials) {
> print("IN AUTH RIGHT NOW")
>
> so it should be fairly obvious if it is running.
>
> I am also fairly confident in how I set up the session authentication:
>
> Where "errors" is contained in the returned message whenever a request is made
> that attempts to access a page without authentication.
> Is there a reason why the script would not execute beyond the configuration I
> have already done?
>

Mitchell

Jul 17, 2018, 4:17:32 PM
to OWASP ZAP User Group
I have tried the regex "/./g" in order to try and trigger authentication on every request no matter the response. However that also had no effect.
So I think at this point I can rule out the indicators... 

Mitchell

Jul 17, 2018, 4:22:01 PM
to OWASP ZAP User Group
I currently have the base URL in the context followed by an asterisk for wildcard in the context. So long as the asterisk is a valid format this should cover all of the pages that I am concerned about.
I will have to try the running check that you've provided. If that works it should at least give me some means of debugging why the Authentication script isn't working. 

Thanks! 

thc...@gmail.com

Jul 17, 2018, 4:26:23 PM
to zaprox...@googlegroups.com
Are you using .* or just * ? (It should be the former.)

Best regards.

kingthorin+owaspzap

Jul 17, 2018, 5:51:17 PM
to OWASP ZAP User Group
.* is wildcard in Regex.

Mitchell

Jul 18, 2018, 8:45:02 AM
to OWASP ZAP User Group
Sorry, that was a typo. I am using .*

On Tuesday, July 17, 2018 at 5:51:17 PM UTC-4, kingthorin+owaspzap wrote:
> .* is wildcard in Regex.

Mitchell

Jul 18, 2018, 8:51:20 AM
to OWASP ZAP User Group
So as per thc202's suggestion I tried:
Java.type("org.parosproxy.paros.view.View").getSingleton().getOutputPanel().appendAsync("Auth called\n")
to see if print statements were not outputting to the console. However the above line also didn't produce any output.

The good news is I now know that there is no output because the Authenticator script isn't being called. The bad news is I still have no idea why it isn't being called.

Thank you for all the suggestions so far guys.
Do you have any more ideas?
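Added example, not code from the thread or from the ZAP project: a script-based authentication script laid out so that Mitchell's original wish (running it independently for debugging) and thc202's Output-tab logging both work. The request-building and token-parsing parts are pure functions that plain `node` can exercise before the script is ever attached to a context; `authenticate()` itself needs ZAP. "Login URL", the form field names and the JSON "token" key are assumed names for a hypothetical login endpoint.

```javascript
// Added example (not from the thread): ZAP script-based auth script whose
// request-building and token-parsing parts are pure functions, so they can
// be exercised with plain node before the script is attached to a context.
// "Login URL", the form fields and the JSON "token" key are assumed names.
var inZap = typeof Java !== "undefined"; // Java.type exists only inside ZAP

// Log to ZAP's Output tab when inside ZAP (thc202's suggestion), else to
// stdout, so the same call works in both environments.
function logAuth(text) {
  if (inZap) Java.type("org.parosproxy.paros.view.View").getSingleton().getOutputPanel().appendAsync(text + "\n");
  else console.log(text);
  return text;
}

// x-www-form-urlencoded login body (pure, testable).
function buildLoginBody(username, password) {
  return "username=" + encodeURIComponent(username) +
         "&password=" + encodeURIComponent(password);
}

// Session token from a JSON login response; null when the body is not JSON
// or has no non-empty "token", so authenticate() can log the failure.
function extractToken(body) {
  try {
    var t = JSON.parse(body).token;
    return (typeof t === "string" && t.length > 0) ? t : null;
  } catch (e) { return null; }
}
function authenticate(helper, paramsValues, credentials) {
  logAuth("authenticate() called"); // first line: proves the script runs
  var HttpRequestHeader = Java.type("org.parosproxy.paros.network.HttpRequestHeader");
  var HttpHeader = Java.type("org.parosproxy.paros.network.HttpHeader");
  var URI = Java.type("org.apache.commons.httpclient.URI");
  var ScriptVars = Java.type("org.zaproxy.zap.extension.script.ScriptVars");
  var msg = helper.prepareMessage();
  msg.setRequestHeader(new HttpRequestHeader(HttpRequestHeader.POST,
      new URI(paramsValues.get("Login URL"), false), HttpHeader.HTTP11));
  msg.getRequestHeader().setHeader(HttpHeader.CONTENT_TYPE, "application/x-www-form-urlencoded");
  msg.setRequestBody(buildLoginBody(credentials.getParam("Username"),
                                    credentials.getParam("Password")));
  msg.getRequestHeader().setContentLength(msg.getRequestBody().length());
  helper.sendAndReceive(msg);
  var token = extractToken(msg.getResponseBody().toString());
  if (token) ScriptVars.setGlobalVar("auth_token", token); // for an HTTP Sender script
  logAuth(token ? "login OK, token stored" :
                  "login FAILED, status " + msg.getResponseHeader().getStatusCode());
  return msg; // ZAP checks the logged-in/out indicators against this response
}
function getRequiredParamsNames() { return ["Login URL"]; }
function getOptionalParamsNames() { return []; }
function getCredentialsParamsNames() { return ["Username", "Password"]; }
```

Outside ZAP only the pure helpers run; inside ZAP the "authenticate() called" line in the Output tab is the quickest proof that the script was invoked at all.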