Http Session Tab


Anthony Fernando Amirtharaj

Feb 16, 2022, 5:09:07 AM
to OWASP ZAP User Group
Hi All,
  I am new to ZAP; I followed some of the videos on the ZAP website.

   I explored my SPA application manually and noticed that the Http Session tab is completely empty, whereas when I open Session Storage in the developer tools I can see all the sessions created by the application. Can you please tell me why that is?

kingthorin+owaspzap

Feb 16, 2022, 9:42:11 AM
to OWASP ZAP User Group
Your session token probably isn't a value known to ZAP. You can set it either from the params tab (IIRC) or through the Options dialog.

Simon Bennetts

Feb 16, 2022, 9:48:56 AM
to OWASP ZAP User Group
Ah, this is a confusion of terms.


Those are completely different to browser session storage:  https://developer.mozilla.org/en-US/docs/Web/API/Window/sessionStorage

OK, so some apps may store HTTP session details in browser session storage, but they are still logically different.

Does that make sense?

Cheers,

Simon

Anthony Fernando Amirtharaj

Feb 16, 2022, 7:35:15 PM
to OWASP ZAP User Group
Yes it does.

So that's the reason I see the authorization token in the Params tab.
So what if I want to use any of the browser session storage objects to construct a request header/body?

So when I manually test the application and later set the authorization token and anti-CSRF token, I am still having issues with the Ajax Spider. I have to use this token for further requests.

The Ajax Spider always tries to input random values for authentication.

What would be your suggestion for this?

Anthony Fernando Amirtharaj

Feb 16, 2022, 7:57:22 PM
to OWASP ZAP User Group

Just adding to my previous post.

I tried different things with auth.

1. I configured JSON auth, added a context and also set the session to HTTP so that I can alter the HTTP sender request header as per my requirement (forced user).
   -> Performed an Active Scan; the History tab shows the POST request is successful, as I monitored the request and response. (This happens only the first time; later I have to restart the session and do all the above config again.)
   -> Later I ran the Ajax Spider; nothing happens here. It doesn't go beyond the login page.
2. I have written Jython scripts for Auth, HttpSender and also SessionManagement.
   -> The auth script works fine, as I can see in the script console, and I see the HttpSender working fine as well (using this I alter the request header to add a globally set auth token). However, while the session script works, as you mentioned I am unable to retrieve browser session storage.

I am not sure where I am going wrong, or what steps I am missing here. I am not able to get past the login page.

Anthony Fernando Amirtharaj

Feb 16, 2022, 10:59:05 PM
to OWASP ZAP User Group
Hi,

Even today I tried to auth using a script; it works fine, but it either loops the login script or just triggers once, and after that nothing goes beyond the login page for me to find any vulnerabilities.

Login Page URL: https://localhost:4200/login?returnUrl=%2F

I have written an auth script which creates a custom header for the app and also the request body. It works fine.
I have also written an http_sender script for initiator.AJAX to use the globally set authorization token for further requests.

Default Context settings:

Auth: script based
          Target URL is the login page API URL
          Check Every Request - Logout regex \Q{"userid": X}\E

User: created a valid user

Session: Http Session

Forced the user (including the lock icon)


Right-clicked on the site tree, i.e. https://localhost:4200, and clicked Active Scan.

I get the following output (screenshot: script_auth.PNG).

Can you please advise me where I am going wrong? Or please let me know how to automate the Active Scan and Ajax Spider to run through the entire application to find vulnerabilities?

After being successful in this, I can start working with the ZAP API.

Thanks,
Anthony

Simon Bennetts

Feb 17, 2022, 6:50:52 AM
to OWASP ZAP User Group
Hi Anthony,

If you need to use the ajax spider to explore your app, and if the app requires the browser to maintain state then you need to inject that state into the browser using a ZAP selenium script.
I think I cover this in this video: https://play.vidyard.com/igf3A8UdZ6QAGiFjEpLH86
We are in the process of documenting this better (https://www.zaproxy.org/docs/authentication/) but as you will see it's WIP :/
Have a look at that vid and then ask any more questions you have here - your questions may well help us write that documentation :)

Cheers,

Simon
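As an added illustration of the distinction Simon draws above between ZAP's HTTP Sessions (cookie-based tokens that ZAP recognises by name) and browser sessionStorage, and of his advice to inject that state into the Ajax Spider's browser, here is a small Node.js simulation. It is not code from the thread or from ZAP: the session-cookie name list, the token value, the credentials, the server behaviour and the snapshotState/injectState helpers are all constructed for the demo, and in a real ZAP Selenium script the injection step would be done with the WebDriver's executeScript.

```javascript
// Added example (not from the ZAP project or the thread's author): a Node.js
// simulation of an SPA that keeps its token in sessionStorage, and of what an
// intercepting proxy like ZAP can see of it. All names and values are constructed.

// Cookie names the proxy treats as HTTP session tokens. ZAP has its own default
// list (Options > HTTP Sessions, names such as JSESSIONID and PHPSESSID); this
// subset is an assumption for the demo, not a copy of ZAP's list.
const SESSION_COOKIE_NAMES = new Set(["JSESSIONID", "PHPSESSID", "ASP.NET_SessionId"]);

// A minimal browser: per-tab sessionStorage plus a cookie jar.
function newBrowser() {
  return { sessionStorage: new Map(), cookies: new Map() };
}

// The SPA's login: the server sets an unrelated cookie and returns a bearer
// token in the JSON body; the app keeps that token only in sessionStorage.
function spaLogin(browser, username, password) {
  if (username !== "test@test.com" || password !== "test123") return false; // constructed creds
  browser.cookies.set("lang", "en");                                          // not a session cookie
  browser.sessionStorage.set("access_token", "eyJhbGciOi.constructed.token"); // constructed token
  browser.sessionStorage.set("userid", "42");
  return true;
}

// The SPA's fetch wrapper: the token reaches the wire only because the app
// copies it into the Authorization header on every request.
function spaRequest(browser, path) {
  const headers = {};
  if (browser.cookies.size) {
    headers.Cookie = [...browser.cookies].map(([k, v]) => `${k}=${v}`).join("; ");
  }
  const token = browser.sessionStorage.get("access_token");
  if (token) headers.Authorization = `Bearer ${token}`;
  return { method: "GET", path, headers };
}

// The proxy's view of one request: cookies with known session names would feed
// an HTTP Sessions view; everything else is just a header parameter.
function proxyView(request) {
  const cookieHeader = request.headers.Cookie || "";
  const cookieNames = cookieHeader.split(/;\s*/).filter(Boolean).map(c => c.split("=")[0]);
  return {
    httpSessionTokens: cookieNames.filter(name => SESSION_COOKIE_NAMES.has(name)),
    headerParams: Object.keys(request.headers),
    hasAuthorization: "Authorization" in request.headers,
  };
}

// The simulated server: without the bearer token it redirects to the login page.
function serverHandle(request) {
  if (request.headers.Authorization === "Bearer eyJhbGciOi.constructed.token") {
    return { status: 200, path: request.path };
  }
  return { status: 302, location: "/login?returnUrl=" + encodeURIComponent(request.path) };
}

// What a ZAP Selenium script has to do for the Ajax Spider's fresh browser:
// replay the captured sessionStorage into the new tab. With a real WebDriver
// this is driver.executeScript("sessionStorage.setItem(arguments[0], arguments[1])", k, v).
function snapshotState(browser) {
  return [...browser.sessionStorage.entries()];
}
function injectState(browser, snapshot) {
  for (const [k, v] of snapshot) browser.sessionStorage.set(k, v);
  return browser;
}

function demo() {
  const manual = newBrowser();
  spaLogin(manual, "test@test.com", "test123");
  const manualView = proxyView(spaRequest(manual, "/api/orders"));

  const spider = newBrowser(); // fresh browser: empty sessionStorage, no cookies
  const before = serverHandle(spaRequest(spider, "/api/orders"));
  injectState(spider, snapshotState(manual));
  const after = serverHandle(spaRequest(spider, "/api/orders"));
  return { manualView, before, after };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run it with node. The proxy sees an Authorization header (which is why the token shows up under Params) but no cookie it classifies as a session token, so an HTTP Sessions view stays empty; a fresh browser that has not had the sessionStorage injected is bounced to /login, which is the behaviour described for the Ajax Spider.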

Anthony Fernando Amirtharaj

Feb 21, 2022, 12:23:28 AM
to OWASP ZAP User Group
Hi Simon,
Those links were quite useful, thanks.

I was trying to use Selenium as a standalone script type.
I get the following error when I import org.openqa.selenium.By

ZAP version 2.11.1

TypeError: Access to host class org.openqa.selenium.By is not allowed or does not exist.
org.graalvm.polyglot.PolyglotException: TypeError: Access to host class org.openqa.selenium.By is not allowed or does not exist.

Script:

Testing.js
// Java classes used by the script (this Java.type lookup is what fails under Graal.js)
var By = Java.type('org.openqa.selenium.By');
var Thread = Java.type('java.lang.Thread');
// Target application and test credentials
var juiceshop = 'http://localhost:3000/';
var username = 'te...@test.com';
var password = 'test123';

// Obtain the Selenium add-on from ZAP's extension loader
var extSel = org.parosproxy.paros.control.Control.getSingleton()
    .getExtensionLoader()
    .getExtension(org.zaproxy.zap.extension.selenium.ExtensionSelenium.class);

// Launch a browser whose traffic is proxied through ZAP (first argument is the HttpSender initiator id)
var wd = extSel.getWebDriverProxyingViaZAP(1, "firefox");

I am using the Graal.js engine (screenshot: script_engine.png).

Java version: (screenshot: java_version.PNG)

Can you please advise what should be done in order to use Selenium through Graal.js, and which script type (any other except Selenium)?

Varun Borar

Mar 16, 2023, 4:22:43 AM
to OWASP ZAP User Group
Hi, 
Have you found a solution or a workaround for the same? 
I'm facing the same issue.

Thanks

Simon Bennetts

Mar 16, 2023, 5:07:31 AM
to OWASP ZAP User Group
This problem is caused by the way Graal.js loads classes.
I'm afraid the only workarounds right now are to:
  • Use Java 11 and the Oracle Nashorn JS engine
  • Use another scripting language
We are looking into alternative solutions, but so far it looks like Graal.js will not be able to do what we need.

Cheers,

Simon
