Authentication doesn't work


ahm3d

Feb 20, 2017, 11:03:11 AM
to OWASP ZAP User Group

I have a problem... ZAP fails to authenticate when I use the fuzzer, even when I enable the "forced user mode" by selecting the lock button.
I'm sure that the credentials are right, as I am testing my own app. (Also, the spider is working fine even without selecting the "forced user mode" button!)
Also, it is worth mentioning that the authentication worked before without selecting the "forced user mode" (I didn't know about this option until I had this problem!). I also documented the steps describing how ZAP authenticated successfully (with screenshots) before I had this problem, so I wonder where the problem came from!

For more info about how the problem occurs specifically, check step 9 under the title "Identifying the vulnerability using OWASP Zed Attack Proxy (ZAP)" in the section "Vulnerability: A3-Cross-Site Scripting (XSS)". Here is the link:
https://github.com/ahm3dhany/Broken-Web-Application#identifying-the-vulnerability-using-owasp-zed-attack-proxy-zap

thc...@gmail.com

Feb 21, 2017, 2:50:38 AM
to zaprox...@googlegroups.com
Which ZAP version were/are you using? And version of fuzzer?

Are you selecting the context/user when fuzzing?

You should not need to select the forced user mode, if scanning (fuzz, spider, active scan...) with context/user.

Best regards.

ahm3d

Feb 21, 2017, 5:41:06 AM
to OWASP ZAP User Group
Thanks for your response.

ZAP version: 2.5.0
I am scanning a specific site, so I included it in a context that I created (with form-based authentication and user credentials), and then I start fuzzing (the fuzzer does not notify me about anything related to authentication or context, so I assumed that the fuzzer is already using the context in which the site is included).

ahm3d

Feb 25, 2017, 7:21:06 AM
to OWASP ZAP User Group
Still have the problem. Could anyone help?

thc...@gmail.com

Feb 25, 2017, 7:32:09 AM
to zaprox...@googlegroups.com
The fuzzer will not automatically use the authentication, you need to add the User Message Processor. [1]

[1] https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsFuzzHttpmessageprocessors#user-message-processor

Best regards.

thc...@gmail.com

Feb 25, 2017, 7:32:34 AM
to zaprox...@googlegroups.com
Just added a comment in your other reply.

Best regards.

ahm3d

Jun 14, 2019, 7:11:11 AM
to OWASP ZAP User Group

@thc202, sorry to bring that issue up again.
I tried to use the "User Message Processor" along with the fuzzer, but it doesn't work. I tested it on both ZAP v2.7 & v2.5.

You can reproduce this issue if you try these steps under the title "Identifying the vulnerability using OWASP Zed Attack Proxy (ZAP)", even when you combine them with the "User Message Processor", as I said before.

Peter Hauschulz

Jun 14, 2019, 8:02:00 AM
to OWASP ZAP User Group
Interesting!

What is your ultimate goal here? What technology is blocking successful scanning?

It had never even occurred to me to try assigning a user to a fuzzer! Since the fuzzer is started and calibrated manually, I just use it based off a request that already contains the necessary token, session ID, cookie, etc., so I'm curious to hear your use case!

ahm3d

Jun 14, 2019, 9:15:21 AM
to OWASP ZAP User Group
What is the purpose of the "User Message Processor"? As far as I know (correct me if I'm wrong), it makes the fuzzer do the fuzzing within a certain context with a certain user.
So in my case, the page of interest that I'm fuzzing requires authentication (the user must be logged in). With the right credentials assigned to the context and the User Message Processor assigned to the fuzzer, the fuzzer nevertheless failed to take advantage of this feature.

All the steps are here:
in the section titled "Identifying the vulnerability using OWASP Zed Attack Proxy (ZAP)" under "A3-Cross-Site Scripting (XSS)".
Just add the "User Message Processor" along with the fuzzer (I didn't add this step because it didn't bring a result yet; nevertheless @thc202 told me it would work, so maybe I got the info wrong).

thc...@gmail.com

Jun 14, 2019, 9:30:04 AM
to zaprox...@googlegroups.com
The authentication is missing the logged in/out indicators, without at least one of them the authentication will not be attempted.
https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsAuthentication

Best regards.

On 14/06/2019 12:11, ahm3d wrote:
> @thc202 <https://github.com/thc202> sorry to bring that issue up again..
> I tried to use the "User Message Processor" along with the fuzzer.. but it doesn't work. I tested it on both ZAP v2.7 & v2.5.
>
> you can reproduce this issue if you tried these steps
> <https://github.com/ahm3dhany/Broken-Web-Application#identifying-the-vulnerability-using-owasp-zed-attack-proxy-zap>

Peter Hauschulz

Jun 14, 2019, 10:10:47 AM
to OWASP ZAP User Group
Right! As Thc says, the logged in/out indicators are key so it knows when to authenticate or not. 

Since fuzzing is targeted manually, I'm just wondering if you had some secret special reason to not just fuzz an already authenticated session.

kingthorin+owaspzap

Jun 14, 2019, 12:22:30 PM
to OWASP ZAP User Group
> Since fuzzing is targeted manually, I'm just wondering if you had some secret special reason to not just fuzz an already authenticated session

Because while fuzzing the session may become invalid (either due to time, or the app/infrastructure trying to protect itself).
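Added worked example (not from this thread and not ZAP's own code) tying together thc202's point that authentication is never attempted without a logged in/out indicator and kingthorin's point that a session can expire mid-fuzz: a constructed stand-in for the target expires its session after a few requests, and the fuzz loop re-authenticates only when an indicator regex reports the session is gone. `FakeApp`, the sample pages and payloads are constructed; the indicator evaluation order is my reading of ZAP's behaviour and is an assumption.

```python
import re
from typing import Optional

# Constructed sample pages (not captured from the reporter's app).
LOGGED_IN_PAGE = '<html><a href="logout.php">Logout</a> Welcome back</html>'
LOGIN_PAGE = '<html><form action="login.php"><input name="username"></form></html>'

# Regexes of the kind a ZAP context asks for as logged-in / logged-out indicators.
LOGGED_IN_RE = re.compile(r'href="logout\.php"')
LOGGED_OUT_RE = re.compile(r'<form action="login\.php"')


def session_state(body: str, logged_in_re: Optional[re.Pattern] = None,
                  logged_out_re: Optional[re.Pattern] = None) -> Optional[bool]:
    """True = authenticated, False = logged out, None = nothing to check.
    Order (assumed from ZAP docs): matching logged-in wins, then matching
    logged-out, then a configured-but-absent logged-in indicator means logged out."""
    if logged_in_re is None and logged_out_re is None:
        return None  # no indicator configured: re-authentication is never triggered
    if logged_in_re is not None and logged_in_re.search(body):
        return True
    if logged_out_re is not None and logged_out_re.search(body):
        return False
    return logged_in_re is None


class FakeApp:
    """Constructed stand-in for the target: the session dies after `ttl` requests."""
    def __init__(self, ttl: int = 3):
        self.ttl, self.requests_left = ttl, 0

    def login(self) -> None:
        self.requests_left = self.ttl

    def get(self, payload: str) -> str:
        if self.requests_left <= 0:
            return LOGIN_PAGE  # expired session: the app bounces to the login form
        self.requests_left -= 1
        return LOGGED_IN_PAGE.replace('</html>', payload + '</html>')


def fuzz(app: FakeApp, payloads, logged_in_re=None, logged_out_re=None) -> int:
    """Send each payload once; re-login only when an indicator reports logout.
    Returns how many payloads actually reached the authenticated page."""
    app.login()
    delivered = 0
    for payload in payloads:
        body = app.get(payload)
        if session_state(body, logged_in_re, logged_out_re) is False:
            app.login()  # the step the User Message Processor performs for the fuzzer
            body = app.get(payload)
        delivered += payload in body
    return delivered
```

With no indicators every request after the session expires lands on the login form and is silently counted as "sent", which is the symptom reported in this thread.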

Ahmed Hany

Jun 15, 2019, 9:44:37 AM
to zaprox...@googlegroups.com
Thanks @thc202, it worked.


Peter Hauschulz

Jun 18, 2019, 6:53:41 AM
to OWASP ZAP User Group
Good point! 