ZAP Automation not going beyond login page


deprinc2024

Mar 14, 2024, 10:32:40 AM
to ZAP User Group
Hello All,

I am getting started with ZAP (desktop on Windows) for the first time, on an app that has authentication. 
Manually, I have no issue but when using ZAP automation, I do have an issue. 
I created a simple browser-based context using the authentication tester, with a username and password, as explained here: https://www.zaproxy.org/docs/authentication/auto-detection/.
I then use this context in my automation, with a spider and spiderAjax job. In both cases, the login is successful but nothing happens after. 
I expected that the spider or spiderAjax jobs will scan pages in my application after the login but it seems to stop after the login page. 
This is the same behaviour if I right-click on the context and select "Spider Ajax". I see only requests to static files (.css, js, imgs). 
Am I missing something? 

Thanks in advance, any input is much appreciated.
Kind regards,
Prince

Simon Bennetts

Mar 14, 2024, 12:41:14 PM
to ZAP User Group
Hiya Prince,

Change your context to use a non-headless browser, if you haven't done that already.
Then just run an authenticated AJAX Spider scan.

You should see browsers being launched, logging in, and then exploring your site.
If not then you may still get useful clues as to what's going wrong.

I have seen apps which can take a long time to initialise, so long that the AJAX Spider exits first.
Those sorts of things can hopefully be fixed, but first we need to work out what's going wrong.

Cheers,

Simon
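As an added example (not part of Simon's reply, nor taken from the ZAP project's documentation), here is what this advice looks like as an Automation Framework plan fragment: a context using the browser-based authentication method with a visible Chrome, followed by an authenticated AJAX Spider job. The hostnames, context and user names, and credentials are placeholders.

```yaml
# Added example plan (not from the thread or the ZAP docs). All URLs, names
# and credentials below are placeholders to be replaced for a real target.
env:
  contexts:
    - name: "jsf-app"
      urls:
        - "https://app.example.test"          # placeholder application root
      includePaths:
        - "https://app.example.test/.*"
      authentication:
        method: "browser"                     # the browser-based method the auth tester creates
        parameters:
          loginPageUrl: "https://app.example.test/login"   # placeholder login page
          loginPageWait: 5                    # seconds to let a slow (JSF) page finish rendering
          browserId: "chrome"                 # visible browser; "chrome-headless" would hide it
      sessionManagement:
        method: "autodetect"
      users:
        - name: "test-user"
          credentials:
            username: "PLACEHOLDER_USER"
            password: "PLACEHOLDER_PASSWORD"
jobs:
  - type: spiderAjax
    parameters:
      context: "jsf-app"
      user: "test-user"                       # run authenticated as the context user
      browserId: "chrome"                     # launch visible browsers so login and exploration can be watched
      numberOfBrowsers: 1
      maxDuration: 10                         # minutes; raise it if the app is slow to initialise
      inScopeOnly: true
```

With the browser visible, the login and any subsequent navigation (or lack of it) can be observed directly while the job runs.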

deprinc2024

Mar 15, 2024, 7:35:37 AM
to ZAP User Group
Hello Simon,

First of all, thank you for your fast response.

My context is already using a non headless browser, Chrome.
When I run an authenticated AJAX Spider scan, I see the same behavior. 

Basically, the browser is launched, the login is successful but no other site page is scanned. 
I see requests made for static files (.css, js, images) which are referenced on the home page, but no request for any other page.
The cycle is repeated a few times, i.e. the browser is launched again, login successful, but nothing else.

When I explore the application manually, I can see the pages which I visit, in the site tree. But this does not happen automatically.
I would like to explore the other pages of the application as well.
I am wondering if this might be related to the fact that our application is built with JSF and the pages are rendered dynamically?

Kind regards,
Prince

Simon Bennetts

Mar 15, 2024, 11:31:24 AM
to ZAP User Group
Hi Prince,

Can you share some snippets of how the links and forms appear in the DOM?
A simple standalone PoC would be best of course, but I appreciate that will be more work.
It's difficult to debug such problems with nothing to go on :)

Cheers,

Simon

deprinc2024

Mar 20, 2024, 12:52:51 PM
to ZAP User Group
Hi Simon,

Here is a screenshot of the tree window:

tree_window.png

Here is a screenshot of the Authentication Test context settings:
authentication_context.png

Finally, a screenshot of the tree window after running the Ajax scan. It's almost the same as before, just a lot more login requests. No other application page is identified.
tree_window_ajax_scan.png

Would this be ok? Otherwise please let me know if you need more information.

Kind regards,
Prince

Simon Bennetts

Mar 22, 2024, 11:32:43 AM
to ZAP User Group
Hi Prince,

I asked for some snippets of how the links and forms appear in the DOM :)
Those screenshots don't give that.

Also, do you definitely see that ZAP has successfully logged in when you look at the browsers launched by the AJAX Spider?

Cheers,

Simon

deprinc2024

Mar 22, 2024, 12:28:13 PM
to ZAP User Group
Hi Simon,

My apologies for that. 
Yes, when I launch the AJAX Spider, I can see that ZAP has successfully logged in to the application. I can see the homepage.
I assume I do not need to specifically configure ZAP to look beyond the login page? It seems to stop as soon as it logs in.

Please find below a screenshot of the DOM. 
It shows the home page, after the login. I have highlighted (underlined) the main form and some links.
The links do not appear to have references but the JSF framework handles the navigation.

dom.png

Kind regards,
Prince

Simon Bennetts

Mar 25, 2024, 8:36:55 AM
to ZAP User Group
Hi Prince,

Why do frameworks do this??
That was a rhetorical question by the way, I don't expect you to answer it :)

You will see that the links just use an href of "#" - if they had something in there we could use then it could be so much easier.
Are you using any other JS frameworks?

We know that the AJAX Spider can struggle to explore some specific UI controls.
I cannot tell if that's the case here, but the fact that it's not exploring further implies it's having problems.
We do have a client add-on which can pull data from the DOM, but there's not enough useful info in there, thanks to JSF :(

Do you have any unit tests that drive your UI, e.g. using Selenium or similar?
If not .. are you thinking of writing any?

Cheers,

Simon

deprinc2024

Mar 25, 2024, 10:57:49 AM
to ZAP User Group
Hi Simon,

Thanks for your response.
I had the same thought :) Indeed, I can imagine that it would be easier if the links had an actual target.

We are not using any JS frameworks, just plain JS.
We do have some automated tests with Selenium, using the Robot Framework, and there is no issue with identifying and clicking on elements.
Is it possible to use Selenium scripts to enhance the AJAX Spider in this case?

Kind regards,
Prince

deprinc2024

Mar 27, 2024, 3:15:54 AM
to ZAP User Group
Hi Simon, Everyone,

I am wondering if ZAP has been tested on a JSF app before?
I am trying to determine if it is possible at all. If it is, I would like to compare and see what I am doing differently please.

Kind regards,
Prince

kingthorin+zap

Mar 27, 2024, 9:26:37 AM
to ZAP User Group
I'm sure amongst our millions of monthly uses it tests a JSF app.

Have I done it personally? I don't think so.

deprinc2024

Mar 28, 2024, 9:47:31 AM
to ZAP User Group
Hello,

Alright. Thank you for your response.

Kind regards,
Prince