manual request editor and authentication


JLK

Mar 26, 2018, 5:17:03 PM3/26/18
to OWASP ZAP User Group
Does the Default Context have any impact on the Manual Request Editor?  

Does the HTTP Session's Active session have any impact on the Manual Request Editor?

Does Forced User Mode have any impact on the Manual Request Editor?

When I reissue a request I'm not sure what is happening with authentication.

JLK

Apr 5, 2018, 1:45:22 PM4/5/18
to OWASP ZAP User Group
I can't help but think there is some bug or something not well explained around session handling.  For instance in the Manual Request Editor there is a little disabled button.  When describing this "cookie" button the help for the Manual Request Editor refers to the Edit menu.  The Edit menu is missing the items shown in its help.  

I'm not able to predict with any certainty what will happen with session handling from the manual editor.  Sometimes what is there is replaced and sometimes it is not.  Can anyone straighten me out on this? :)

One solid observation I have is this:
-from History select a request that was successful and contains a cookie with valid session data
-open this in the request editor
-remove the cookie header
-send the request
-response correctly shows the unauthorized message and is not allowed in (401)
-in the same editor go back to the request
-put the cookie header back in
-send the request
-response correctly shows the correct authorized message (200)
-in the same editor go back to the request
-remove the cookie header
-send the request
-the manual request editor put a session cookie back in before it sent the request

I did not expect the request I sent from the manual editor to be changed on that 3rd sending of the request.

thc...@gmail.com

Apr 5, 2018, 2:09:17 PM4/5/18
to zaprox...@googlegroups.com
Sorry this was on TODO to answer...

> Does the Default Context have any impact on the Manual Request Editor?

Not directly, the contexts themselves don't affect the manual requests.

> Does the HTTP Session's Active session have any impact on the Manual
> Request Editor?

It does, but it also depends which options are enabled or not (i.e.
"Enable (Global) HTTP State" and "Use current tracking session" in the
editor).

> Does Forced User Mode have any impact on the Manual Request Editor?

Ditto.

> When I reissue a request I'm not sure what is happening with authentication.

Indeed, this needs to be better explained, there are a lot of options
that affect how the cookies are handled in the manual request editor.

> The Edit menu is missing the items shown in its help.

Yes, that was moved to Options > Connection > Enable (Global) HTTP State
but the help was not updated before the main release. [1] If you use a
weekly release the help will be updated. [2] Though it does not explain
in depth (yet) all the states...

> I did not expect the request I sent from the manual editor to be changed on
> that 3rd sending of the request.

Most likely the server set a cookie and the manual request editor
started to send it in the following request.


I'll try to update the help to explain all the states in the following days.



[1] https://github.com/zaproxy/zaproxy/issues/4280
[2] https://github.com/zaproxy/zaproxy/wiki/Downloads#zap-weekly

Best regards.

On 05/04/18 18:45, JLK wrote:
> I can't help but think there is some bug or something not well explained
> around session handling. For instance in the Manual Request Editor there
> is a little disabled button. When describing this "cookie" button the help
> for the Manual Request Editor refers to the Edit menu. The Edit menu is
> missing the items shown in its help.
>
> <https://lh3.googleusercontent.com/-4vynE-aq1Ww/WsZeApUnzZI/AAAAAAAABdg/ZEnJoi2JMrEMBtzPa4D9fH4EcsDEhgzjQCLcBGAs/s1600/zapeditandhelp.png>
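A toy model of the cookie handling discussed above, added here as an example and not ZAP's own code: `state_enabled` stands in for the "Enable (Global) HTTP State" option, and the server, host name and SESSIONID cookie are constructed for the demo. It replays the three sends from the earlier post and shows why the cookie comes back on the third send when state is on.

```python
# Simplified model of a global HTTP cookie state. Not ZAP's implementation;
# the host, cookie name and server behaviour below are constructed for the demo.
from http.cookies import SimpleCookie


class HttpState:
    """Per-host cookie store that behaves like a stateful HTTP client."""

    def __init__(self, enabled):
        self.enabled = enabled      # stands in for "Enable (Global) HTTP State"
        self.jar = {}               # host -> {cookie name: value}

    def prepare(self, host, headers):
        """Return the headers that would actually go on the wire."""
        headers = dict(headers)
        stored = self.jar.get(host)
        # State only fills in a Cookie header the user did not supply.
        if self.enabled and stored and "Cookie" not in headers:
            headers["Cookie"] = "; ".join(f"{k}={v}" for k, v in stored.items())
        return headers

    def absorb(self, host, response_headers):
        """Record Set-Cookie values from a response, if state is on."""
        if not self.enabled:
            return
        for name, value in response_headers:
            if name.lower() == "set-cookie":
                parsed = SimpleCookie()
                parsed.load(value)
                self.jar.setdefault(host, {}).update(
                    {k: m.value for k, m in parsed.items()})


def fake_server(headers):
    """Constructed target: 200 plus Set-Cookie when the session cookie is valid, else 401."""
    if "SESSIONID=abc123" in headers.get("Cookie", ""):
        return 200, [("Set-Cookie", "SESSIONID=abc123; Path=/; HttpOnly")]
    return 401, []


def replay(state_enabled):
    """Replay the three sends from the post; returns (status, Cookie sent) per send."""
    state = HttpState(state_enabled)
    host = "app.example"
    # 1) cookie header removed, 2) put back, 3) removed again
    sends = [{}, {"Cookie": "SESSIONID=abc123"}, {}]
    results = []
    for user_headers in sends:
        wire = state.prepare(host, user_headers)
        status, resp_headers = fake_server(wire)
        state.absorb(host, resp_headers)    # the 200 response's Set-Cookie lands here
        results.append((status, wire.get("Cookie")))
    return results
```

With state enabled the third send goes out with the cookie the server set on the second response; with state disabled it is the 401 the user expected.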

Ramesh Babu M S

May 31, 2018, 6:29:10 AM5/31/18
to OWASP ZAP User Group
hi,

I do have one question here.

Whenever I try to use manual request editor to send a request, I always get 401 - Unauthorized: Access is denied due to invalid credentials. I have enabled Global HTTP State and using cookie button before sending the request. I have also enabled forced user mode. What am I missing here? Any help would be greatly helpful. Thanks in advance.