Hi,
I am having problems with a custom authentication script when using the
automation framework. This script is working fine when using the ZAP
GUI. However, when using the automation framework, the script itself is
apparently loaded but not executed.
At first, when executing the AF, everything seems to look good:
zap@11b393de008a:/zap$ zap.sh -cmd -autorun /zap/wrk/zap.yml
[...]
Job authentication set method = script
Job authentication set parameters = {UsernameField=email,
scriptEngine=Oracle Nashorn, TargetUrl=MYURL, PasswordField=password,
script=/zap/wrk/myauth.js}
[...]
Job users set name = zap
Job users set credentials = {password=supersecretpassword,
username=us...@example.org}
But the authentication script is never executed.
The log file shows something strange:
$ less ~/.ZAP/zap.log
2022-07-01 11:23:43,568 [main ] INFO ScriptBasedAuthenticationMethodType
- Successfully loaded new script for ScriptBasedAuthentication:
ScriptBasedAuthenticationMethod
[script=org.zaproxy.zap.extension.script.ScriptWrapper@4597e6e3,
paramValues={UsernameField=null, TargetUrl=null, PasswordField=null,
credentialsParamNames=[Username, Password]]
2022-07-01 11:23:43,574 [main ] INFO ScriptBasedAuthenticationMethodType
- Loaded script:myauth.js
The relevant parts of the config file:
env:
  contexts:
    - name: "myContext"
      urls:
        - "MYURL"
      [...]
      authentication:
        method: "script"
        parameters:
          script: "/zap/wrk/myauth.js"
          scriptEngine: "Oracle Nashorn"
          TargetUrl: "MYURL/login"
          UsernameField: "email"
          PasswordField: "password"
        verification:
          method: "response"
          loggedInRegex: "href=\\\"\\/logout\\/\\\">Log out<\\/a>"
          loggedOutRegex: "<title>Sign up or Sign in<\\/title>"
      sessionManagement:
        method: cookie
      users:
        - name: zap
          credentials:
            username: "us...@example.org"
            password: "supersecretpassword"
jobs:
  - type: spider
    user: zap
  - type: passiveScan-wait
    name: passiveScan-wait
    parameters:
      maxDuration: 0
I am confused as to why the script was loaded but not executed.
Logging in the script would indicate the script execution.
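For reference, this is the shape of the contract a ZAP script-based authentication script such as the loaded myauth.js has to satisfy. It is an added illustration written for this post, not the poster's script and not code from the ZAP project: it follows the function names ZAP calls in its JavaScript authentication template (authenticate, getRequiredParamsNames, getOptionalParamsNames, getCredentialsParamsNames), uses the parameter names from the YAML above (TargetUrl, UsernameField, PasswordField) and the credential names seen in the log (Username, Password), and logs on entry to authenticate() so that zap.log distinguishes "loaded" from "executed". The helper and HttpMessage method names are assumed to match ZAP's API; makeFakeHelper, buildLoginBody, dryRun and all sample values are constructed for the example so the same file can be dry-run under Node outside ZAP.

```javascript
// Added illustration of a ZAP script-based authentication script (Nashorn, ES5 syntax).
// Not the poster's myauth.js. Runs inside ZAP, or under Node via the fake helper below.

// ZAP's print() writes to the script output and zap.log; under Node fall back to console.log.
var log = (typeof print === "function") ? print : console.log;

// ZAP asks for these names when loading the script; they become the context parameters.
function getRequiredParamsNames() { return ["TargetUrl", "UsernameField", "PasswordField"]; }
function getOptionalParamsNames() { return []; }
// These become the per-user credential parameters (seen as credentialsParamNames in the log).
function getCredentialsParamsNames() { return ["Username", "Password"]; }

// Pure form-body builder, kept separate so it can be checked without ZAP.
function buildLoginBody(usernameField, passwordField, username, password) {
  return encodeURIComponent(usernameField) + "=" + encodeURIComponent(username) +
    "&" + encodeURIComponent(passwordField) + "=" + encodeURIComponent(password);
}

// HttpRequestHeader.setURI() expects an org.apache.commons.httpclient.URI inside the JVM;
// for the Node dry run a plain string is enough (assumption: constructor (String, boolean)).
function makeUri(s) {
  if (typeof Java !== "undefined") {
    var URI = Java.type("org.apache.commons.httpclient.URI");
    return new URI(s, false);
  }
  return s;
}

// ZAP calls this on every (re)authentication. The first log line is the cheapest proof
// that the script body actually ran, as opposed to only being parsed at load time.
function authenticate(helper, paramsValues, credentials) {
  log("authenticate() entered; target=" + paramsValues.get("TargetUrl"));
  var body = buildLoginBody(paramsValues.get("UsernameField"), paramsValues.get("PasswordField"),
    credentials.getParam("Username"), credentials.getParam("Password"));
  var msg = helper.prepareMessage();              // assumed helper API
  var header = msg.getRequestHeader();
  header.setMethod("POST");
  header.setURI(makeUri(paramsValues.get("TargetUrl")));
  header.setVersion("HTTP/1.1");
  header.setHeader("Content-Type", "application/x-www-form-urlencoded");
  msg.setRequestBody(body);
  header.setContentLength(msg.getRequestBody().length());
  helper.sendAndReceive(msg);                     // assumed helper API
  log("login response status: " + msg.getResponseHeader().getStatusCode());
  return msg;                                     // ZAP inspects this message for the session
}

// Constructed stand-in for ZAP's helper, used only when running outside ZAP.
function makeFakeHelper(statusCode) {
  function FakeHeader() { this.headers = {}; }
  FakeHeader.prototype.setMethod = function (m) { this.method = m; };
  FakeHeader.prototype.setURI = function (u) { this.uri = String(u); };
  FakeHeader.prototype.setVersion = function (v) { this.version = v; };
  FakeHeader.prototype.setHeader = function (k, v) { this.headers[k] = v; };
  FakeHeader.prototype.setContentLength = function (n) { this.headers["Content-Length"] = String(n); };
  return {
    sent: [],
    prepareMessage: function () {
      var req = new FakeHeader(), body = "";
      return {
        getRequestHeader: function () { return req; },
        setRequestBody: function (b) { body = b; },
        getRequestBody: function () {
          return { length: function () { return body.length; }, toString: function () { return body; } };
        },
        getResponseHeader: function () { return { getStatusCode: function () { return statusCode; } }; }
      };
    },
    sendAndReceive: function (msg) { this.sent.push(msg); }
  };
}

// Dry run with constructed context parameters and credentials (not the poster's values).
function dryRun() {
  var table = { TargetUrl: "https://app.example/login", UsernameField: "email", PasswordField: "password" };
  var params = { get: function (k) { return table[k]; } };
  var creds = { getParam: function (k) { return k === "Username" ? "tester@example.org" : "s3cret-example"; } };
  var helper = makeFakeHelper(302);
  var msg = authenticate(helper, params, creds);
  var h = msg.getRequestHeader();
  return { sent: helper.sent.length, method: h.method, uri: h.uri,
           body: msg.getRequestBody().toString(), status: msg.getResponseHeader().getStatusCode() };
}

if (typeof Java === "undefined" && typeof module !== "undefined" && require.main === module) {
  log(JSON.stringify(dryRun()));
}
```

When such a script runs under ZAP, the "authenticate() entered" line appears in zap.log each time a user authenticates; a log that only shows the "Successfully loaded new script" and "Loaded script" lines, as in the post, means ZAP parsed the file and queried the parameter-name functions but never invoked authenticate().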