ZAP automation framework and custom auth script


Christoph Brunner

Jul 1, 2022, 7:50:45 AM
to OWASP ZAP User Group
Hi,

I am having problems with a custom authentication script when using the automation framework. This script is working fine when using the ZAP GUI. However, when using the automation framework, the script itself is apparently loaded but not executed.


At first, when executing the AF, everything seems to look good:
  zap@11b393de008a:/zap$ zap.sh -cmd -autorun /zap/wrk/zap.yml
  [...]
  Job authentication set method = script
  Job authentication set parameters = {UsernameField=email, scriptEngine=Oracle Nashorn, TargetUrl=MYURL, PasswordField=password, script=/zap/wrk/myauth.js}
  [...]
  Job users set name = zap
  Job users set credentials = {password=supersecretpassword, username=us...@example.org}

But the authentication script is never executed.

The log file shows something strange:
$ less ~/.ZAP/zap.log
2022-07-01 11:23:43,568 [main ] INFO ScriptBasedAuthenticationMethodType - Successfully loaded new script for ScriptBasedAuthentication: ScriptBasedAuthenticationMethod [script=org.zaproxy.zap.extension.script.ScriptWrapper@4597e6e3, paramValues={UsernameField=null, TargetUrl=null, PasswordField=null, credentialsParamNames=[Username, Password]]
2022-07-01 11:23:43,574 [main ] INFO ScriptBasedAuthenticationMethodType - Loaded script:myauth.js



The relevant parts of the config file:
env:
  contexts:
    - name: "myContext"
      urls:
      - "MYURL"
[...]
authentication:
  method: "script"
  parameters:
    script: "/zap/wrk/myauth.js"
    scriptEngine: "Oracle Nashorn"
    TargetUrl: "MYURL/login"
    UsernameField: "email"
    PasswordField: "password"
  verification:
    method: "response"
    loggedInRegex: "href=\\\"\\/logout\\/\\\">Log out<\\/a>"
    loggedOutRegex: "<title>Sign up or Sign in<\\/title>"
  sessionManagement:
    method: cookie
  users:
  - name: zap
    credentials:
      username: "us...@example.org"
      password: "supersecretpassword"
jobs:
- type: spider
  user: zap
- type: passiveScan-wait
  name: passiveScan-wait
  parameters:
    maxDuration: 0


I am confused as to why the script was loaded but not executed.
Logging in the script would indicate the script execution.

Simon Bennetts

Jul 1, 2022, 8:32:12 AM
to OWASP ZAP User Group
The authentication script should be run whenever ZAP determines it is needed, and you probably won't see it in the log if you're using the default logging level.
The best way to tell if authentication is running is to create a stats test: https://www.zaproxy.org/docs/desktop/addons/automation-framework/tests/#statistics
Check the "auth" stats when running in the desktop, then add suitable values based on what you are seeing there.

Cheers,

Simon

Christoph Brunner

Jul 4, 2022, 10:26:48 AM
to OWASP ZAP User Group
Hi Simon,

I have now tested this with the GUI: when using the automation framework YAML file, the values for stats.auth.success and stats.auth.failure always remain 0.
Looking at the very first Spider GET request, the response contains the string that matches the loggedOutRegex.
However, there is not a single request in the History tab.

It also seems to me that this problem sounds very much like the one reported by Max Schlosser in March 2022: https://groups.google.com/g/zaproxy-users/c/blg_7qu5gTw/m/Y_iVR2XbEQAJ

Simon Bennetts

Jul 5, 2022, 4:24:29 AM
to OWASP ZAP User Group
Hiya,

The spider requests go to the Spider tab, not the History tab.
If you can reproduce the problem using the AF in the Desktop then this will hopefully make it easier to debug.
It's worth noting that you will need to change your config to make sure you load your script(s) from the right location - that will be different if you are running the ZAP desktop locally vs the command line in docker.

Try to get down to a minimal test case, eg just making one request using the requester job: https://www.zaproxy.org/docs/desktop/addons/automation-framework/job-requestor/
Then check to see that there are no errors in the zap.log file https://www.zaproxy.org/faq/somethings-not-working-what-should-i-do/#check-the-log-file

Cheers,

Simon

Christoph Brunner

Jul 8, 2022, 9:16:03 AM
to OWASP ZAP User Group
So I figured it out. The main problem was that the spider job spec in the YAML file, which was also posted in the first message, was incorrect:
  jobs:
  - type: spider
    user: zap

This should instead be:
  jobs:
  - type: spider
    parameters:
      user: zap


In case other people also run into problems with custom authentication scripts: it proved to be useful to activate debug logging for the custom authentication scripts. This can be done by adding the following lines to the log4j.properties file in ~/.ZAP:
  logger.authscript.name = org.zaproxy.zap.authentication.ScriptBasedAuthenticationMethodType
  logger.authscript.level = debug
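Putting Simon's two suggestions (a stats test on the auth counters, and a minimal plan with a single requestor job) together with the corrected job layout gives a plan that shows within one run whether the script is actually executed. This is an added example, not from the thread or from the ZAP project; MYURL, the /account path, the placeholder credentials and the assumption that the auth counters are recorded per site (so `site` must be the scheme://host[:port] form ZAP uses) are all assumptions:

```yaml
# Assumed: MYURL is the site as ZAP records it (scheme://host[:port]) and
# MYURL/account is a page that only a logged-in user can fetch with 200.
env:
  contexts:
    - name: "myContext"
      urls:
        - "MYURL"
      authentication:
        method: "script"
        parameters:
          script: "/zap/wrk/myauth.js"    # path as seen from inside the container
          scriptEngine: "Oracle Nashorn"
          TargetUrl: "MYURL/login"
          UsernameField: "email"
          PasswordField: "password"
        verification:
          method: "response"
          loggedOutRegex: "<title>Sign up or Sign in<\\/title>"
      sessionManagement:
        method: "cookie"
      users:
        - name: "zap"
          credentials:
            username: "PLACEHOLDER_USERNAME"   # constructed placeholder
            password: "PLACEHOLDER_PASSWORD"   # constructed placeholder
jobs:
  - type: requestor
    parameters:
      user: "zap"           # the user goes under parameters, not at job level
    requests:
      - url: "MYURL/account"
        method: "GET"
        responseCode: 200   # assumed: only a logged-in session gets 200 here
    tests:
      - name: "authentication ran and succeeded at least once"
        type: stats
        statistic: "stats.auth.success"
        site: "MYURL"       # assumed per-site counter, see lead-in
        operator: ">="
        value: 1
        onFail: "error"
      - name: "no failed authentication attempts"
        type: stats
        statistic: "stats.auth.failure"
        site: "MYURL"
        operator: "=="
        value: 0
        onFail: "warn"
```

Run it exactly as in the first message (`zap.sh -cmd -autorun /zap/wrk/zap.yml`); with `user: zap` placed at the job level instead of under `parameters`, the request is sent without a user, the auth counters stay at 0 and the first test fails, which is the symptom described above.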

Simon Bennetts

Jul 12, 2022, 7:00:28 AM
to OWASP ZAP User Group
Thanks for letting us know!
We should provide better yaml validation to make these sorts of mistakes more obvious :/

Cheers,

Simon