JSON-Based Authentication does not work

589 views

yuto danno

Aug 22, 2022, 4:10:46 AM
to OWASP ZAP User Group
Version: OWASP ZAP 2.11.1

I want to use OWASP ZAP to authenticate a user for scanning a web application.

The login method is executing the login API on the web server.

- Procedure to be performed
1. Start a browser with manual Explore.
2. Access the target web application URL in the browser.
3. Enter the user name and password on the login screen.
4. Log in.
5. Include the URL of the web application in the context from the UI of OWASP ZAP.
6. Look for the POST request of the login API in the OWASP ZAP UI, select "Flag as Context", and add it to the context as "URL: JSON-Based Authentication" for the web application.
7. Configure the authentication method. The following are the settings:
- Login Form Target URL*:
URL of the server to which the login API is POSTed
- URL to GET Login Page:
URL of the server to which the login API is POSTed
- Login Request POST Data *:
{"username":"{%username%}", "password":"{%password%}"}
- Username Parameter*:
Username
- Password Parameter*:

8. Add user in session properties.
9. Click "OK" in the session properties to save the settings.
10. Click "Force User Mode disabled" in the OWASP ZAP UI to enable it.
11. Select the added user in the Dynamic Scan Settings and start scanning.


- Execution Result
The POST request for the login API returns 400 Bad Request, and authentication does not pass. Checking the payload, the username and password values are not set.
For example, the payload is empty or contains random values, and the result is not as expected.
Authentication passes in Manual Explore, but in the Dynamic Scan authentication does not work properly.

I am sorry, but could you please help me with a solution?

yuto danno

Aug 22, 2022, 4:34:19 AM
to OWASP ZAP User Group
Added due to omission:

- Password Parameter*:
password
On Monday, August 22, 2022 at 17:10:46 UTC+9 yuto danno wrote:

Simon Bennetts

Aug 22, 2022, 8:01:12 AM
to OWASP ZAP User Group
Forced User mode is just for testing.
It should not be enabled if you specify a user when scanning - those options could potentially conflict with each other.
To learn more about ZAP authentication handling see https://www.zaproxy.org/docs/authentication/
We also have lots of videos on https://www.zaproxy.org/videos-list/ - search for "auth" in the tags.

Cheers,

Simon

yuto danno

Aug 23, 2022, 1:16:23 AM
to OWASP ZAP User Group
Thank you for your response.

I ran it without Forced User mode enabled, but it did not authenticate properly.

The username and password should be configured in the payload of the API POST request, but they are not.

If you look at the body of the POST request that is failing, it contains random values.

I checked the videos and documentation, but could not find anything about the behavior regarding JSON-Based Authentication.

Could you please help me?

On Monday, August 22, 2022 at 21:01:12 UTC+9 psi...@gmail.com wrote:

ar

Aug 23, 2022, 1:32:09 AM
to zaprox...@googlegroups.com
Thank you, Simon.
Best regards

On Mon, 22 Aug 2022 at 15:01, Simon Bennetts <psi...@gmail.com> wrote:

Simon Bennetts

Aug 23, 2022, 3:13:53 AM
to OWASP ZAP User Group
In that case you need to debug it.
It's for form-based auth, but JSON-based auth is essentially the same.

Cheers,

Simon

yuto danno

Aug 23, 2022, 5:19:54 AM
to OWASP ZAP User Group
Thank you for your response.

We have tried the following, but it does not work.
FAQ: https://www.zaproxy.org/faq/how-can-zap-automatically-authenticate-via-forms/


What is debugging?

I want to configure the payload of an API POST request to be username and password, but when I look at the API POST response, I get random values.
What settings do I need to change?

On Tuesday, August 23, 2022 at 16:13:53 UTC+9 psi...@gmail.com wrote:

thc...@gmail.com

Aug 23, 2022, 5:29:17 AM
to zaprox...@googlegroups.com
It seems that's just the active scanner scanning the login URL. If you don't want that, you can exclude it in the session:
https://www.zaproxy.org/docs/desktop/ui/dialogs/session/#exclude-from-scanner

Best regards.

Simon Bennetts

Aug 23, 2022, 6:30:50 AM
to OWASP ZAP User Group
If you can't get that to work, let us know how far you get and what you are seeing.

Cheers,

Simon

yuto danno

Aug 25, 2022, 6:00:59 PM
to zaprox...@googlegroups.com
After running a dynamic scan in the ZAP Desktop UI, I checked the History tab and was able to confirm that I was authenticated, by confirming that a POST request, which is the authentication request, was being made.

Thank you very much.

Now that I was able to authenticate with the ZAP Desktop UI, I would like to run a dynamic scan in Docker.
I have exported the context file and run it with the following command.

# docker run -v $(pwd):/zap/wrk/:rw -t owasp/zap2docker-stable zap-baseline.py -t https://www.example.com -n ./auth_json.context -U "username" -j

With the ZAP Desktop UI I can check the target URLs diagnosed, but is there any way to check the target URLs diagnosed by the dynamic scan in Docker?
I can't see the target URLs that were diagnosed, only the log line "Total of number URLs".
I confirmed that the result of dynamic scan in ZAP Desktop UI and the result of dynamic scan in Docker are the same.

Is it possible to increase the number of diagnostic items in Docker's baseline scan?
The full scan of Docker has many diagnostic items, but it is an active scan and we are aware that it is dangerous.


On Tue, Aug 23, 2022 at 19:30 Simon Bennetts <psi...@gmail.com> wrote:

Simon Bennetts

Aug 26, 2022, 3:32:39 AM
to OWASP ZAP User Group
I'd recommend another approach.
With authentication working in the ZAP Desktop UI create an Automation Plan using that context.
Add Job Tests https://www.zaproxy.org/docs/desktop/addons/automation-framework/tests/ to check any stats you think are important.
Test the plan in the desktop to check it works the way you expect.
Then export the plan - you can run that in Docker.
You will need to change things like script paths if you use them.

Let us know how you get on with that.

Cheers,

Simon

yuto danno

Aug 26, 2022, 6:21:51 AM
to zaprox...@googlegroups.com
Thank you!

To run the Automation Plan, create a YAML file and run the following command.

# ./zap.sh -cmd -autorun zap.yaml

Then I will check whether it can be run in Docker:
# docker run -v $(pwd):/zap/wrk/:rw -t owasp/zap2docker-stable bash -c "zap.sh -cmd -addonupdate; zap.sh -cmd -autorun /zap/wrk/zap.yaml"

On Fri, Aug 26, 2022 at 16:32 Simon Bennetts <psi...@gmail.com> wrote:

Simon Bennetts

Aug 26, 2022, 6:28:57 AM
to OWASP ZAP User Group
Create the AF plan in ZAP via the Automation tab: https://www.zaproxy.org/docs/desktop/addons/automation-framework/gui/
Use the context you have configured and test the plan in the GUI.
Add Job Tests to check everything keeps working the way you expect and retest in the GUI.
Then save the plan - that generates the YAML file for you.
You should be able to then run that plan in docker with the command you specified, and the Job Tests will sanity check that it keeps working as expected.

Cheers,

Simon
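As an added example (not posted in the thread and not a file shipped by the ZAP project), this is roughly what the Automation Framework plan Simon describes looks like once a context like the one in the first post is saved from the Automation tab: the JSON-based authentication with the same {%username%}/{%password%} request body, the login endpoint kept away from the spider and active scanner as suggested earlier in the thread, one user, and Job Tests on the statistics ZAP records. The hostname www.example.com, the /api/login path, the two verification regexes, the spider threshold and the SCAN_PASSWORD variable are assumptions made for illustration; replace them with the values from your own context, and compare the result with the YAML the GUI generates for your ZAP version, since the schema has grown since 2.11.

```yaml
# zap.yaml - Automation Framework plan (added example, not from the thread).
# Assumed values are marked "assumption" and must be replaced for a real target.
env:
  contexts:
    - name: "example-app"
      urls:
        - "https://www.example.com"          # assumption: the target from the docker command
      includePaths:
        - "https://www.example.com/.*"
      excludePaths:
        # Keeps the spider and active scanner off the login endpoint, the AF
        # equivalent of the desktop "Exclude from Scanner" advice above.
        # Assumption: ZAP's own login request is sent by the authentication
        # method itself and is not affected by this exclusion.
        - "https://www.example.com/api/login"
      authentication:
        method: "json"                       # "JSON-based Authentication" in the desktop UI
        parameters:
          loginPageUrl: "https://www.example.com/api/login"     # "URL to GET Login Page"
          loginRequestUrl: "https://www.example.com/api/login"  # "Login Form Target URL"
          # "Login Request POST Data": ZAP fills the placeholders from the
          # selected user's credentials before sending. Assumption: the API
          # expects the field names "username" and "password".
          loginRequestBody: '{"username":"{%username%}","password":"{%password%}"}'
        verification:
          method: "response"
          # Assumed response fragments. Without working verification ZAP cannot
          # tell a successful login from a 400, and stats.auth.success stays at 0.
          loggedInRegex: "\\Q\"authenticated\":true\\E"
          loggedOutRegex: "\\Q\"error\":\"unauthorized\"\\E"
      sessionManagement:
        method: "cookie"
      users:
        - name: "scan-user"
          credentials:
            username: "scanuser"             # assumption
            password: "${SCAN_PASSWORD}"     # read from the environment at run time
  parameters:
    failOnError: true
    failOnWarning: false
    progressToStdout: true

jobs:
  - type: spider
    parameters:
      context: "example-app"
      user: "scan-user"
      maxDuration: 5
    tests:
      - name: "spider reached the authenticated part of the site"
        type: stats
        statistic: "automation.spider.urls.added"
        operator: ">="
        value: 20                            # assumption: tune to your application
        onFail: "error"
  - type: activeScan
    parameters:
      context: "example-app"
      user: "scan-user"
      policy: "Default Policy"
    tests:
      # Fails the run if ZAP never recorded a successful login for the site,
      # which is the symptom reported at the top of the thread.
      - name: "ZAP logged in at least once"
        type: stats
        statistic: "stats.auth.success"
        site: "https://www.example.com"     # assumption: site key as ZAP records it
        operator: ">="
        value: 1
        onFail: "error"
  - type: report
    parameters:
      template: "traditional-html"
      reportDir: "/zap/wrk"
      reportFile: "zap-report"
```

With the plan saved next to the context file, the docker command from the thread runs it unchanged apart from passing the password in, e.g. docker run -v $(pwd):/zap/wrk/:rw -e SCAN_PASSWORD -t owasp/zap2docker-stable bash -c "zap.sh -cmd -addonupdate; zap.sh -cmd -autorun /zap/wrk/zap.yaml". Each Job Test prints its pass or fail state to stdout, and with failOnError set a failing test gives the container a non-zero exit code, which is the sanity check Simon recommends for keeping the authentication honest over time.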