Set authentication cookie via script


Erhan

Aug 29, 2021, 5:25:19 PM
to OWASP ZAP User Group
Hello,

I am trying to scan one of our web apps with ZAP; most of the functionality is behind login so we need to authenticate first.

The app uses an external authentication so I've created both an authentication script and a session management script, and assigned them to the context.

The authentication script performs the login and returns the authenticated message, which is then picked up by the session management script to extract the auth token and store it in a variable.
Next, in the processMessageToMatchSession function, the auth token is added to HTTP messages as a cookie (e.g. auth.token=value), and so far the authentication works as expected.

However, when there are multiple requests in a short timeframe, for example when I start the spider, the app starts to reset the cookie value (e.g. Set-Cookie: auth.token=false in the responses).
This causes the subsequent requests to contain an incorrect cookie value even though the correct value is set in the session management script.

Here's how the cookie value is set:

// HtmlParameter and the cookie parameter type come from ZAP's Java API
var HtmlParameter = Java.type("org.parosproxy.paros.network.HtmlParameter");
var COOKIE_TYPE = HtmlParameter.Type.cookie;

// minimal stand-in for the logging helper the script defines elsewhere (assumed)
function logger(txt) {
    print(txt);
}

function processMessageToMatchSession(sessionWrapper) {
    // token extracted from the authenticated response and stored on the session
    var token = sessionWrapper.getSession().getValue("auth._token.auth0");
    if (token == null || token == "") {
        logger("Token not found");
        return;
    }

    var msg = sessionWrapper.getHttpMessage();
    var requestUri = msg.getRequestHeader().getURI().toString();
    var requestMethod = msg.getRequestHeader().getMethod().toString();

    var isAppUrl = requestUri.startsWith("https://appurl");
    if (isAppUrl) {
        // add the token as a cookie
        logger("Adding auth cookie to request." + requestMethod + "->" + requestUri);
        var cookies = msg.getRequestHeader().getCookieParams();
        // drop any existing auth.token cookie (e.g. the reset value from a response) ...
        var iterator = cookies.iterator();
        while (iterator.hasNext()) {
            var cookie = iterator.next();
            if (cookie.getName().equals("auth.token")) {
                iterator.remove();
            }
        }
        // ... then add the one stored on the session
        cookies.add(new HtmlParameter(COOKIE_TYPE, "auth.token", token));
        msg.getRequestHeader().setCookieParams(cookies);
    }
}

After this point, for new requests (also manually via the Request Editor), I can see that the processMessageToMatchSession function is called and sets the cookie correctly from the variable, but the cookie in the outgoing request's header still contains the reset value (auth.token=false).

I've tried:
- Running the spider with "Accept Cookies" disabled
- Adding the cookie name "auth.token" to the "rules.cookie.ignorelist" entry under Options -> Rule Configuration
- Moving the cookie-adding logic from the session management script to an HTTP Sender script

but ZAP keeps adding the incorrect cookie value to the requests, not the one that's set in the script.

I have limited control over this behaviour of the app that resets the cookie value, so I need to make sure the correct cookie values are used.

Am I missing something? Why can't the script override the cookie value for new requests once it's reset by one of the responses?

I appreciate any help.

Best regards,
Erhan

thc...@gmail.com

Aug 30, 2021, 5:15:06 AM
to zaprox...@googlegroups.com
Hi.

The Script-based Session Management method has its own cookie jar, so it manages/maintains cookies set by the server.

You can remove existing cookies by calling, e.g.:
sessionWrapper.getSession().getHttpState().clearCookies()


Although, if you are just using cookies to maintain the session, you could just use the Cookie-based Session Management method (if in your auth script you return the message setting the required cookies).

Best regards.
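A fuller version of the fix suggested above, as an added example that is not code from the thread or from ZAP: the rewriteCookieHeader helper is plain JavaScript and runs on its own, while the ZAP hooks assume the thread's cookie name auth.token, the session key auth._token.auth0 and the placeholder origin https://appurl, and are only exercised inside ZAP's script engine. The clearCookies() caveat is that Apache HttpClient's HttpState empties the whole jar, not just the auth cookie.

```javascript
var APP_URL = "https://appurl";        // placeholder from the thread; set to the real origin
var COOKIE_NAME = "auth.token";        // cookie the app resets to "false"
var SESSION_KEY = "auth._token.auth0"; // key the session script stores the token under

// Pure helper (runs anywhere): rebuild a Cookie header with the auth cookie set to `token`.
// Other cookies are kept; any existing auth.token (e.g. the server's "false" reset) is dropped.
function rewriteCookieHeader(cookieHeader, token) {
  var kept = [];
  if (cookieHeader) {
    cookieHeader.split(";").forEach(function (part) {
      var pair = part.trim();
      if (pair === "") return;
      var eq = pair.indexOf("=");
      var name = (eq < 0 ? pair : pair.substring(0, eq)).trim();
      if (name !== COOKIE_NAME) kept.push(pair);
    });
  }
  kept.push(COOKIE_NAME + "=" + token);
  return kept.join("; ");
}

// --- ZAP session management hooks: only exercised inside ZAP's script engine ---
function extractWebSession(sessionWrapper) {
  // The authentication script returns the logged-in response; remember the token it set.
  var cookies = sessionWrapper.getHttpMessage().getResponseHeader().getHttpCookies();
  for (var i = 0; i < cookies.size(); i++) {
    if (String(cookies.get(i).getName()) === COOKIE_NAME) {
      sessionWrapper.getSession().setValue(SESSION_KEY, String(cookies.get(i).getValue()));
    }
  }
}
function clearWebSessionIdentifiers(sessionWrapper) {
  sessionWrapper.getSession().setValue(SESSION_KEY, null);
  sessionWrapper.getSession().getHttpState().clearCookies();
}
function processMessageToMatchSession(sessionWrapper) {
  var session = sessionWrapper.getSession();
  var token = session.getValue(SESSION_KEY);
  if (token == null || String(token) === "") return;
  var header = sessionWrapper.getHttpMessage().getRequestHeader();
  if (!String(header.getURI().toString()).startsWith(APP_URL)) return;
  // The script-based method keeps its own cookie jar (HttpState) and applies it when the request
  // is sent, so a server reset (Set-Cookie: auth.token=false) wins over an edited header.
  // Empty the jar first; note this drops every cookie in it, not just auth.token.
  session.getHttpState().clearCookies();
  var current = header.getHeader("Cookie");
  header.setHeader("Cookie", rewriteCookieHeader(current == null ? null : String(current), String(token)));
}
function getRequiredParamsNames() { return []; }
function getOptionalParamsNames() { return []; }
```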

Erhan

Aug 30, 2021, 6:19:50 PM
to OWASP ZAP User Group
That seems what I needed, thank you!

And regarding the use of the session management script: I have a few more steps in the actual script (e.g. adding an Authorization header for API requests instead of a cookie). Thanks for the tip!

Best regards,
Erhan
