Authentication Tester Failing with Site


Alex Cantu

Oct 3, 2024, 6:08:56 PM
to ZAP User Group
Hi folks 👋

I've dabbled with ZAProxy for a while now, but I can't get Authentication to work for the life of me.

The basis of my setup comes from this video:
https://play.sonatype.com/watch/iErtsKxpwKn4m8iRoovtH9?

I've set up the context with Form-based Authentication, using the POST data "email={%username%}&password={%password%}", and I've set up a User with the respective username and password.

However, when running the Authentication Tester, I've noticed that the POST requests to the /login endpoint fail with a "419 Unknown".
[screenshot attached: 2024-10-03_16-43-03.png]

The interesting bit is that I see the "email" and "password" parameters being used in the POST request, but it's missing another parameter that I've noticed when testing this manually, and that's the "_token" parameter. I suspect this has something to do with the 419 error code that I'm seeing.

The _token parameter is used as the anti-CSRF token. How do I ensure this parameter is included in these POST requests by the Authentication Tester?

Thanks for your help!

Simon Bennetts

Oct 4, 2024, 11:11:33 AM
to ZAP User Group
I'd take a step back and follow this guide instead: https://www.zaproxy.org/docs/authentication/
If that doesn't work then let us know where you got to.

Cheers,

Simon

Alex Cantu

Oct 4, 2024, 11:41:05 AM
to ZAP User Group
Hi Simon,

Thanks for your reply! I started a fresh ZAP session and have gone through those steps. Here are the results:

1. Opened up ZAP Desktop on my Mac with a fresh session (no context, no user, no nothing, it's a clean slate)
2. Ran Authentication Tester
3. Observed the following results:
[screenshot attached: 2024-10-04_10-16-47.png]

4. Followed the  
5. That section says to contact the ZAP team. The contents of the diagnostics tab are below, with session tokens obfuscated:
```
>>>>>
POST https://example0/ListAccounts
content-type: application/x-www-form-urlencoded
<<<
HTTP/1.1 200 OK
content-type: application/json; charset=utf-8

["token0",[]]
>>>>>
GET https://example1/login
<<<
HTTP/1.1 200 OK
content-type: text/html; charset=UTF-8
set-cookie: XSRF-TOKEN=<replaced-by-me>
set-cookie: mysite_session=<replaced-by-me>
>>>>>
GET https://example3/KFOmCnqEu92Fr1Mu4mxKKTU1Kg.woff2
<<<
HTTP/1.1 200 OK
content-type: font/woff2
>>>>>
GET https://example3/KFOlCnqEu92Fr1MmWUlfBBc4AMP6lQ.woff2
<<<
HTTP/1.1 200 OK
content-type: font/woff2
>>>>>
GET https://example4/ChRDaHJvbWUvMTI5LjAuNjY2OC45MBIgCfOm3gOcNkZZEgUNg6hbPRIFDc5BTHoh2lfFh2T46aY=
<<<
HTTP/1.1 200 OK
content-type: text/plain
>>>>>
GET https://example1/background.mp4
cookie: XSRF-TOKEN="token3"
cookie: mysite_session="token4"
<<<
HTTP/1.1 206 Partial Content
content-type: video/mp4
>>>>>
GET https://example1/background.mp4
<<<
HTTP/1.1 206 Partial Content
content-type: video/mp4
>>>>>
POST https://example5/v1:GetModels
content-type: application/x-protobuf
<<<
HTTP/1.1 200 OK
content-type: application/x-protobuf
>>>>>
GET https://example1/background.mp4
<<<
HTTP/1.1 206 Partial Content
content-type: video/mp4
```

It looks as if the Authentication Tester is not recognizing the authentication form, as if it can't find the username and password fields. Could this be because we are not using a "username" field, but rather calling it "email"? I don't think this is the problem, but I guess it all depends on how the Authentication Tester is parsing through the page, right? 

Simon Bennetts

Oct 7, 2024, 10:38:43 AM
to ZAP User Group
Can you share the HTML fragments (from the browser) for the username and password fields (or equivalents)?

Cheers,

Simon

Alex Cantu

Oct 7, 2024, 5:09:32 PM
to ZAP User Group
Here is the form tag on our /login page.
```
    <form method="POST" action="https://<my-site>/login">
        <input type="hidden" name="_token" value="hh2oTla0PlqtJtrCiejRu5qj4TdfcGS3VLAXn8Gr" autocomplete="off">
        <sl-input autocomplete="off" x-data="" x-id="[&#39;ui-input&#39;]" :id="$id(&#39;ui-input&#39;)" size="medium" name="email" class="block mt-1 w-full" label="Email" type="email" required="" autofocus="autofocus" :class="{ &#39;-error&#39;: $wireErrors[&#39;email&#39;] }" :help-text="$wireErrors[&#39;email&#39;] || &quot;&quot;" @sl-input="$wireErrors.reset(&#39;email&#39;)" form="" data-required="" data-invalid=""><template shadowrootmode="open"><!---->
      <div part="form-control" class=" form-control form-control--medium form-control--has-label ">
        <label part="form-control-label" class="form-control__label" for="input" aria-hidden="false">
          <slot name="label"><!--?lit$614975758$-->Email</slot>
        </label>

        <div part="form-control-input" class="form-control-input">
          <div part="base" class="input input--medium input--standard input--empty">
            <span part="prefix" class="input__prefix">
              <slot name="prefix"></slot>
            </span>

            <input part="input" id="input" class="input__control" aria-describedby="help-text" type="email" title="" name="email" required="" placeholder="" autocomplete="off" autofocus="" spellcheck="true">

            <!--?lit$614975758$-->
            <!--?lit$614975758$-->

            <span part="suffix" class="input__suffix">
              <slot name="suffix"></slot>
            </span>
          </div>
        </div>

        <div part="form-control-help-text" id="help-text" class="form-control__help-text" aria-hidden="true">
          <slot name="help-text"><!--?lit$614975758$--></slot>
        </div>
      </div>
    </template>

        </sl-input>
        <sl-input autocomplete="off" x-data="" x-id="[&#39;ui-input&#39;]" :id="$id(&#39;ui-input&#39;)" size="medium" name="password" class="block mt-1 w-full" label="Password" type="password" required="" password-toggle="password-toggle" :class="{ &#39;-error&#39;: $wireErrors[&#39;password&#39;] }" :help-text="$wireErrors[&#39;password&#39;] || &quot;&quot;" @sl-input="$wireErrors.reset(&#39;password&#39;)" form="" data-required="" data-invalid=""><template shadowrootmode="open"><!---->
      <div part="form-control" class=" form-control form-control--medium form-control--has-label ">
        <label part="form-control-label" class="form-control__label" for="input" aria-hidden="false">
          <slot name="label"><!--?lit$614975758$-->Password</slot>
        </label>

        <div part="form-control-input" class="form-control-input">
          <div part="base" class=" input input--medium input--standard input--empty ">
            <span part="prefix" class="input__prefix">
              <slot name="prefix"></slot>
            </span>

            <input part="input" id="input" class="input__control" aria-describedby="help-text" type="password" title="" name="password" required="" placeholder="" autocomplete="off" spellcheck="true">

            <!--?lit$614975758$-->
            <!--?lit$614975758$-->
                  <button part="password-toggle-button" class="input__password-toggle" type="button" tabindex="-1" aria-label="Show password">
                    <!--?lit$614975758$-->
                          <slot name="hide-password-icon">
                            <sl-icon name="eye" library="system" aria-hidden="true"><template shadowrootmode="open"><!----><svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" fill="currentColor" class="bi bi-eye" viewBox="0 0 16 16" part="svg">
      <path d="M16 8s-3-5.5-8-5.5S0 8 0 8s3 5.5 8 5.5S16 8 16 8zM1.173 8a13.133 13.133 0 0 1 1.66-2.043C4.12 4.668 5.88 3.5 8 3.5c2.12 0 3.879 1.168 5.168 2.457A13.133 13.133 0 0 1 14.828 8c-.058.087-.122.183-.195.288-.335.48-.83 1.12-1.465 1.755C11.879 11.332 10.119 12.5 8 12.5c-2.12 0-3.879-1.168-5.168-2.457A13.134 13.134 0 0 1 1.172 8z"></path>
      <path d="M8 5.5a2.5 2.5 0 1 0 0 5 2.5 2.5 0 0 0 0-5zM4.5 8a3.5 3.5 0 1 1 7 0 3.5 3.5 0 0 1-7 0z"></path>
    </svg></template></sl-icon>
                          </slot>

                  </button>


            <span part="suffix" class="input__suffix">
              <slot name="suffix"></slot>
            </span>
          </div>
        </div>

        <div part="form-control-help-text" id="help-text" class="form-control__help-text" aria-hidden="true">
          <slot name="help-text"><!--?lit$614975758$--></slot>
        </div>
      </div>
    </template>

        </sl-input>

        <div class="block mt-2">
            <sl-checkbox id="remember_me" name="remember" size="medium" form="" data-optional="" data-valid=""><template shadowrootmode="open"><!---->
      <div class=" form-control form-control--medium ">
        <label part="base" class=" checkbox checkbox--medium ">
          <input class="checkbox__input" type="checkbox" aria-describedby="help-text" title="" name="remember" aria-checked="false">

          <span class="checkbox__control" part="control">
            <!--?lit$614975758$-->
            <!--?lit$614975758$-->
          </span>

          <div part="label" class="checkbox__label">
            <slot></slot>
          </div>
        </label>

        <div class="form-control__help-text" id="help-text" part="form-control-help-text" aria-hidden="true">
          <slot name="help-text"><!--?lit$614975758$--></slot>
        </div>
      </div>
    </template>Remember me</sl-checkbox>
        </div>

        <div class="mt-2 flex items-center justify-between">
            <sl-button class="-link part-[label]:px-0" href="https://<my-site>/sso-login" wire:navigate="" size="medium" variant="default" !disabled="" data-optional="" data-valid=""><template shadowrootmode="open"><!---->
      <a part="base" class=" button button--default button--medium button--standard button--has-label " title="" href="https://<my-site>/sso-login" rel="noreferrer noopener" aria-disabled="false" tabindex="0">
        <slot name="prefix" part="prefix" class="button__prefix"></slot>
        <slot part="label" class="button__label"></slot>
        <slot name="suffix" part="suffix" class="button__suffix"></slot>
        <!--?lit$614975758$-->
        <!--?lit$614975758$-->
      </a>
    </template>
        Log In With SSO
</sl-button>
            <div class="flex items-center justify-end">
                                    <a class="f-small rounded-md text-gray-600 underline hover:text-gray-900 focus:outline-none focus:ring-2 focus:ring-indigo-500 focus:ring-offset-2" href="https://<my-site>/forgot-password">
                        Forgot your password?
                    </a>

                <sl-button class="-primary ms-3" type="submit" size="medium" variant="primary" !disabled="" data-optional="" data-valid=""><template shadowrootmode="open"><!---->
      <button part="base" class=" button button--primary button--medium button--standard button--has-label " type="submit" title="" name="" value="" role="button" aria-disabled="false" tabindex="0">
        <slot name="prefix" part="prefix" class="button__prefix"></slot>
        <slot part="label" class="button__label"></slot>
        <slot name="suffix" part="suffix" class="button__suffix"></slot>
        <!--?lit$614975758$-->
        <!--?lit$614975758$-->
      </button>
    </template>
        Log in
</sl-button>
            </div>
        </div>
    </form>
```
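
An added example, not code from this thread or from ZAP, showing the mechanism behind the 419 in the first post: the hidden `_token` field that the GET /login page carries (see the form above) must be read out of that response and sent in the POST alongside the fields from the template `email={%username%}&password={%password%}`. It assumes only the Python 3 standard library and a constructed, abridged copy of Alex's form with a placeholder token value.

```python
# Added example (not ZAP's or the thread's code): expand ZAP's form-based-auth POST
# template and merge in the hidden inputs from the login page, so that a Laravel-style
# anti-CSRF "_token" is not silently dropped (the usual cause of a 419 on login).
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlencode

# Constructed, abridged copy of the quoted /login form; the token value is a placeholder.
LOGIN_PAGE = """
<form method="POST" action="https://my-site.example/login">
  <input type="hidden" name="_token" value="PLACEHOLDER_CSRF_TOKEN" autocomplete="off">
  <sl-input name="email" type="email" required=""></sl-input>
  <sl-input name="password" type="password" required=""></sl-input>
  <sl-checkbox name="remember"></sl-checkbox>
</form>
"""

class HiddenFieldParser(HTMLParser):
    """Collects name/value pairs of every <input type="hidden"> in the page."""
    def __init__(self):
        super().__init__()
        self.hidden = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "hidden" and a.get("name"):
            self.hidden[a["name"]] = a.get("value") or ""

def hidden_fields(page_html):
    parser = HiddenFieldParser()
    parser.feed(page_html)
    return parser.hidden

def build_login_body(template, username, password, page_html):
    """Substitute {%username%}/{%password%} per field (so '&' or '=' in a password
    cannot split the body), then add hidden fields the template does not already set."""
    fields = {}
    for name, value in parse_qsl(template, keep_blank_values=True):
        fields[name] = value.replace("{%username%}", username).replace("{%password%}", password)
    for name, value in hidden_fields(page_html).items():
        fields.setdefault(name, value)  # template values win; page supplies the rest
    return fields

def encode_body(fields):
    """Form-encode the merged fields for an application/x-www-form-urlencoded POST."""
    return urlencode(fields)
```

Comparing `build_login_body(...)` with the bare template shows exactly the field the tester's request lacked; a real login would fetch the page fresh each time, since the token and the `XSRF-TOKEN`/session cookies are issued together.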

Simon Bennetts

Oct 24, 2024, 11:28:20 AM
to ZAP User Group
Sorry for the delayed response.

So I'm a bit confused as to why it's not working in your case.
Can you turn on debug logging?

A standalone publicly available example would be great, but I can understand why that could be tricky.

Cheers,

Simon