Errors Using ZAP Jenkins Plugin with Script Auth.


davi...@semanticbits.com

Jun 12, 2018, 8:19:15 PM
to OWASP ZAP User Group
I have searched and searched and troubleshot like crazy and have not been able to solve this issue.

ZAP 2.7.0 and Jenkins Plugin 1.1.0

I am attempting to use script-based authentication. I used ZAP on my machine to record and generate a .zst file that works perfectly in the GUI. I then copied it over to my jenkins box, put it in /home/.ZAP/scripts/scripts/authentication/auth.zst, and it showed right up in the drop-down during the build configuration. Given that the username and password parameters were set in the script, there was no need to specify any variables in the script itself.

However, when I go to run the build, I was receiving a 'script not found' type error, which was fixed by adding a 'Run Configuration' item that added "-script /home/.ZAP/scripts/scripts/authentication/auth.zst" to the launch command. That fixed the script not being found error.

Now I am getting this error: Unable to load Script Based Authentication method. The script auth.zst does not properly implement the Authentication Script interface.

I have tried changing out parameters for variables and passing them as script parameters, I've re-recorded a new script file in the ZAP GUI, I've stripped out all unnecessary data in the .zst file, but to no avail. Any idea how an authentication script generated by the ZAP GUI is not properly implementing the Authentication Script Interface?

Thanks,
David

thc...@gmail.com

Jun 13, 2018, 4:39:35 AM
to zaprox...@googlegroups.com
Hi.

The -script command line argument [1] is expected to be used with stand-alone
scripts, not authentication; you need to add the script as
authentication to be properly executed. [2]

If you already have the ZAP configurations (config.xml) from another home
directory (e.g. when set up with the GUI) you can copy them to the home used
by Jenkins (the actual one should be in the log/output of the job).


[1] https://github.com/zaproxy/zap-core-help/wiki/HelpCmdline
[2] https://github.com/zaproxy/zaproxy/wiki/FAQscriptCmdLine

Best regards.

davi...@semanticbits.com

Jun 13, 2018, 8:59:26 AM
to OWASP ZAP User Group
So the script was recorded in ZAP GUI on another system and then transferred over using scp, at which point I used chown and chmod to give jenkins:jenkins the right permissions. When I cat the script, it is indicated as 'Stand Alone', but it falls within the authentication bucket when viewed in the ZAP GUI. Is that the correct behavior?

If -script is expected to be used with stand-alone scripts (which doesn't include authentication scripts that were created in the GUI), then how do I get the plugin to recognize the authentication script? If I just select the zst file in the dropdown under script-authentication in Jenkins, I get errors saying the script isn't found. Why can't it find the script even though it shows up in the dropdown and is in the correct /home/.ZAP/scripts/scripts/authentication directory?

thc...@gmail.com

Jun 13, 2018, 9:36:27 AM
to zaprox...@googlegroups.com
Yes, that's an "internal" type of Zest (which indicates that the script
can be run as is), it's not directly related to ZAP script types.


You need to add it as an authentication script (as indicated in the FAQ
or by copying/using the original config.xml file, which is where ZAP
saves the type of each script).

Worth noting that it's not enough to just copy the script to the
directory; it also needs to be added to the configuration (as mentioned
earlier). The Jenkins plugin just checks the directory. It also depends on
how Jenkins is being run (e.g. master/slave: when configuring the job the ZAP
plugin will check one directory but then ZAP might use a different one).

Best regards.

davi...@semanticbits.com

Jun 13, 2018, 9:53:23 AM
to OWASP ZAP User Group
So the ZAP install dir is /usr/share/owasp-zap, which is correctly set up as an environment variable in Jenkins.

The ZAP Home dir is /home/.ZAP

So here is what the scripts portion of config.xml in /home/.ZAP/config.xml looks like:

<script>
<scripts>
<name>"authtest.zst"</name>
<engine>"Mozilla Zest"</engine>
<enabled>false</enabled>
<file>"/home/.ZAP/scripts/scripts/authentication/authtest.zst"</file>
<type>"authentication"</type>
</scripts>
</script>

From Jenkins, everything initializes okay, but I get 'Unable to find script while loading Script Based Authentication Method for name: authtest.zst'.

Here is the contents of authtest.zst:

{
  "about": "This is a Zest script. For more details about Zest visit https://developer.mozilla.org/en-US/docs/Zest",
  "zestVersion": "0.8",
  "title": "authtest.zst",
  "description": "",
  "prefix": "",
  "type": "authentication",
  "parameters": {
    "tokenStart": "{{",
    "tokenEnd": "}}",
    "tokens": {
  "LoginURL": "",
  "Username": "",
  "Password": ""
},
    "elementType": "ZestVariables"
  },
  "statements": [
    {
      "url": {{LoginURL}}",
      "data": "{\"password\":{{Password}},\"username\":{{Username}}}",
      "method": "POST",
      "headers": "Content-Type: application/json;charset\u003dutf-8\r\nwithCredentials: true\r\nContent-Length: 45\r\nDNT: 1\r\n",
      "assertions": [],
      "followRedirects": false,
      "cookies": [],
      "index": 1,
      "enabled": true,
      "elementType": "ZestRequest"
    }
  ],
  "authentication": [],
  "index": 0,
  "enabled": true,
  "elementType": "ZestScript"
}

ZAPROXY_HOME = /usr/share/owasp-zap/

Installation Method: System Installed ZAP Installation Directory which is set to ZAPROXY_HOME

ZAP Home Directory (which I assume is ZAP Settings) is set to /home/.ZAP

I checked the authentication box, selected Script-based Authentication, and authtest.zst shows right up in the dropdown, so I selected it and passed in the variables for the script.

thc...@gmail.com

Jun 13, 2018, 10:08:10 AM
to zaprox...@googlegroups.com
Are the values really quoted in the config.xml file? They shouldn't be (and
ZAP should be logging an error/warning mentioning that, e.g. that it failed to
find the script or the type).

Otherwise the setup looks correct.

Best regards.

davi...@semanticbits.com

Jun 13, 2018, 10:25:23 AM
to OWASP ZAP User Group
Ok, removing the quotes allowed the plugin to find the script.

But now I am getting the following error:

"Unable to load Script Based Authentication method. The script authtest.zst does not properly implement the Authentication Script interface."

thc...@gmail.com

Jun 13, 2018, 11:05:14 AM
to zaprox...@googlegroups.com
It seems it's missing a double quote before {{LoginURL}} in the script?

Best regards.

davi...@semanticbits.com

Jun 13, 2018, 11:58:30 AM
to OWASP ZAP User Group
So I put the double quote back in and then put escaped double quotes around the {{Username}} and {{Password}} parameters too, and I am still getting the error.

So here is what I have now:

{
  "about": "This is a Zest script. For more details about Zest visit https://developer.mozilla.org/en-US/docs/Zest",
  "zestVersion": "0.8",
  "title": "authtest.zst",
  "description": "",
  "prefix": "",
  "type": "Authentication",


I started poking around the authentication template and it uses "type": "StandAlone" - should I be using that type? I also noticed that my zest script has two "enabled": true statements in it. Are those necessary?

davi...@semanticbits.com

Jun 13, 2018, 12:12:24 PM
to OWASP ZAP User Group
So I took out the parameters in authtest.zst and hardcoded in the values and it works.

davi...@semanticbits.com

Jun 13, 2018, 2:52:48 PM
to OWASP ZAP User Group
So the script is now found and gets loaded OK, but I am now getting an error saying that authentication failed for the user. If I take the same data from the Zest script and put it in a curl command, I get a JWT back in my response. This has me wondering: does ZAP or the Jenkins plugin work properly with JWTs? Do the application and plugin contain the necessary logic to receive a JWT and send it in an Authorization header in each subsequent request? Am I better off scripting this in Python with the ZAP API at this point?

thc...@gmail.com

Jun 13, 2018, 4:41:25 PM
to zaprox...@googlegroups.com
ZAP is able to resend the Authorization header for NTLM, Basic, and
Digest; others (like Bearer) are not yet supported. You would have to
inject the header "manually" (e.g. using an HTTP Sender script [1]). The
authentication script refreshes the token and the HTTP Sender injects it.

You could use global variables [2] to share the values between the
scripts, but those are not supported by Zest (yet), so the
authentication script would have to be in another language (JavaScript,
Jython...).

[1] https://groups.google.com/d/topic/zaproxy-users/wUI7rgilvZw/discussion
[2]
https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsScriptsScripts#global-variables

Best regards.
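The two-script arrangement described above (a JavaScript authentication script that stores the JWT in a global variable, and an HTTP Sender script that injects it as a Bearer header), as an added example that is not code from the thread or from the ZAP project. It assumes the login endpoint returns JSON with a top-level "token" field and that the shared variable is named "jwt"; the org.zaproxy/org.parosproxy class names are ZAP's own, and the in-memory ScriptVars stand-in is a constructed fallback so the sender logic can run outside ZAP.

```javascript
// Added example, not from the thread: the two-script JWT flow the reply describes.
// In ZAP the `authenticate` half is saved as an Authentication script and the
// `sendingRequest` half as an HTTP Sender script; they share the token through
// ScriptVars global variables. Outside ZAP (e.g. Node) there is no `Java` object,
// so a constructed in-memory stand-in for ScriptVars is used instead.
var ScriptVars = (typeof Java !== 'undefined')
  ? Java.type('org.zaproxy.zap.extension.script.ScriptVars')
  : (function (store) {
      return { setGlobalVar: function (k, v) { store[k] = v; },
               getGlobalVar: function (k) { return k in store ? store[k] : null; } };
    })({});
var TOKEN_VAR = 'jwt'; // assumed name of the shared global variable

// Extract the JWT from the login response; null when absent or malformed, so a
// failed login never leaves a bogus token behind.
function extractToken(body) {
  try {
    var json = JSON.parse(body);
    return (typeof json.token === 'string' && json.token.length > 0) ? json.token : null;
  } catch (e) { return null; }
}

// ---- Authentication script (JavaScript, since Zest cannot use global vars) ----
function authenticate(helper, paramsValues, credentials) {
  var HttpRequestHeader = Java.type('org.parosproxy.paros.network.HttpRequestHeader');
  var HttpHeader = Java.type('org.parosproxy.paros.network.HttpHeader');
  var URI = Java.type('org.apache.commons.httpclient.URI');
  var msg = helper.prepareMessage();
  msg.setRequestHeader(new HttpRequestHeader(HttpRequestHeader.POST,
      new URI(paramsValues.get('LoginURL'), false), HttpHeader.HTTP11));
  msg.getRequestHeader().setHeader(HttpHeader.CONTENT_TYPE, 'application/json');
  // JSON.stringify quotes the values; the hand-edited Zest body in the thread did not.
  msg.setRequestBody(JSON.stringify({ username: credentials.getParam('Username'),
                                      password: credentials.getParam('Password') }));
  msg.getRequestHeader().setContentLength(msg.getRequestBody().length());
  helper.sendAndReceive(msg);
  ScriptVars.setGlobalVar(TOKEN_VAR, extractToken(msg.getResponseBody().toString()));
  return msg; // ZAP inspects this message to decide whether the login succeeded
}
function getRequiredParamsNames() { return ['LoginURL']; }
function getOptionalParamsNames() { return []; }
function getCredentialsParamsNames() { return ['Username', 'Password']; }

// ---- HTTP Sender script: add the bearer header to every outgoing request ----
function sendingRequest(msg, initiator, helper) {
  var token = ScriptVars.getGlobalVar(TOKEN_VAR);
  if (token) { msg.getRequestHeader().setHeader('Authorization', 'Bearer ' + token); }
  return msg;
}
function responseReceived(msg, initiator, helper) {}
```

Setting the global variable to null after a failed login means the sender script simply stops adding the header, which surfaces as 401s in the scan instead of a silently stale token.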

Naufal Arkaan

Feb 4, 2020, 5:58:52 AM
to OWASP ZAP User Group
What parameters and hardcoded values did you take out? Can you explain? My condition is the same as in your posting... I already changed the type of the script from "Stand-Alone" to "Authentication" but the load error is still there.

Thanks.