Ajaxspider Automation Framework authentication problems

78 views
Skip to first unread message

jp...@gmail.com

unread,
Jun 28, 2022, 12:40:57 PMJun 28
to OWASP ZAP User Group
Hi,

After having successful results scanning WebGoat with the Docker + Webswing version, I've been trying to implement a scan using the Automation Framework, but I am having trouble getting through the authentication with the Ajaxspider.

In the standard GUI I could authenticate my Ajaxspider scans by configuring form-based authentication defined in the context and using the force user mode option. In the Automation Framework version I can't do same thing, if I pass users to the Ajax crawler it hangs on and throws an error.

Checking the logs and discussions, I find that the error is the same as this one posted earlier. I also don't know what's up with the URIs...
https://groups.google.com/g/zaproxy-users/c/JzI61cfYi8Q/m/eY0eEo_5AgAJ
I also attached the yaml automation file.


Screenshot from 2022-06-28 17-09-15.pngScreenshot from 2022-06-28 17-27-25.png

Many thanks, :)
João

ajax-spider-error.txt

jp...@gmail.com

unread,
Jun 28, 2022, 12:43:59 PMJun 28
to OWASP ZAP User Group
---
env:
  contexts:
  - name: "Default Context"
    urls:
    - "http://172.17.0.2:8080/WebGoat/"
    includePaths:
    - "http://172.17.0.2:8080/WebGoat/.*"
    excludePaths: []
    authentication:
      method: "form"
      parameters:
        loginPageUrl: "http://172.17.0.2:8080/WebGoat/login"
        loginRequestUrl: "http://172.17.0.2:8080/WebGoat/login"
        loginRequestBody: "username={%username%}&password={%password%}"
      verification:
        method: "response"
        pollFrequency: 60
        pollUnits: "requests"
        pollUrl: ""
        pollPostData: ""
    sessionManagement:
      method: "cookie"
      parameters: {}
    users:
    - name: "testing"
      credentials:
        password: "testing"
        username: "testing"
  parameters:
    failOnError: true
    failOnWarning: false
    progressToStdout: true
  vars: {}
jobs:
- parameters:
    updateAddOns: false
  install: []
  uninstall: []
  name: "addOns"
  type: "addOns"
- parameters:
    scanOnlyInScope: true
    enableTags: false
  rules: []
  name: "passiveScan-config"
  type: "passiveScan-config"
- parameters:
    context: "Default Context"
    user: "testing"
    url: ""
    maxDuration: 0
    maxDepth: 0
    maxChildren: 0
  tests:
  - onFail: "INFO"
    statistic: "stats.auth.success"
    site: "http://172.17.0.2:8080"
    operator: ">="
    value: 1
    type: "stats"
    name: "at least 1 auth"
  name: "spider"
  type: "spider"
- parameters:
    context: "Default Context"
    user: "testing"
    url: ""
    maxDuration: 0
    maxCrawlDepth: 0
    numberOfBrowsers: 0
  tests:
  - onFail: "INFO"
    statistic: "stats.auth.success"
    site: "http://172.17.0.3:8080"
    operator: ">="
    value: 1
    type: "stats"
    name: "at least 1 auth"
  name: "spiderAjax"
  type: "spiderAjax"
- parameters: {}
  name: "passiveScan-wait"
  type: "passiveScan-wait"
- parameters:
    template: "risk-confidence-html"
    reportDir: "/home/zap"
    reportTitle: "ZAP Scanning Report"
    reportDescription: ""
  name: "report"
  type: "report"

jp...@gmail.com

unread,
Jun 29, 2022, 11:05:22 AMJun 29
to OWASP ZAP User Group
Hi,

After doing some more testing I can get past the URI problem, apparently I had to be more specific with the URL when using the Ajaxspider and specify the number of browser instances.
Still, I am stuck with nullPointerException errors when POST authentication is attempted. The yaml configuration is roughly the same as the one I posted earlier with the previously mentioned changes.

Thanks,
João
ajax-spider-nullPointerException.txt

Simon Bennetts

unread,
Jul 1, 2022, 4:45:23 AMJul 1
to OWASP ZAP User Group
Hi João,

Could you post your latest yaml file and I'll give it a go asap.

Cheers,

Simon

jp...@gmail.com

unread,
Jul 4, 2022, 9:49:39 AMJul 4
to OWASP ZAP User Group
Hi Simon,

I was able to get past the nullPointerException problem by changing the Docker image to the stable one. I forgot to mention that I had tried using other release images (weekly, bare, ...) to get past that error. I am still not sure if the problem was related to that, but it ended up working! Maybe something was wrong with the Docker network or the WebGoat server, I also reset those.
Right now, things seem to be working as expected.

I'll also post the YAML file that I was using. 

Thanks for the reply,
João
zap.yml

thc...@gmail.com

unread,
Jul 4, 2022, 10:09:22 AMJul 4
to zaprox...@googlegroups.com
That exception will be fixed in the next release of those images (should
be already fixed in the live image).

Best regards.
Reply all
Reply to author
Forward
0 new messages