Ajaxspider Automation Framework authentication problems


jp...@gmail.com

Jun 28, 2022, 12:40:57 PM
to OWASP ZAP User Group
Hi,

After having successful results scanning WebGoat with the Docker + Webswing version, I've been trying to implement a scan using the Automation Framework, but I am having trouble getting through the authentication with the Ajaxspider.

In the standard GUI I could authenticate my Ajaxspider scans by configuring form-based authentication defined in the context and using the force user mode option. In the Automation Framework version I can't do the same thing: if I pass users to the Ajax crawler it hangs and throws an error.

Checking the logs and discussions, I find that the error is the same as this one posted earlier. I also don't know what's up with the URIs...
https://groups.google.com/g/zaproxy-users/c/JzI61cfYi8Q/m/eY0eEo_5AgAJ
I also attached the yaml automation file.


Attachments: Screenshot from 2022-06-28 17-09-15.png, Screenshot from 2022-06-28 17-27-25.png

Many thanks, :)
João

ajax-spider-error.txt

jp...@gmail.com

Jun 28, 2022, 12:43:59 PM
to OWASP ZAP User Group
---
# ZAP Automation Framework plan for WebGoat (Docker). Comments added for clarity;
# the values changed from the originally posted plan are noted inline.
env:
  contexts:
  - name: "Default Context"
    urls:
    - "http://172.17.0.2:8080/WebGoat/"
    includePaths:
    - "http://172.17.0.2:8080/WebGoat/.*"
    excludePaths: []
    authentication:
      method: "form"
      parameters:
        loginPageUrl: "http://172.17.0.2:8080/WebGoat/login"
        loginRequestUrl: "http://172.17.0.2:8080/WebGoat/login"
        loginRequestBody: "username={%username%}&password={%password%}"
      verification:
        # No loggedInRegex/loggedOutRegex is set here, so ZAP has nothing to
        # match against when checking whether the login actually succeeded.
        method: "response"
        pollFrequency: 60
        pollUnits: "requests"
        pollUrl: ""
        pollPostData: ""
    sessionManagement:
      method: "cookie"
      parameters: {}
    users:
    - name: "testing"
      credentials:
        password: "testing"
        username: "testing"
  parameters:
    failOnError: true
    failOnWarning: false
    progressToStdout: true
  vars: {}
jobs:
- parameters:
    updateAddOns: false
  install: []
  uninstall: []
  name: "addOns"
  type: "addOns"
- parameters:
    scanOnlyInScope: true
    enableTags: false
  rules: []
  name: "passiveScan-config"
  type: "passiveScan-config"
- parameters:
    context: "Default Context"
    user: "testing"
    url: ""
    maxDuration: 0
    maxDepth: 0
    maxChildren: 0
  tests:
  - onFail: "INFO"
    statistic: "stats.auth.success"
    site: "http://172.17.0.2:8080"
    operator: ">="
    value: 1
    type: "stats"
    name: "at least 1 auth"
  name: "spider"
  type: "spider"
- parameters:
    context: "Default Context"
    user: "testing"
    # Originally "" - the follow-up post found the Ajax spider needs an explicit start URL.
    url: "http://172.17.0.2:8080/WebGoat/"
    maxDuration: 0
    maxCrawlDepth: 0
    # Originally 0 - the follow-up post found the browser count must be specified.
    numberOfBrowsers: 1
  tests:
  - onFail: "INFO"
    statistic: "stats.auth.success"
    # Originally "http://172.17.0.3:8080", which does not match the context host
    # (172.17.0.2), so the statistic could never be found for that site.
    site: "http://172.17.0.2:8080"
    operator: ">="
    value: 1
    type: "stats"
    name: "at least 1 auth"
  name: "spiderAjax"
  type: "spiderAjax"
- parameters: {}
  name: "passiveScan-wait"
  type: "passiveScan-wait"
- parameters:
    template: "risk-confidence-html"
    reportDir: "/home/zap"
    reportTitle: "ZAP Scanning Report"
    reportDescription: ""
  name: "report"
  type: "report"

jp...@gmail.com

Jun 29, 2022, 11:05:22 AM
to OWASP ZAP User Group
Hi,

After doing some more testing I can get past the URI problem, apparently I had to be more specific with the URL when using the Ajaxspider and specify the number of browser instances.
Still, I am stuck with nullPointerException errors when POST authentication is attempted. The yaml configuration is roughly the same as the one I posted earlier with the previously mentioned changes.

Thanks,
João
ajax-spider-nullPointerException.txt
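The two fixes described in the post above (an explicit start URL for the Ajax spider and a specified browser count), plus the mismatch between the stats test site and the context host in the posted plan, are all things a plan linter can catch before a crawl is launched. The following is an added example, not part of this thread or of the ZAP project: it lints a plan in the shape PyYAML would load from the YAML above. The sample plan is a constructed dict mirroring the posted configuration, and the `loggedInRegex` used in `fixed_plan` is an assumption for WebGoat, not something the thread states.

```python
"""Lint a ZAP Automation Framework plan for the spiderAjax / auth pitfalls
discussed in this thread. Added example; the plan below is constructed."""
import copy
from urllib.parse import urlsplit

# Constructed sample: a dict mirroring the YAML posted earlier (as yaml.safe_load
# would return it), including the defects discussed in the thread.
SAMPLE_PLAN = {
    "env": {"contexts": [{
        "name": "Default Context",
        "urls": ["http://172.17.0.2:8080/WebGoat/"],
        "includePaths": ["http://172.17.0.2:8080/WebGoat/.*"],
        "authentication": {
            "method": "form",
            "parameters": {"loginPageUrl": "http://172.17.0.2:8080/WebGoat/login",
                           "loginRequestUrl": "http://172.17.0.2:8080/WebGoat/login",
                           "loginRequestBody": "username={%username%}&password={%password%}"},
            "verification": {"method": "response", "pollFrequency": 60,
                             "pollUnits": "requests", "pollUrl": "", "pollPostData": ""},
        },
        "sessionManagement": {"method": "cookie", "parameters": {}},
        "users": [{"name": "testing",
                   "credentials": {"username": "testing", "password": "testing"}}],
    }]},
    "jobs": [
        {"type": "spider", "name": "spider",
         "parameters": {"context": "Default Context", "user": "testing", "url": ""},
         "tests": [{"type": "stats", "statistic": "stats.auth.success",
                    "site": "http://172.17.0.2:8080", "operator": ">=", "value": 1}]},
        {"type": "spiderAjax", "name": "spiderAjax",
         "parameters": {"context": "Default Context", "user": "testing", "url": "",
                        "maxDuration": 0, "maxCrawlDepth": 0, "numberOfBrowsers": 0},
         "tests": [{"type": "stats", "statistic": "stats.auth.success",
                    "site": "http://172.17.0.3:8080", "operator": ">=", "value": 1}]},
    ],
}


def _host(url):
    """scheme-less host:port of a URL, lower-cased; '' for an empty/invalid URL."""
    return urlsplit(url or "").netloc.lower()


def lint_plan(plan):
    """Return a list of human-readable findings; an empty list means no issue found."""
    findings = []
    contexts = {c["name"]: c for c in plan.get("env", {}).get("contexts", [])}

    for ctx_name, ctx in contexts.items():
        ver = ctx.get("authentication", {}).get("verification", {})
        if ver.get("method") in ("response", "request", "both") and not (
                ver.get("loggedInRegex") or ver.get("loggedOutRegex")):
            findings.append(f"context '{ctx_name}': verification method '{ver['method']}' "
                            "but neither loggedInRegex nor loggedOutRegex is set, so ZAP "
                            "has nothing to match when checking that the login worked")

    for job in plan.get("jobs", []):
        jtype, params = job.get("type"), job.get("parameters", {})
        jname = job.get("name", jtype)
        if jtype not in ("spider", "spiderAjax"):
            continue
        ctx = contexts.get(params.get("context"))
        if ctx is None:
            findings.append(f"job '{jname}': context '{params.get('context')}' is not defined")
            continue
        ctx_hosts = {_host(u) for u in ctx.get("urls", [])}
        if jtype == "spiderAjax":
            # Both findings below are the fixes the follow-up post reports.
            if params.get("user") and not params.get("url"):
                findings.append(f"job '{jname}': runs as a user but 'url' is empty; "
                                "give the Ajax spider an explicit start URL")
            if not params.get("numberOfBrowsers"):
                findings.append(f"job '{jname}': numberOfBrowsers is 0 or unset; "
                                "specify a positive number of browser instances")
        for test in job.get("tests", []):
            if test.get("type") == "stats" and _host(test.get("site")) not in ctx_hosts:
                findings.append(f"job '{jname}': stats test site '{test.get('site')}' is not "
                                f"a host of the context urls {sorted(ctx_hosts)}; the "
                                "statistic will never be found for that site")
    return findings


def fixed_plan(plan):
    """Copy of the plan with the thread's fixes applied. The loggedInRegex is an
    assumption for WebGoat (a logout link on authenticated pages), not from the thread."""
    fixed = copy.deepcopy(plan)
    ctxs = {c["name"]: c for c in fixed["env"]["contexts"]}
    for ctx in ctxs.values():
        ctx["authentication"]["verification"]["loggedInRegex"] = r"\Qlogout\E"  # assumed
    for job in fixed["jobs"]:
        if job["type"] != "spiderAjax":
            continue
        start = ctxs[job["parameters"]["context"]]["urls"][0]
        job["parameters"]["url"] = start
        job["parameters"]["numberOfBrowsers"] = 1
        parts = urlsplit(start)
        for test in job.get("tests", []):
            if test.get("type") == "stats":
                test["site"] = f"{parts.scheme}://{parts.netloc}"  # matches the context host
    return fixed


def lint_yaml(text):
    """Lint a plan given as YAML text. Needs PyYAML, which is not in the stdlib."""
    import yaml
    return lint_plan(yaml.safe_load(text))


if __name__ == "__main__":
    for line in lint_plan(SAMPLE_PLAN):
        print("-", line)
    print("after fixes:", lint_plan(fixed_plan(SAMPLE_PLAN)) or "clean")
```

Run it against a real plan with `lint_yaml(open("zap.yml").read())` before starting the container; the host-mismatch check in particular is cheap to run and expensive to discover from a crawl that never records a single `stats.auth.success`.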

Simon Bennetts

Jul 1, 2022, 4:45:23 AM
to OWASP ZAP User Group
Hi João,

Could you post your latest yaml file and I'll give it a go asap.

Cheers,

Simon

jp...@gmail.com

Jul 4, 2022, 9:49:39 AM
to OWASP ZAP User Group
Hi Simon,

I was able to get past the nullPointerException problem by changing the Docker image to the stable one. I forgot to mention that I had tried using other release images (weekly, bare, ...) to get past that error. I am still not sure if the problem was related to that, but it ended up working! Maybe something was wrong with the Docker network or the WebGoat server, I also reset those.
Right now, things seem to be working as expected.

I'll also post the YAML file that I was using. 

Thanks for the reply,
João
zap.yml

thc...@gmail.com

Jul 4, 2022, 10:09:22 AM
to zaprox...@googlegroups.com
That exception will be fixed in the next release of those images (should
be already fixed in the live image).

Best regards.