Unable to load Script Based Authentication method. The script does not properly implement the Authentication Script interface.

Andrew Perry

Jan 23, 2023, 12:42:08 AM
to OWASP ZAP User Group

Hi There,

I am having trouble getting the script based authentication working within the ZAP Docker environment.

I modified the GetsWithRedirectThenPost.js and renamed it and got it working with ZAP UI. I then exported the context, which saved the Authentication settings specifically for the script and saved the script which was included in the command line and loaded successfully as per below.

However, I don't understand what the error "does not properly implement the Authentication Script interface." means and how to fix it.

I did load an extra class in the UI, to help with adding hidden form Input fields to the POST request, would that cause a problem or need extra configuration in the container?

var Source = Java.type('net.htmlparser.jericho.Source');

6036 [ZAP-IO-Server-1-1] INFO  org.zaproxy.zap.authentication.ScriptBasedAuthenticationMethodType - Loaded script:GetsWithRedirectThenPostCustom.js

6038 [ZAP-IO-Server-1-1] ERROR org.zaproxy.zap.authentication.ScriptBasedAuthenticationMethodType - Unable to load Script Based Authentication method. The script GetsWithRedirectThenPostCustom.js does not properly implement the Authentication Script interface.

6098 [ZAP-IO-Server-1-1] ERROR org.zaproxy.zap.extension.api.ContextAPI - null

java.lang.NullPointerException: null

....

I have the following additional options configured

-z "-config script.scripts.name=GetsWithRedirectThenPostCustom.js
-config script.scripts.engine=OracleNashorn
-config script.scripts.type=authentication
-config script.scripts.enabled=true
-config script.scripts.file=/zap/wrk/GetsWithRedirectThenPostCustom.js"

Are there any other settings I need?

Thanks,
Andrew.

kingthorin+owaspzap

Jan 23, 2023, 2:11:51 PM
to OWASP ZAP User Group
Importing other Java types is totally fine. "does not properly implement the Authentication Script interface." basically means you didn't follow the template and implement all the expected methods in your script.

Also you should be aware that Nashorn is not available in Java versions newer than Java 11. (So you'd need to use the GraalVM JS add-on)
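
A way to test a script against the "expected methods" described in the reply above, as an added example that is not part of the original post or of ZAP itself. It checks for the four functions declared by ZAP's authentication script template; the helper name, the stubbed `Java` object and both sample scripts are constructed for illustration. A script that passes this check yet still triggers the error points at something outside the script, such as the engine setting changed later in this thread.

```javascript
// Functions declared by ZAP's authentication script template.
const REQUIRED_FUNCTIONS = [
  'authenticate',
  'getRequiredParamsNames',
  'getOptionalParamsNames',
  'getCredentialsParamsNames',
];

// Evaluate the script source with a stubbed `Java` global, so top-level
// Java.type(...) calls do not throw outside ZAP, and report which expected
// functions are absent. The script's top-level code is executed, so only
// run this on scripts you trust.
function missingAuthFunctions(source) {
  const javaStub = { type: function () { return function () {}; } };
  const probe = REQUIRED_FUNCTIONS
    .map((n) => `${JSON.stringify(n)}: typeof ${n}`)
    .join(', ');
  let kinds;
  try {
    // The leading newline before `;return` protects against a trailing
    // line comment in the script swallowing the probe.
    kinds = new Function('Java', `${source}\n;return { ${probe} };`)(javaStub);
  } catch (err) {
    // Syntax or runtime errors mean nothing could be verified.
    return { error: String(err), missing: REQUIRED_FUNCTIONS.slice() };
  }
  return {
    error: null,
    missing: REQUIRED_FUNCTIONS.filter((n) => kinds[n] !== 'function'),
  };
}

// Constructed sample: a minimal script that defines all four functions.
const SAMPLE_COMPLETE = `
var Source = Java.type('net.htmlparser.jericho.Source');
function authenticate(helper, paramsValues, credentials) { return null; }
function getRequiredParamsNames() { return ['loginUrl']; }
function getOptionalParamsNames() { return []; }
function getCredentialsParamsNames() { return ['username', 'password']; }
`;

// Constructed sample: the same script with one function misnamed.
const SAMPLE_INCOMPLETE = SAMPLE_COMPLETE.replace(
  'function getCredentialsParamsNames',
  'function getCredentialParams'
);
```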

Andrew Perry

Jan 23, 2023, 6:35:59 PM
to OWASP ZAP User Group
This is an out of the box script, with minimal modifications, so I am not sure what you mean by
"basically means you didn't follow the template and implement all the expected methods in your script."
Can you be more specific?

The Java version in the container is

:/zap$ java -version
openjdk version "11.0.16" 2022-07-19
OpenJDK Runtime Environment (build 11.0.16+8-post-Debian-1deb11u1)

The script is running fine within ZAP UI, so what would be different or required to run it in the container?

Is the GraalVM JS add-on included in the container by default, or do you need to add that as a startup parameter?

Thanks,
Andrew.

Andrew Perry

Jan 23, 2023, 7:58:57 PM
to OWASP ZAP User Group
OK, looks like I got it working.

Changed the script type to Graal in the UI and retested with the same script.

Then updated the -config script.scripts.engine=Graal.js when running it in the container.

The documentation could be updated to reflect that Nashorn engine is not available in the container, on this page, although it is still working in the UI.
https://www.zaproxy.org/docs/desktop/addons/script-console/
Also, it's not immediately clear what the script engine parameter should be set to, had to guess that. Maybe a page or instructions on how to work that out also would be good.

Appreciate the help, thanks!

thc...@gmail.com

Jan 24, 2023, 4:21:55 AM
to zaprox...@googlegroups.com
Nashorn is still available in the Docker images, they are using Java 11.

Best regards.

On 24/01/2023 00:58, 'Andrew Perry' via OWASP ZAP User Group wrote:
> OK, looks like I got it working.
>
> Changed the script type to Graal in the UI and retested with the same
> script.
>
> Then updated the *-config script.scripts.engine=Graal.js* when running it
> in the container.
>
> The documentation could be updated to reflect that Nashorn engine is not
> available in the container, on this page, although it is still working in
> the UI.
> https://www.zaproxy.org/docs/desktop/addons/script-console/
>
> - ECMAScript / JavaScript (using Nashorn engine
> <https://docs.oracle.com/javase/8/docs/technotes/guides/scripting/nashorn/>,
> included by default)
>
> Also, it's not immediately clear what the script engine parameter should be
> set to, had to guess that. Maybe a page or instructions on how to work that
> out also would be good.
>
> Appreciate the help, thanks!
>
> On Tuesday, 24 January 2023 at 10:35:59 am UTC+11 Andrew Perry wrote:
>
>> This is an out of the box script, with minimal modifications, so I am not
>> sure what you mean by
>> *"basically means you didn't follow the template and implement all the
>> expected methods in your script."*
>> However, I don't understand what the error *"**does not properly
>> implement the Authentication Script interface."* means and how to fix it.
>>
>> I did load an extra class in the UI, to help with adding hidden form Input
>> fields to the POST request, would that cause a problem or need extra
>> configuration in the container?
>> *var Source = Java.type('net.htmlparser.jericho.Source');*
>>
>> 6036 [ZAP-IO-Server-1-1] INFO
>> org.zaproxy.zap.authentication.ScriptBasedAuthenticationMethodType - Loaded
>> script:GetsWithRedirectThenPostCustom.js
>>
>> 6038 [ZAP-IO-Server-1-1] ERROR
>> org.zaproxy.zap.authentication.ScriptBasedAuthenticationMethodType - Unable
>> to load Script Based Authentication method. The script
>> GetsWithRedirectThenPostCustom.js does not properly implement the
>> Authentication Script interface.
>>
>> 6098 [ZAP-IO-Server-1-1] ERROR org.zaproxy.zap.extension.api.ContextAPI -
>> null
>>
>> java.lang.NullPointerException: null
>>
>> ....
>>
>> I have the following additional options configured
>>
>> *-z "-config script.scripts.name=GetsWithRedirectThenPostCustom.js -config
>> script.scripts.engine=OracleNashorn -config
>> script.scripts.type=authentication -config script.scripts.enabled=true
>> -config script.scripts.file=/zap/wrk/GetsWithRedirectThenPostCustom.js"*
>>
>> *Are there any other settings I need?*
>>
>> Thanks,
>> Andrew.
>>
>

Michael Endrizzi

Dec 20, 2023, 9:14:33 AM
to ZAP User Group
Wow... I spent weeks on this, and this was the magic for me. Thanks.

-config script.scripts.engine=Graal.js
