ZAP AJAX Spidering with Login details

501 views

AlanT

Oct 19, 2021, 12:12:02 AM10/19/21
to OWASP ZAP User Group
Hi! I understand from your tutorial videos that I need to do a Spider first to explore the URL links and do an AJAX spider to explore modern web applications with JavaScript. After this, I can do an active scan.

I have already set up a context with Form-based Authentication with the username parameter and password parameter selected correctly. I have also set the Verification Strategy and regex pattern.

I have also set up the users with the username and password, set the session management to Cookie-based Session Management, and clicked on the Forced User Mode enabled button.

While doing an Active Scan, I can see from the output that it says Authentication successful, and in the History tab I can see from the Response that it is logged in successfully.

The problem is: Zap scans the login page but after it logs in, it does not scan the URL links in that logged in page.

I would suspect the AJAX spidering is not done properly. I think it is because the URL links in the logged-in page are all AJAX links, e.g. the Manual Charges link is a JavaScript call.

Screenshot 2021-10-19 120506.png

How do I get AJAX spider or active scan to click on those links in the Manual Charges?

Please help and ask me if I did not provide enough details.

Thanks in advance.

Simon Bennetts

Oct 19, 2021, 4:16:34 AM10/19/21
to OWASP ZAP User Group
Modern web applications can be a real pain ;)
Try launching the Ajax Spider non-headless - this will allow you to see what it's doing.
When the browser launches does it appear to be logged in?
Authentication is handled by ZAP, but this means that if your app maintains the authentication state in the browser then you will need to configure ZAP to understand that too.

Cheers,

Simon

AlanT

Oct 19, 2021, 4:56:46 AM10/19/21
to OWASP ZAP User Group
Hi Simon, 

Thank you for your answer. I have run it in non-headless mode but it does not log in.

How do I configure it to log in for the AJAX spider? I have set up the user here in this screen:

2.png

I have found the JSESSIONID tokens here. Does this mean it is logged in?

3.png
Please advise. Thanks.

Simon Bennetts

Oct 19, 2021, 5:09:56 AM10/19/21
to OWASP ZAP User Group
Is it logged in? That's very difficult for me to say.
As I mentioned before, if your app maintains the authentication state in the browser then you will need to configure ZAP to understand that too.
Have a look at the video I linked to last time, that will hopefully explain things.
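The setup described across this thread (context, form-based authentication, logged-in indicator, cookie-based session management, a user, Forced User Mode, then an AJAX Spider run as that user and a check of what it actually reached) can be scripted against the ZAP API instead of clicked through the UI. The script below is an added example and is not code from this thread or from the ZAP project. It assumes ZAP is running locally with its API on http://localhost:8080, the python-owasp-zap-v2.4 client is installed, and a target application at https://app.example whose login form posts `username` and `password` fields and whose logged-in pages contain a logout link; all hostnames, the API key, field names and the regex are placeholders. The option and method names used are the ones documented for the ZAP API client; the headless/non-headless switch follows the advice in the reply above.

```python
"""Script the ZAP authenticated AJAX Spider setup discussed in this thread.

Added example; not code from the thread or from the ZAP project. Assumptions:
  - ZAP running locally, API on http://localhost:8080 with the API key below
  - target app at https://app.example, login form posting username/password
  - python-owasp-zap-v2.4 installed ("pip install python-owasp-zap-v2.4")
Every hostname, field name, API key and regex here is a placeholder.
"""
import time
import urllib.parse

ZAP_PROXY = "http://localhost:8080"        # assumption: local ZAP API address
ZAP_APIKEY = "changeme"                    # assumption: API key set in ZAP options
TARGET = "https://app.example"             # assumption: target application
LOGIN_URL = TARGET + "/login"              # assumption: form-based login endpoint
LOGGED_IN_REGEX = r'\Qhref="/logout"\E'    # assumption: only present when logged in


def form_auth_params(login_url, user_field="username", pass_field="password"):
    """Build authMethodConfigParams for ZAP's formBasedAuthentication.

    ZAP substitutes {%username%} and {%password%} at login time. The whole
    loginRequestData value must itself be URL-encoded inside the params string,
    which is the part people most often get wrong when scripting this.
    """
    request_data = f"{user_field}={{%username%}}&{pass_field}={{%password%}}"
    return "loginUrl={}&loginRequestData={}".format(
        urllib.parse.quote(login_url, safe=""),
        urllib.parse.quote(request_data, safe=""),
    )


def credential_params(username, password):
    """Build authCredentialsConfigParams for users.set_authentication_credentials."""
    return "username={}&password={}".format(
        urllib.parse.quote(username, safe=""),
        urllib.parse.quote(password, safe=""),
    )


def urls_beyond_login(urls, login_url):
    """Distinct URLs (query/fragment stripped) that are not the login page.

    An empty result is the symptom from the thread: the crawl saw the login
    form but never got to the pages behind it.
    """
    seen, out = set(), []
    for u in urls:
        path = u.split("?", 1)[0].split("#", 1)[0]
        if path == login_url or path in seen:
            continue
        seen.add(path)
        out.append(path)
    return out


def configure_and_spider(username="alan", password="secret", headless=False):
    """Configure the context/user exactly as the thread describes and crawl."""
    # Imported here so the helpers above work without the client installed.
    from zapv2 import ZAPv2

    zap = ZAPv2(apikey=ZAP_APIKEY, proxies={"http": ZAP_PROXY, "https": ZAP_PROXY})
    ctx_name = "app"
    ctx_id = zap.context.new_context(ctx_name)
    zap.context.include_in_context(ctx_name, TARGET + ".*")

    # Form-based auth + verification regex (the "logged in indicator").
    zap.authentication.set_authentication_method(
        ctx_id, "formBasedAuthentication", form_auth_params(LOGIN_URL))
    zap.authentication.set_logged_in_indicator(ctx_id, LOGGED_IN_REGEX)
    # Cookie-based session management, as in the original post. If the app keeps
    # its auth state in the browser instead (e.g. a token in localStorage), this
    # is the setting that has to change.
    zap.sessionManagement.set_session_management_method(
        ctx_id, "cookieBasedSessionManagement")

    user_id = zap.users.new_user(ctx_id, username)
    zap.users.set_authentication_credentials(
        ctx_id, user_id, credential_params(username, password))
    zap.users.set_user_enabled(ctx_id, user_id, "true")
    zap.forcedUser.set_forced_user(ctx_id, user_id)
    zap.forcedUser.set_forced_user_mode_enabled("true")

    # Non-headless by default so you can watch whether the browser is logged in.
    zap.ajaxSpider.set_option_browser_id("firefox-headless" if headless else "firefox")
    zap.ajaxSpider.scan_as_user(ctx_name, username, TARGET)
    while zap.ajaxSpider.status == "running":
        time.sleep(2)
    return urls_beyond_login(zap.core.urls(TARGET), LOGIN_URL)


if __name__ == "__main__":
    reached = configure_and_spider()
    print("pages reached beyond the login form:", len(reached))
    for url in reached:
        print("  ", url)
```

If `configure_and_spider()` returns an empty list, ZAP's own login may have succeeded (the Output tab message) while the browser the AJAX Spider launched did not, which is the situation in the thread; the non-headless run is the quickest way to see which of the two is true.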