Automated authentication with multipart form data


Sama

Mar 12, 2024, 6:03:51 AM
to ZAP User Group
Hi,
I want to automate the authentication in my CLI. So, I used the GUI to create the context where I employed the authentication tester. Then, I ran it in a container. However, with the exported context, it seems that it's not logging in (or maybe I don't know how to verify).

Also, in the case of multipart form data, it didn't provide options in the parameters of authentication, and I'm unsure how to set parameters considering the form of the request:



-----------------------------263525584
Content-Disposition: form-data; name="login"

test
-----------------------------263525584
Content-Disposition: form-data; name="password"

test123
-----------------------------263525584--


Can someone help me with this; thanks in advance.

Simon Bennetts

Mar 12, 2024, 11:16:37 AM
to ZAP User Group

The authentication tester uses Browser Based Authentication, so the browser logs in rather than directly specifying details like multipart form data.
This is the recommended option.

You can add Statistics Jobs Tests to check everything is working as you expect: https://www.zaproxy.org/docs/desktop/addons/automation-framework/test-stats/

Cheers,

Simon

Sama

Mar 13, 2024, 4:59:51 AM
to ZAP User Group
Thank you for your response.

Could you please help me understand why the browser-based authentication approach is recommended over launching the test and configuring the context manually?

However, I did the authentication using Browser-Based Authentication, then exported the context and launched it in the CLI, added the states as well, and got this result:

[{'stats.auth.browser.foundfields': 3, 'stats.auth.browser.passed': 3, 'stats.auth.failure': 3, 'stats.auth.sessiontoken.SESSION': 61, 'stats.auth.state.loggedout': 10}]

Does this mean that the authentication was successful? As in the CLI, I didn't find the URL that should appear after the login page.

Sama

Mar 13, 2024, 5:37:12 AM
to ZAP User Group
And I have another question, as I want to automate this scan in a job in my CI/CD pipeline in GitLab. The problem is that the URL for the login application changes every time, and the URL is retrieved in another job.
Is it possible, since the URL in the context file I export contains the value that, in my case, changes with every new pipeline?
Thanks in advance.

Simon Bennetts

Mar 14, 2024, 8:37:16 AM
to ZAP User Group
Was authentication successful?
Difficult for us to say as we know nothing about your app, but it doesn't look too hopeful.
So stats.auth.state.loggedout=10 means that 10 messages included the logged-out indicator.

If you are not seeing the URLs you expect and are getting lots of logged-out indicators, then I think it's safe to assume it's not working correctly.
Debugging auth problems is hard; you may need to start looking at the requests and responses in detail.

Re the changing login URL: you will need to inject that into the context file you use.

Cheers,

Simon
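
An added example (not ZAP's own code or anything from the thread) of the two CI-side pieces Simon describes: injecting the per-pipeline login URL into the exported context file, and failing the job on the auth stats he interprets above (stats.auth.failure and stats.auth.state.loggedout). The <loginurl> element name, the __LOGIN_URL__ placeholder and the LOGIN_URL environment variable are assumptions; the real context export is a larger XML document.

```python
import ast
import os
from urllib.parse import urlsplit
from xml.sax.saxutils import escape

# Constructed stand-in for an exported ZAP context file. The <loginurl> element
# and the __LOGIN_URL__ placeholder are assumptions made for this example.
CONTEXT_TEMPLATE = """<configuration>
  <context>
    <name>Default Context</name>
    <loginurl>__LOGIN_URL__</loginurl>
  </context>
</configuration>
"""

# The stats line exactly as posted in the thread (a Python-style dict, not JSON).
STATS_SAMPLE = ("[{'stats.auth.browser.foundfields': 3, 'stats.auth.browser.passed': 3, "
                "'stats.auth.failure': 3, 'stats.auth.sessiontoken.SESSION': 61, "
                "'stats.auth.state.loggedout': 10}]")


def inject_login_url(context_xml, login_url, placeholder="__LOGIN_URL__"):
    """Replace the placeholder with an XML-escaped absolute https URL; refuse anything else."""
    parts = urlsplit(login_url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("login URL must be an absolute https URL: %r" % login_url)
    if context_xml.count(placeholder) != 1:
        raise ValueError("placeholder %s must appear exactly once" % placeholder)
    # escape() turns & < > into entities so a query string cannot break the XML
    return context_xml.replace(placeholder, escape(login_url))


def auth_problems(stats_text):
    """Return the reasons the auth stats look wrong; an empty list means they look healthy."""
    stats = ast.literal_eval(stats_text)[0]
    problems = []
    failures = stats.get("stats.auth.failure", 0)
    if failures:
        problems.append("%d authentication attempts failed" % failures)
    logged_out = stats.get("stats.auth.state.loggedout", 0)
    if logged_out:
        problems.append("%d responses matched the logged-out indicator" % logged_out)
    return problems


if __name__ == "__main__":
    # LOGIN_URL would be passed from the earlier pipeline job; the default is a constructed value.
    url = os.environ.get("LOGIN_URL", "https://app.example.test/login?tenant=a&b=c")
    print(inject_login_url(CONTEXT_TEMPLATE, url))
    for problem in auth_problems(STATS_SAMPLE):
        print("auth check:", problem)
    raise SystemExit(1 if auth_problems(STATS_SAMPLE) else 0)
```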

Sama

Mar 14, 2024, 10:14:13 AM
to ZAP User Group
I think the authentication is successful now, as I found in the generated report that there is a post-session in the Session Management Response Identified. Is this enough?

Simon Bennetts

Mar 14, 2024, 12:24:30 PM
to ZAP User Group
No, that just means that ZAP identified a session management response.