Pass username/password to Zest Script from ZAP


ro...@cloverandgrape.com

Aug 24, 2018, 10:20:32 AM8/24/18
to OWASP ZAP User Group
Is it possible to pass a username and password from a context to a Zest script?

I've recorded a zest script manually, and when I run it, it logs in successfully, but it has the username and password hardcoded right in it.

I'm using a python script to call the APIs, which I use to setup a context and user with credentials. I'd like the Zest script to use the user/credentials from the context so they don't have to be hardcoded.

Is this possible?

Thanks!
Robb

thc...@gmail.com

Aug 24, 2018, 11:24:29 AM8/24/18
to zaprox...@googlegroups.com
Hi.

Yes, the username and password are provided to the auth Zest script
through the variables Username and Password, respectively.

They can be accessed in the script with {{ }}, e.g. {{Username}}

Best regards.

Simon Bennetts

Aug 24, 2018, 11:29:46 AM8/24/18
to OWASP ZAP User Group
For reference, if you right click on any Zest text field there will be a menu option for inserting variables in the right format, and it will include all of the variables that the script has access to.

ro...@cloverandgrape.com

Aug 24, 2018, 2:02:37 PM8/24/18
to OWASP ZAP User Group
Thanks, when I right click to put a variable, I only see things like request.header and response.header. I don't see any username or password options?

I swapped the hardcoded username/password for {{Username}} and {{Password}}, but when I look at the history, I see username={{Username}}&password={{Password}} is literally what's being sent.

I feel like there must be another key step to getting variable substitution to work that I'm missing?

Sorry if this is a basic question, I'm having trouble finding much in terms of documentation on this...

thc...@gmail.com

Aug 24, 2018, 3:55:24 PM8/24/18
to zaprox...@googlegroups.com
Since it was recorded it might not have the default auth variables, e.g.:
"parameters": {
  "tokenStart": "{{",
  "tokenEnd": "}}",
  "tokens": {
    "Username": "",
    "Password": ""
  },
  "elementType": "ZestVariables"
}

although that would not prevent the usage in the script, just that it
would not suggest them.

The replacement happens automatically if the variables are present,
which they should be if it is configured in the context as an authentication script.

How is the user being set up? Are the user's credentials being set with
Username and Password fields?

Best regards.

ro...@cloverandgrape.com

Aug 24, 2018, 6:56:08 PM8/24/18
to OWASP ZAP User Group
Oh duh... case matters. Username != username.

It's working now! Thanks for replying.
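To make the behaviour discussed in this thread concrete, here is an added Python model of Zest-style token substitution. It is not code from the thread, from ZAP or from the Zest library; the script, the credential values and the helper names (token_pattern, substitute, unresolved_tokens, render_requests) are all constructed for this example. It renders a minimal script whose login request body carries {{Username}} / {{Password}} placeholders, replaces them using the tokenStart / tokenEnd markers from the "parameters" block, and reports any token whose name does not exactly match a provided variable, which is how the lowercase {{username}} mistake from the thread shows up before a request is ever sent.

```python
import json
import re

# Constructed, minimal Zest-like script (not a real ZAP recording).
# The first request uses the correctly cased tokens; the second repeats
# the lowercase mistake from the thread so the lint below can flag it.
ZEST_SCRIPT = json.loads("""{
  "about": "constructed example",
  "parameters": {
    "tokenStart": "{{",
    "tokenEnd": "}}",
    "tokens": {"Username": "", "Password": ""},
    "elementType": "ZestVariables"
  },
  "statements": [
    {
      "url": "https://app.example/login",
      "method": "POST",
      "data": "username={{Username}}&password={{Password}}",
      "elementType": "ZestRequest"
    },
    {
      "url": "https://app.example/login",
      "method": "POST",
      "data": "username={{username}}&password={{password}}",
      "elementType": "ZestRequest"
    }
  ],
  "elementType": "ZestScript"
}""")


def token_pattern(params):
    """Build a regex for tokenStart NAME tokenEnd using the script's own markers.
    Dots are allowed so names such as request.header also match."""
    start = re.escape(params["tokenStart"])
    end = re.escape(params["tokenEnd"])
    return re.compile(start + r"([A-Za-z0-9_.]+)" + end)


def substitute(text, params, variables):
    """Replace every token with variables[NAME]. The lookup is exact and
    case-sensitive; an unknown name is left in the text untouched."""
    pat = token_pattern(params)

    def repl(match):
        name = match.group(1)
        return variables[name] if name in variables else match.group(0)

    return pat.sub(repl, text)


def unresolved_tokens(text, params, variables):
    """Return (token, near_match) pairs for tokens no variable satisfies.
    near_match is the variable that differs only by case, or None."""
    pat = token_pattern(params)
    by_lower = {name.lower(): name for name in variables}
    return [(name, by_lower.get(name.lower()))
            for name in pat.findall(text)
            if name not in variables]


def render_requests(script, variables):
    """Substitute variables into every ZestRequest and attach the lint result."""
    params = script["parameters"]
    rendered = []
    for stmt in script["statements"]:
        if stmt.get("elementType") != "ZestRequest":
            continue
        body = stmt.get("data", "")
        rendered.append({
            "url": substitute(stmt["url"], params, variables),
            "data": substitute(body, params, variables),
            "unresolved": unresolved_tokens(body, params, variables),
        })
    return rendered


if __name__ == "__main__":
    creds = {"Username": "alice", "Password": "s3cret"}  # constructed values
    for req in render_requests(ZEST_SCRIPT, creds):
        print(req["data"], "| unresolved:", req["unresolved"])
```

Running the block prints the first body fully substituted and the second body still containing the literal {{username}} / {{password}} text, with the lint naming Username and Password as the case-only near matches. The same check can be run over a recorded script before wiring it into a context, so a mismatch is caught in the script rather than noticed in the History tab.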