Hello,
I am rather new to working with your wonderful ZAProxy and would like to thank you for your hard work first.
Right now I cannot get it to work the way I need.
I have a few applications that redirect to a central authentication application which uses another server with a different URL (different site). The auth-app uses form-based authentication.
If you can authenticate successfully, the auth-app redirects you back to the specific page of your original application you came from (the info where to return to is passed to the auth-app as a URL parameter).
I can't change the authentication process, because it is not in my hands and is well established for all the apps of the customer.
This leads to a few problems:
- The "Login Form Target URL" looks different depending on the page of the original app that you came from (changing parameter).
Does the "Login Form Target URL"-field in the ZAProxy-UI support regex?
- Because of this redirection to another site it seems to be impossible to spider the original-site with a user. Because every time the app tries to authenticate after hitting the "Logout" link for the first time it is "OUT OF SCOPE".
Am I missing something?
Is there a good workaround?
It seems "Spidering: Getting Out-of-scope Domains #1036" would at least solve part of the problem.
Regards,
Florian