Trouble implementing JSON Based Authentication in API with Juice Shop


PH

Feb 18, 2021, 7:37:31 AM2/18/21
to OWASP ZAP User Group

Hi, I am currently trying to implement JSON Based Authentication following the documentation here - https://www.zaproxy.org/docs/api/#json-based-authentication

So my code looks like the following:

import urllib.parse

# Assumed to be set up earlier in the script (not shown in the post):
#   zap          - a ZAPv2 client instance
#   context_name - name of the ZAP context, context_id - its numeric id
#   args.apikey  - the API key passed on the command line

def set_include_in_context():
    include_url = r'http://demo.owasp-juice.shop.*'
    zap.context.include_in_context(context_name, include_url)
    print('Configured include and exclude regex(s) in context')

def set_logged_in_indicator():
    # Raw strings so the \Q...\E regex quoting reaches ZAP unchanged.
    logged_in_regex = r'\Q<a href="logout.php">Logout</a>\E'
    logged_out_regex = r'(?:Location: [./]*login\.php)|(?:\Q<form action="login.php" method="post">\E)'

    zap.authentication.set_logged_in_indicator(context_id, logged_in_regex)
    zap.authentication.set_logged_out_indicator(context_id, logged_out_regex)
    print('Configured logged in indicator regex: ')

def set_json_based_auth():
    login_url = "http://demo.owasp-juice.shop/rest/user/login"
    # The linked ZAP docs show loginRequestData as a JSON body; ZAP replaces the
    # {%username%} and {%password%} placeholders with the user's credentials.
    login_request_data = '{"email": "{%username%}", "password": "{%password%}"}'

    json_based_config = 'loginUrl=' + urllib.parse.quote(login_url) + '&loginRequestData=' + urllib.parse.quote(
        login_request_data)
    zap.authentication.set_authentication_method(context_id, 'jsonBasedAuthentication', json_based_config)
    print('Configured JSON based authentication')

def set_user_auth_config():
    user = 'admin1'
    username = 'adm...@example.com'
    password = '12345'

    user_id = zap.users.new_user(context_id, user)
    user_auth_config = 'username=' + urllib.parse.quote(username) + '&password=' + urllib.parse.quote(password)
    zap.users.set_authentication_credentials(context_id, user_id, user_auth_config)
    # New users start disabled; enable this one so scans can run as it.
    zap.users.set_user_enabled(context_id, user_id, 'true')
    return user_id

def add_script():
    script_name = 'maintain-jwt.js'
    script_type = 'httpsender'
    file_name = '/zap/scripts/templates/httpsender/maintain-jwt.js'
    script_engine = 'Oracle Nashorn'
    # Remove any stale copy first so load() does not fail on a duplicate name.
    zap.script.remove(scriptname=script_name, apikey=args.apikey)
    zap.script.load(script_name, script_type, script_engine, file_name)
    zap.script.enable(scriptname=script_name, apikey=args.apikey)

My code then goes to run a zap.spider.scan() and a zap.ascan.scan()
and uploads the results to DefectDojo.

My question is how can I tell if this code is working, as I am not seeing any new results being populated in DefectDojo?

Have I missed something, or am I using the wrong scans?

Furthermore, I have looked at the UI in "/context/view/urls/" and cannot find "http://demo.owasp-juice.shop/rest/user/login" included under the context URLs, so I don't believe this is being scanned at all?!



Simon Bennetts

Feb 18, 2021, 8:00:09 AM2/18/21
to OWASP ZAP User Group
Don't try to get authentication working just via the API - it's way too hard.
Use the ZAP desktop to set up authentication - that way you can see exactly what's happening.
Once you've got it working then export the context and any other configuration (like script), import those into your test environment and retest there.

Cheers,

Simon

PH

Feb 18, 2021, 8:51:24 AM2/18/21
to OWASP ZAP User Group
For additional context, I am running ZAP in a container on Openshift and do not have access to the Desktop.

Simon Bennetts

Feb 18, 2021, 8:57:43 AM2/18/21
to OWASP ZAP User Group
And you don't have access to any other computer on which you can run ZAP?

If not then all I can do is wish you good luck :/

Simon Bennetts

Feb 18, 2021, 9:01:14 AM2/18/21
to OWASP ZAP User Group
But do note that if you are using Docker then you can access the ZAP desktop UI using WebSwing: https://www.zaproxy.org/blog/2021-02-03-run-zap-without-java-using-docker-and-webswing/

PH

Feb 18, 2021, 9:20:41 AM2/18/21
to OWASP ZAP User Group
Okay, thank you. Just to make sure I'm understanding this tool correctly - I would start up Webswing and use this to access the UI, then run my JSON authentication; I can then export the ContextId and run my Spider & scan against this to produce results?

Simon Bennetts

Feb 18, 2021, 12:14:25 PM2/18/21
to OWASP ZAP User Group
Exactly.
I have actually just recorded a ZAP Deep Dive video on this... but it's not published yet - that should happen next week.
I do recommend using a scan hook to check that your authentication is working.
The one I've used in the demo just contains:

def zap_pre_shutdown(zap):
  print(zap.stats.site_stats("http://192.168.0.40:8080/", "stats.auth"))

Cheers,

Simon
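As an added example (not Simon's hook and not ZAP project code), a fuller version of that scan hook: it reads the same zap.stats.site_stats() counters for the Juice Shop site named in the question, tallies the stats.auth.* keys and returns a verdict a CI job can act on. The site key and the counter names (stats.auth.success, stats.auth.failure, stats.auth.state.loggedin/loggedout) are assumptions to check against your own ZAP version.

```python
import sys

# Juice Shop site from the question; assumption: ZAP keys site stats by scheme://host[:port].
TARGET_SITE = "http://demo.owasp-juice.shop"

# Counters ZAP increments while authenticating (names assumed here).
AUTH_SUCCESS = "stats.auth.success"
AUTH_FAILURE = "stats.auth.failure"
STATE_IN = "stats.auth.state.loggedin"
STATE_OUT = "stats.auth.state.loggedout"

def _flatten(raw):
    """Tolerate the API client returning either a dict or a list of dicts."""
    if isinstance(raw, dict):
        return raw
    merged = {}
    for item in raw or []:
        if isinstance(item, dict):
            merged.update(item)
    return merged

def summarise_auth_stats(site_stats):
    """Reduce the stats.auth.* counters (values may be strings) to a verdict."""
    counts = {k: int(v) for k, v in _flatten(site_stats).items()
              if k.startswith("stats.auth")}
    success = counts.get(AUTH_SUCCESS, 0)
    failure = counts.get(AUTH_FAILURE, 0)
    logged_in = counts.get(STATE_IN, 0)
    logged_out = counts.get(STATE_OUT, 0)
    if not counts:
        verdict = "never-attempted"    # auth method/user never used by the scan
    elif failure > 0 and success == 0:
        verdict = "login-failed"       # loginRequestData or credentials wrong
    elif logged_out > logged_in:
        verdict = "mostly-logged-out"  # indicators or session handling wrong
    else:
        verdict = "ok"
    return {"verdict": verdict, "success": success, "failure": failure,
            "logged_in": logged_in, "logged_out": logged_out}

def zap_pre_shutdown(zap):
    """Hook entry point (passed via --hook): called with the live ZAPv2 client."""
    summary = summarise_auth_stats(zap.stats.site_stats(TARGET_SITE, "stats.auth"))
    print("auth stats for %s: %s" % (TARGET_SITE, summary))
    if summary["verdict"] != "ok":
        print("authentication does not look healthy: " + summary["verdict"], file=sys.stderr)
    return summary
```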

kingthorin+owaspzap

Feb 18, 2021, 1:56:25 PM2/18/21
to OWASP ZAP User Group
Your logged-in and logged-out indicators seem wrong; Juice Shop doesn't use PHP.

PH

Feb 19, 2021, 4:23:08 AM2/19/21
to OWASP ZAP User Group
I was a bit confused as to why it was referencing PHP, but I cannot see anything about what to set this as for Juice Shop in the docs.

Please could you help put me in the right direction as to what these should be set as? - If I'm right, loggedout should be "\Q{"user":{}}\E"?