Script Auth in AJAX Spider


Peter Karman

Nov 4, 2024, 9:52:40 AM
to ZAP User Group
Hello,
I am using script auth to authenticate my scans. I am able to use forced user mode and open a URL in the browser to see that the script authentication actually works. However, when I use AJAX spider or the regular spider, I am not being authenticated. I am selecting my context and the user to log in when running it. 

When I query the stats, I see none of the stats.authentication metrics which leads me to believe it is not even trying to authenticate. 

I'm wondering, is script auth supported in AJAX spider? If not, what forms are supported that also support CSRF tokens (form-based doesn't seem to capture a CSRF token for the request)? If it is, any tips on what I may be doing wrong?

Thanks

Peter Karman

Nov 4, 2024, 9:56:10 AM
to ZAP User Group

Also, I am able to see that it tries to authenticate without error in the logs:

2024-11-04 05:43:46,081 [Thread-2748] INFO  ScriptBasedAuthenticationMethodType - Loaded script:MyScript
2024-11-04 05:48:33,409 [ZAP-IO-Server-1-169] INFO  User - Authenticating user: **MYEMAIL**
2024-11-04 05:58:49,038 [ZAP-AjaxSpider] INFO  SpiderThread - Running Crawljax (with firefox-headless): Context: POST:sign_in()(authenticity_token,commit,user[email],user[password])
2024-11-04 05:58:49,041 [ZAP-AjaxSpider] INFO  SpiderThread - Starting proxy...
2024-11-04 05:58:49,048 [ZAP-AjaxSpider] INFO  SpiderThread - Proxy started, listening at port [62521].
2024-11-04 05:58:49,082 [ZAP-AjaxSpider] INFO  Plugins - Loaded org.zaproxy.zap.extension.spiderAjax.SpiderThread$DummyPlugin@722d65cd as a OnBrowserCreatedPlugin
2024-11-04 05:59:24,739 [ZAP-AjaxSpider] INFO  CrawlController - Received shutdown notice. Reason is Exausted
2024-11-04 05:59:25,407 [ZAP-AjaxSpider] INFO  CrawlController - Shutdown process complete
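As an added example (not from this thread and not one of ZAP's own templates), here is the kind of script-based authentication script Peter describes: it handles the CSRF token that form-based auth misses by fetching the login page, extracting authenticity_token, and posting it together with the credentials, using the field names visible in the log above. It assumes ZAP's JavaScript script engine, that ZAP's session handling carries the session cookie from the GET to the POST, and that the helper methods and Java class names match ZAP's authentication script template (check them against the template shipped with your ZAP version); the "Login URL" parameter and the sample page are constructed for illustration.

```javascript
// ZAP script-based authentication (JavaScript) for a Rails-style login form with a
// CSRF token. Field names mirror the log above: authenticity_token, commit, user[email], user[password].
// Constructed sample of the login page, used only to exercise the parser offline.
var SAMPLE_LOGIN_PAGE = '<form action="/users/sign_in" method="post">' +
  '<input type="hidden" name="authenticity_token" value="abc123+/=" />' +
  '<input type="email" name="user[email]" /></form>';
// Pull the hidden authenticity_token out of the login page. Attribute order
// varies between frameworks, so match the tag first and the value second.
function extractAuthenticityToken(html) {
  var input = /<input[^>]*name=["']authenticity_token["'][^>]*>/i.exec(html);
  if (!input) return null;
  var value = /value=["']([^"']*)["']/i.exec(input[0]);
  return value ? value[1] : null;
}

// Build the URL-encoded body the application expects (user[...] keys encoded).
function buildLoginBody(token, email, password) {
  return "authenticity_token=" + encodeURIComponent(token) +
    "&user%5Bemail%5D=" + encodeURIComponent(email) +
    "&user%5Bpassword%5D=" + encodeURIComponent(password) +
    "&commit=" + encodeURIComponent("Log in");
}

// Entry point ZAP calls whenever a user needs (re)authentication.
function authenticate(helper, paramsValues, credentials) {
  var HttpRequestHeader = Java.type("org.parosproxy.paros.network.HttpRequestHeader");
  var HttpHeader = Java.type("org.parosproxy.paros.network.HttpHeader");
  var URI = Java.type("org.apache.commons.httpclient.URI");
  var loginUrl = new URI(paramsValues.get("Login URL"), false);

  // 1. GET the login page so the session cookie and CSRF token are fresh.
  var page = helper.prepareMessage();
  page.setRequestHeader(new HttpRequestHeader(HttpRequestHeader.GET, loginUrl, HttpHeader.HTTP11));
  helper.sendAndReceive(page, true);
  var token = extractAuthenticityToken(page.getResponseBody().toString());
  if (token === null) throw "authenticity_token not found on " + loginUrl;

  // 2. POST credentials plus the token; ZAP's session handling carries the cookie over (assumption).
  var login = helper.prepareMessage();
  login.setRequestHeader(new HttpRequestHeader(HttpRequestHeader.POST, loginUrl, HttpHeader.HTTP11));
  login.getRequestHeader().setHeader(HttpHeader.CONTENT_TYPE, "application/x-www-form-urlencoded");
  login.setRequestBody(buildLoginBody(token, credentials.getParam("Username"), credentials.getParam("Password")));
  login.getRequestHeader().setContentLength(login.getRequestBody().length());
  helper.sendAndReceive(login, false);
  return login; // ZAP checks this response against the context's logged-in/out indicators
}
function getRequiredParamsNames() { return ["Login URL"]; }
function getOptionalParamsNames() { return []; }
function getCredentialsParamsNames() { return ["Username", "Password"]; }
```

Once loaded as an Authentication script and selected for the context, the stats.authentication counters Peter looked for should start moving when the spider or AJAX spider runs with that context and user.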

Simon Bennetts

Nov 5, 2024, 6:58:49 AM
to ZAP User Group
Hiya,

DO NOT use forced user mode in automation. I'll try to make that much clearer in the docs.
For anything authentication related this should be your starting point: https://www.zaproxy.org/docs/authentication/

Cheers,

Simon