Dynamic Authentication using ZEST script by providing username and password credentials through an external file.


Lax

Mar 4, 2024, 3:44:29 AM
to ZAP User Group
Hello,

What do I have?
  • I have a modern web application.
  • A working Zest authentication Script.
  • A working Zap Context that is properly configured as follows:
    • Authentication : Script Based (using the above Zest script)
    • Verification Strategy: Poll for a specific URL and check for correct logged in and logged out indicators
    • Users : Username and Password
    • Session Management: Cookie Based
So in forced user mode when I poll for the home URL of my website, I get a successful login into the website if I am logged out.

What is the problem ?
If there is a reset of the username or password, since the Zest script and the ZAP context are hardcoded with the username and password, I need to make changes everywhere. I don't need any other tokens, just the username and password.

What have I done currently?
For the Zest script I am using a variable for Username and Password and defining it at the start of the script and passing those variables as values to the Body of the Requests made in the Login POST request of the website URL.

What do I want to achieve?
I want to provide the Username and Password to the Zest Script variables defined at the start of the script and the Zap Context through an env file from outside as my final goal is to automate the entire scan process using either the automation framework or the ZAP API and integrate this tool into the website's CI/CD Pipeline.
How can I achieve this?

Why am I using a Zest Script?

That is because my website has the username and password on different pages and there are multiple redirects in between, so it was recommended that I record a Zest script for authentication.

Have I tried the authentication tester tool?

Yes, I have tried it, and for some reason it does not work well for my application, even when given the correct logged in and logged out indicators that work well with the above Zest script-based authentication context.

Thank you
Lax

Simon Bennetts

Mar 4, 2024, 4:48:03 AM
to ZAP User Group
Hi Lax,

There is currently no way for Zest to directly access env vars or files.
So a good work around would be to set those via another script type, e.g. JavaScript.
That script can read them from env vars, a file, or from wherever you like.

Cheers,

Simon
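As an added example (not Simon's or the ZAP project's code) of the same idea applied one step earlier in a CI pipeline: instead of a ZAP-side JavaScript script, a small pre-processing step reads the credentials from the process environment or a `.env` file and rewrites the variable assignments at the top of the recorded Zest script before ZAP is started. The Zest JSON field names (`elementType`, `ZestAssignString`, `variableName`, `string`), the `ZAP_USERNAME`/`ZAP_PASSWORD` names and the sample script are assumptions made for this example.

```python
import copy
import os

# Minimal .env parser: KEY=VALUE lines, '#' comments, optional surrounding quotes.
def load_env_file(text):
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            values[key.strip()] = value.strip().strip('"').strip("'")
    return values

# Process environment wins over the .env file, so CI secrets override local defaults.
def credentials_from_environment(env_file_text="", environ=None):
    environ = os.environ if environ is None else environ
    creds = load_env_file(env_file_text)
    creds.update({k: v for k, v in environ.items() if k.startswith("ZAP_")})
    return creds

# Return a copy of the parsed Zest script with the top-level ZestAssignString
# statements named in `mapping` (Zest variable -> env var) set from `creds`.
# The script itself is never logged, so the secrets do not end up in CI output.
def inject_credentials(zest, creds, mapping=None):
    mapping = mapping or {"username": "ZAP_USERNAME", "password": "ZAP_PASSWORD"}
    script = copy.deepcopy(zest)
    replaced = set()
    for stmt in script.get("statements", []):
        var = stmt.get("variableName")
        if stmt.get("elementType") != "ZestAssignString" or var not in mapping:
            continue
        env_name = mapping[var]
        if env_name not in creds:
            raise KeyError(f"missing credential {env_name} for Zest variable {var}")
        stmt["string"] = creds[env_name]
        replaced.add(var)
    missing = sorted(set(mapping) - replaced)
    if missing:  # fail loudly rather than scanning with the recorded placeholder values
        raise ValueError(f"Zest script has no assignment for: {missing}")
    return script

# Constructed sample of a recorded Zest script skeleton (assumed field names).
SAMPLE_ZEST = {
    "zestVersion": "0.8", "title": "login", "elementType": "ZestScript",
    "statements": [
        {"index": 1, "elementType": "ZestAssignString", "variableName": "username", "string": "recorded-user"},
        {"index": 2, "elementType": "ZestAssignString", "variableName": "password", "string": "recorded-pass"},
        {"index": 3, "elementType": "ZestRequest", "method": "POST", "url": "https://example.test/login",
         "data": "user={{username}}&pass={{password}}"},
    ],
}
```

In a pipeline the rewritten script is written to a temporary file that ZAP loads, and the `.env` file stays out of version control.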

Lax

Mar 12, 2024, 5:01:06 AM
to ZAP User Group
Thank you, Simon. I will explore the above solution.

On another note, I have created an automation plan with the context mentioned in the previous message. How do I know for sure that the AJAX Spider is running properly? It does not show any URLs on the AJAX Spider tab and takes about 5 mins, and normal spidering takes around 7 mins the first time. This is in the ZAP UI.
When I ran the YAML file on the command line, it did not run the AJAX Spider; it finished in 0 time.

Regards,
Lax
Ajax.png

Simon Bennetts

Mar 12, 2024, 5:18:07 AM
to ZAP User Group
Hi Lax,

That sounds like the AJAX Spider is not running then :)
In the plan you can add statistic jobs tests to check that everything is working in the way you expect: https://www.zaproxy.org/docs/desktop/addons/automation-framework/test-stats/

To diagnose problems with the AJAX Spider have a look in the zap.log file: https://www.zaproxy.org/faq/somethings-not-working-what-should-i-do/#check-the-log-file
The most likely problem is that the webdrivers are not up to date.

Cheers,

Simon

Lax

Apr 2, 2024, 2:44:49 AM
to ZAP User Group
Hi Simon,

Thank you for the quick response.

I tried adding the test-stats and yes, the ajaxSpider is failing. Could you let me know how to update the webdrivers?

I also tried adding a stats.auth.state.loggedin test for the requestor job. Although the site I am hitting responds with the logged in indicator in the response body of the URL, the test is still failing. What could be the possible reason for that?
requestor test failed.png
Regards,

Lax

Simon Bennetts

Apr 4, 2024, 12:26:27 PM
to ZAP User Group
Hi Lax,

If you are using the desktop then there's a button on the main toolbar for checking for updates.
When running ZAP from the command line you can use the "-addonupdate" option as per https://www.zaproxy.org/docs/desktop/cmdline/

It's impossible for me to say what's going wrong without a lot more information.
For lots more info about authentication see https://www.zaproxy.org/docs/authentication/

Cheers,

Simon