Issue with Generating Output File During Authenticated Scan in ZAP


Rom ain

May 26, 2023, 4:54:43 AM5/26/23
to OWASP ZAP User Group

Hello,
I'm trying to launch an authenticated scan from ZAP on the command line against Juice Shop.

I have set up the context using the session management script and the correct parameters.

Authentication works perfectly, and scans launched from the ZAP GUI also work.

I created a PLAN with my context and then exported it to YAML to execute it.

When I launch it: zap.bat -cmd -quickprogress -autorun plan_juiceshop.yaml -port 8090 -quickout test_2.html

I get the following result:

C:\Program Files\OWASP\Zed Attack Proxy>java -Xmx512m -jar zap-2.12.0.jar -cmd -quickprogress -autorun plan_juiceshop.yaml -port 8090 -quickout run_1.html
Job authentication set method = json
Job authentication set parameters = {loginRequestBody={"email":"{%username%}","password":"{%password%}"}, loginPageUrl=http://localhost:3000/rest/user/login, loginRequestUrl=http://localhost:3000/rest/user/login}
Job verification set method = response
Job verification set loggedOutRegex = \Q{"user":{}}\E
Job verification set pollFrequency = 60
Job verification set pollUnits = requests
Job verification set pollUrl =
Job verification set pollPostData =
Job sessionManagement set method = script
Job sessionManagement set parameters = {script=C:\Users****\OWASP ZAP\scripts\scripts\session\JuiceShopsession.js, scriptEngine=Graal.js}
Job users set name = romthy
Job users set credentials = {password=azerty123, username=****@gmail.com}
Job activeScan started
Job activeScan finished, time taken: 00:00:00
Automation plan succeeded!

Everything seems to be working perfectly, but no output file is being created.

However, the quickout parameter is specified.

Simon Bennetts

May 26, 2023, 5:01:49 AM5/26/23
to OWASP ZAP User Group
I'm afraid the "quick scan" command line options are incompatible with the Automation Framework (AF).
You will need to remove the "-quickprogress" and "-quickout" options.
You can generate reports via the AF using the report job: https://www.zaproxy.org/docs/desktop/addons/report-generation/automation/

It's worth noting that:
  • Juice Shop is a modern web app, so you will need to explore it using the AJAX Spider
  • The AJAX Spider will not be authenticated as Juice Shop maintains user data in the browser
  • We will be publishing an Automation Plan soon for Juice Shop which will do everything correctly :)

Cheers,

Simon

Rom ain

May 26, 2023, 5:17:01 AM5/26/23
to OWASP ZAP User Group

Thank you for your response.
Is the report generation compatible with using my plan through the command line?

Simon Bennetts

May 26, 2023, 5:22:37 AM5/26/23
to OWASP ZAP User Group
The Automation Framework is designed to be used from the command line, but is also supported in the desktop GUI.
All of the jobs listed on https://www.zaproxy.org/docs/automate/automation-framework/ will work from the command line and the GUI.

Cheers,

Simon

Rom ain

May 26, 2023, 6:02:52 AM5/26/23
to OWASP ZAP User Group
I still have a little problem...

I modified my yaml plan to add report generation:
env:
  contexts:
    - name: "localhost"
      urls:
        - "http://localhost:3000"
      includePaths:
        - "http://localhost:3000.*"
      excludePaths: []
      authentication:
        method: "json"
        parameters:
          loginPageUrl: "http://localhost:3000/rest/user/login"
          loginRequestUrl: "http://localhost:3000/rest/user/login"
          loginRequestBody: "{\"email\":\"{%username%}\",\"password\":\"{%password%}\"}"
        verification:
          method: "response"
          loggedOutRegex: "\\Q{\"user\":{}}\\E"  # leading space removed: the regex must match the raw body
          pollFrequency: 60
          pollUnits: "requests"
          pollUrl: ""
          pollPostData: ""
      sessionManagement:
        method: "script"
        parameters:
          script: "C:\\Users\\****\\OWASP ZAP\\scripts\\scripts\\session\\JuiceShopsession.js"
          scriptEngine: "Graal.js"
      technology:
        exclude: []
      users:
        - name: "romthy"
          credentials:
            password: "azerty123"
            username: "****@gmail.com"
  parameters:
    failOnError: true
    failOnWarning: false
    progressToStdout: true
  vars: {}

jobs:
  - parameters: {}
    policyDefinition:
      rules: []
    name: "activeScan"
    type: "activeScan"

  - type: report
    parameters:
      template: "C:\\Users\\***\\OWASP ZAP\\reports\\traditional-json"
      reportFile: "zap-report"
      reportTitle: "ZAP Scanning Report"
      reportDescription: ""

I got the following error when running:

C:\Program Files\OWASP\Zed Attack Proxy>zap.bat -cmd -port 8090 -autorun plan_juiceshop_report.yaml

C:\Program Files\OWASP\Zed Attack Proxy>if exist "C:\Users\****\OWASP ZAP\.ZAP_JVM.properties" (set /p jvmopts= 0<"C:\Users\***\OWASP ZAP\.ZAP_JVM.properties" )  else (set jvmopts=-Xmx512m )

C:\Program Files\OWASP\Zed Attack Proxy>java -Xmx512m -jar zap-2.12.0.jar -cmd -port 8090 -autorun plan_juiceshop_report.yaml

Job authentication set method = json
Job authentication set parameters = {loginRequestBody={"email":"{%username%}","password":"{%password%}"}, loginPageUrl=http://localhost:3000/rest/user/login, loginRequestUrl=http://localhost:3000/rest/user/login}
Job verification set method = response
Job verification set loggedOutRegex =  \Q{"user":{}}\E
Job verification set pollFrequency = 60
Job verification set pollUnits = requests
Job verification set pollUrl =
Job verification set pollPostData =
Job sessionManagement set method = script
Job sessionManagement set parameters = {script=C:\Users\****\OWASP ZAP\scripts\scripts\session\JuiceShopsession.js, scriptEngine=Graal.js}

Job users set name = romthy
Job users set credentials = {password=azerty123, username=****@gmail.com}
Job report set template = C:\Users\***\OWASP ZAP\reports\traditional-json
Job report set reportFile = zap-report
Job report set reportTitle = ZAP Scanning Report
Job report set reportDescription =
Job report invalid template: C:\Users\****\OWASP ZAP\reports\traditional-json
Automation plan failures:
        Job report invalid template: C:\Users\****\OWASP ZAP\reports\traditional-json
The template path is still valid

Thank you for your help

Simon Bennetts

May 26, 2023, 6:06:56 AM5/26/23
to OWASP ZAP User Group
The template parameter is wrong.
As per https://www.zaproxy.org/docs/desktop/addons/report-generation/automation/ it is the template ID, and the default is given as "traditional-html".
The IDs are listed on https://www.zaproxy.org/docs/desktop/addons/report-generation/templates/ so you probably want to use "traditional-json".

Cheers,

Simon
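
Putting the two corrections from this thread together, here is an added example of the jobs section of an Automation Framework plan that writes a JSON report. It is not code from the thread or from the ZAP project; the env/context block is assumed to be the one already posted above, the reportDir value is a hypothetical path, and the plan is run without the -quickprogress/-quickout options (zap.bat -cmd -port 8090 -autorun plan_juiceshop_report.yaml). The parameter names are those documented for the report job.

```yaml
# Added example, not from the original post or the ZAP docs.
# Assumes the "env:" block with the "localhost" context shown earlier in the thread.
jobs:
  - type: activeScan
    name: activeScan
    parameters:
      context: localhost      # run the scan inside the authenticated context
      user: romthy            # user defined in env.contexts[].users
    policyDefinition:
      rules: []

  - type: report
    name: json-report
    parameters:
      # WRONG: a filesystem path to the template directory, which ZAP rejects
      # with "Job report invalid template":
      # template: "C:\\Users\\***\\OWASP ZAP\\reports\\traditional-json"
      #
      # RIGHT: the template ID from the templates list
      # (https://www.zaproxy.org/docs/desktop/addons/report-generation/templates/)
      template: traditional-json
      reportDir: "C:\\zap-output"              # hypothetical output directory (assumption)
      reportFile: "{{yyyy-MM-dd}}-juiceshop"   # file name pattern; date placeholder is expanded
      reportTitle: ZAP Scanning Report
      reportDescription: ""
      displayReport: false                     # do not try to open the file from a headless run
```

Because env.parameters.failOnError is true in the posted plan, a bad template ID still makes the run end with "Automation plan failures" and a non-zero exit code, which is what a CI pipeline should key on; the report file only appears when the plan as a whole succeeds.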

Rom ain

May 26, 2023, 9:30:24 AM5/26/23
to OWASP ZAP User Group
Thank you very much for your help, I succeeded. So according to your previous message, it is impossible to do a spider-ajax scan while being authenticated on modern websites?

Simon Bennetts

May 26, 2023, 9:34:53 AM5/26/23
to OWASP ZAP User Group
No, it's not impossible, just a little bit harder than we would like right now.

You have 2 choices:
  1. Use browser-based auth and configure the Selenium integration as per https://www.zaproxy.org/docs/desktop/addons/authentication-helper/browser-auth/#selenium-integration
  2. Or handle auth yourself and inject the relevant tokens using a Selenium script, as per https://www.zaproxy.org/blog/2023-02-01-authenticating-using-selenium/
The plan is to change the AJAX Spider to detect that browser-based auth is in use and then do the Selenium integration for you, but for now you have to do it yourself.

Cheers,

Simon

Rom ain

May 26, 2023, 11:01:51 AM5/26/23
to OWASP ZAP User Group
Thank you. So, I tried to set up Selenium for Juice Shop using the documentation you provided after correctly configuring the paths, and now I'm encountering the following error with the Oracle Nashorn engine.

C:\Program Files\OWASP\Zed Attack Proxy>if exist "C:\Users\***\OWASP ZAP\.ZAP_JVM.properties" (set /p jvmopts= 0<"C:\Users\***\OWASP ZAP\.ZAP_JVM.properties" )  else (set jvmopts=-Xmx512m )

C:\Program Files\OWASP\Zed Attack Proxy>java -Xmx512m -jar zap-2.12.0.jar -cmd -port 8090 -autorun juiceshop-test.yaml
Job authentication set method = script
Job authentication set parameters = {script=JuiceShopAuthentication.js, scriptEngine=Oracle Nashorn}
Job verification set method = poll
Job verification set loggedInRegex = \Q{"user":{"id":\E

Job verification set pollFrequency = 60
Job verification set pollUnits = requests
Job verification set pollUrl = http://localhost:3000/rest/user/whoami

Job verification set pollPostData =
Job sessionManagement set method = script
Job sessionManagement set parameters = {script=JuiceShopSession.js, scriptEngine=Oracle Nashorn}
Job users set name = test
Job passiveScan-config set scanOnlyInScope = true
Job passiveScan-config set enableTags = false
Job script set action = add
Job script set type = httpsender
Unrecognised parameter for job script : scriptEngine
Job script set name = JuiceShopHttpSender.js
Job script set file = JuiceShopHttpSender.js
Job script set target =
Job script set action = add
Job script set type = selenium
Unrecognised parameter for job script : scriptEngine
Job script set name = JuiceShopSelenium.js
Job script set file = JuiceShopSelenium.js
Job script set target =
Job request - check auth works set user = test
Job request - check auth works set url = http://localhost:3000/
Job request - check auth works/stats set onFail = Erreur
Job request - check auth works/stats set statistic = stats.auth.success
Job request - check auth works/stats set site = http://localhost:3000
Job request - check auth works/stats set operator = >=
Job request - check auth works/stats set value = 1
Job request - check auth works/stats set name = At least 1 successful login
Job request - check auth works/stats set type = stats
Job requestor adding test of type stats : At least 1 successful login
Job request - check auth works/stats set onFail = Erreur
Job request - check auth works/stats set statistic = stats.auth.failure
Job request - check auth works/stats set site = http://localhost:3000
Job request - check auth works/stats set operator = <=
Job request - check auth works/stats set value = 0
Job request - check auth works/stats set name = No login failures
Job request - check auth works/stats set type = stats
Job requestor adding test of type stats : No login failures
Unexpected error accessing file C:\Program Files\OWASP\Zed Attack Proxy\juiceshop-test.yaml : No such engine: Oracle Nashorn - see log for details
Cannot invoke "org.zaproxy.addon.automation.AutomationProgress.hasErrors()" because "progress" is null
Do you have any idea what could be causing the problem?

Simon Bennetts

May 26, 2023, 11:10:51 AM5/26/23
to OWASP ZAP User Group
"Install Java 11 - unfortunately we currently have to use Oracle Nashorn for the Selenium scripting which is not available in later versions of Java"

Rom ain

May 26, 2023, 11:35:43 AM5/26/23
to OWASP ZAP User Group
Thank you very much, it works now.