Testing a site protected by basic authentication seems unnecessarily hard


Jürgen

Jun 23, 2017, 4:51:39 AM6/23/17
to OWASP ZAP User Group
Hi,

I am a Python web developer and a light user of the ZAP application.

I used ZAP to test some of our applications, and now tried to test one which is secured by basic auth.

When you visit a basic auth protected site in the browser, you get a popup and have to enter username / password. So how hard can it be to make that work in ZAP?

First, I entered the URL in the "Quick start / URL to attack" field.
=> "Failed to attack the URL: received a 401 response code"

Ah well, I know, why don't you give me a popup so I could enter the credentials? Or at least a hint which points to an appropriate help page? And why does the URL not get included in the left window at "sites"?

I also tried to enter "username:pass...@example.com" - also did not work - same error message.

Next, I googled for a solution. I found the video of Cosmin Stefan about authentication, but could not follow it, as I could not manage to make my URL shown in the left "sites" area.

Next, I tried to enter credentials via "context" configuration.... tried lots of variations... did not work.

Next, I remembered having used the "proxy mode" via Firefox -> ZAP some time ago.

While searching for the proxy settings in the "tools" menu, I stumbled upon the "ZAP Jx Browser" entry.

Launched it, entered the URL, no popup asking for credentials, 401 again... 
Hm, entered "username:pass...@example.com" in ZAP Jx Browser.. hoooray! It worked!

As transmitting credentials in the URL seems deprecated ( https://developer.mozilla.org/en-US/docs/Web/HTTP/Authentication ), I really wanted to figure out how to get authenticated via "context settings".

I wrote down all steps I unsuccessfully tried to make it easier for you to find the error I made.

While compiling the information and the steps what I did so I could ask you, I eventually made basic auth work:
- as quick start does not work, start a new Spider scan and enter my url
- in the upper left window include my site to context
- in session properties at "Authentication" change manual to HTTP auth
- change hostname, port, realm
- create a user by entering his username twice (oO, User Name and Username) and password
- at "Session Management" switch from cookie-based session management to HTTP auth (hm, why again? I did choose HTTP auth already at the "Authentication" tab)
- pray it works :-)

Is this the intended way?

At my first attempts I missed two steps:
- I had left the auth option at manual, as I thought, well, I'll be given a popup then (yeah, only if you configure the proxy beforehand and use Firefox; when you choose manual, it just says "This is fully configured" - instead of, well, you gotta configure the proxy setup first)
- I had not touched the "Sessions Management" options, as I thought choosing HTTP auth at option "Authentication" should do it

Anyway, thank you so much for providing this invaluable tool!

Best,
Jürgen
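The step list above maps one-to-one onto ZAP's API, so the same configuration can be scripted instead of clicked through. The following is an added example written for this thread, not code from the original post or from the ZAP project. It assumes the ZAP Python API client (the zapv2 module) with its `context`, `authentication`, `users`, `sessionManagement` and `spider` components, the method names `httpAuthentication` and `httpAuthSessionManagement`, and the `hostname`/`realm`/`port` and `username`/`password` parameter keys; the `OfflineZapStub` class and the sample 401 headers are constructed here so the flow runs without a live ZAP. The helpers also show what the browser popup actually does on the wire (a `Basic base64(user:pass)` header resent on every request, which is why HTTP auth has to be selected for session management as well as authentication) and how to pull credentials out of the deprecated `user:pass@host` URL form so they can live in the context instead.

```python
import base64
import re
from urllib.parse import quote, urlsplit

# Constructed sample: the headers a basic-auth protected site returns on the first,
# unauthenticated request. The realm is one of the values ZAP's HTTP auth dialog asks for.
SAMPLE_401_HEADERS = {
    "Status": "401 Unauthorized",
    "WWW-Authenticate": 'Basic realm="Example Protected Area", charset="UTF-8"',
}


def parse_basic_realm(www_authenticate):
    """Return the realm from a 'WWW-Authenticate: Basic realm=...' challenge,
    or None if the challenge is not a Basic challenge."""
    m = re.match(r"\s*Basic\s+(.*)", www_authenticate, re.IGNORECASE)
    if not m:
        return None
    params = dict(re.findall(r'(\w+)\s*=\s*"?([^",]*)"?', m.group(1)))
    return params.get("realm")


def basic_authorization_header(username, password):
    """Build the header value a browser sends after the credentials popup.
    Basic auth has no session: this header is repeated on every request."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def split_credentials_from_url(url):
    """Accept the deprecated 'https://user:pass@host/' form and return
    (url without credentials, username, password)."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.port:
        host = f"{host}:{parts.port}"
    return parts._replace(netloc=host).geturl(), parts.username, parts.password


def configure_http_auth_context(zap, context_name, target_url, username, password, realm):
    """Replicate the GUI steps from the thread through the ZAP API (assumed zapv2 client):
    new context -> include URL -> HTTP authentication -> user with credentials ->
    HTTP auth session management -> spider as that user. Returns (context, user, scan) ids."""
    parts = urlsplit(target_url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    context_id = zap.context.new_context(context_name)
    zap.context.include_in_context(context_name, re.escape(target_url) + ".*")
    # Config params are passed as one query-style string, so each value is URL-encoded.
    zap.authentication.set_authentication_method(
        context_id, "httpAuthentication",
        f"hostname={quote(parts.hostname, safe='')}&realm={quote(realm, safe='')}&port={port}")
    user_id = zap.users.new_user(context_id, username)
    zap.users.set_authentication_credentials(
        context_id, user_id,
        f"username={quote(username, safe='')}&password={quote(password, safe='')}")
    zap.users.set_user_enabled(context_id, user_id, "true")
    zap.sessionManagement.set_session_management_method(context_id, "httpAuthSessionManagement")
    scan_id = zap.spider.scan_as_user(context_id, user_id, target_url)
    return context_id, user_id, scan_id


class OfflineZapStub:
    """Constructed stand-in for zapv2.ZAPv2 so the flow can be exercised offline.
    Every call is recorded in .calls; id-returning calls hand back fixed ids."""

    def __init__(self):
        self.calls = []

    def __getattr__(self, component):
        stub = self

        class _Component:
            def __getattr__(self, method):
                def call(*args):
                    stub.calls.append((component, method, args))
                    return {"new_context": "1", "new_user": "0", "scan_as_user": "7"}.get(method, "OK")
                return call

        return _Component()


if __name__ == "__main__":
    # Against a real instance: zap = zapv2.ZAPv2(apikey="...", proxies={...}) (assumed client).
    clean_url, user, pw = split_credentials_from_url("https://alice:s3cret@example.com/app/")
    realm = parse_basic_realm(SAMPLE_401_HEADERS["WWW-Authenticate"])
    zap = OfflineZapStub()
    print(configure_http_auth_context(zap, "basic-auth-app", clean_url, user, pw, realm))
    for call in zap.calls:
        print(call)
```

Run as-is it prints the recorded API call sequence; swap the stub for a real `ZAPv2` client and the same function configures the context and starts the authenticated spider.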



Simon Bennetts

Jun 23, 2017, 12:05:32 PM6/23/17
to OWASP ZAP User Group
Hi Jürgen,

Yes, we clearly could do a lot better here :/
The Quick Scan does deliberately avoid handling authentication as it's typically non-trivial to handle.
We could make it much easier for basic auth, however I never see sites protected with this so it's not something I really think about. Does anyone else see many of them?

We have a proposed project for identifying HTML authentication forms, but so far it's not been selected by any of the students that have worked on ZAP recently.
I'd be happy to work on this myself, but right now I just don't have the time :/

Anyone fancy diving into this?

Cheers,

Simon

On Friday, 23 June 2017 09:51:39 UTC+1, Jürgen wrote: