diff --git a/docs/testapps/altoroj/index.html b/docs/testapps/altoroj/index.html index d7972a59f9..e396713f00 100644 --- a/docs/testapps/altoroj/index.html +++ b/docs/testapps/altoroj/index.html @@ -346,6 +346,91 @@
Authentication is a bit different for the API.
+You need to make a POST request to the /api/login with the credentials in JSON format: {"username":"jsmith","password":"demo1234"}. Which responds with a an Authorization token which then needs to be sent via the Authorization header on requests to other parts of the API. Session/token validity can be verified by making a GET request to /api/login then checking the response code (200 OK vs 401 Unauthorized).
env:
+ contexts:
+ - name: testfire_api
+ urls:
+ - https://demo.testfire.net
+ includePaths:
+ - https://demo.testfire.net.*
+ excludePaths:
+ - https://demo.testfire.net/api/logout
+ authentication:
+ method: json
+ parameters:
+ loginRequestBody: "{\"username\":\"{%username%}\",\"password\":\"{%password%}\"\
+ }"
+ loginPageUrl: ""
+ loginRequestUrl: https://demo.testfire.net/api/login
+ verification:
+ method: poll
+ loggedInRegex: 200 OK
+ loggedOutRegex: 401 Unauthorized
+ pollFrequency: 60
+ pollUnits: seconds
+ pollUrl: https://demo.testfire.net/api/login
+ pollPostData: ""
+ sessionManagement:
+ method: headers
+ parameters:
+ Authorization: "{%json:Authorization%}"
+ technology: {}
+ structure: {}
+ users:
+ - name: jsmith
+ credentials:
+ password: demo1234
+ username: jsmith
+ parameters: {}
+You can then use an OpenAPI Import job to explore the API prior to active scanning.
+ + + +++ ++ 📝 + + Note + +
+ +++The traffic will be passively scanned during import.
+
- type: openapi
+ parameters:
+ apiUrl: https://demo.testfire.net/swagger/properties.json
+ context: testfire_api
+ user: jsmith
+You can then active scan as you see fit.
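Review bot: the new paragraph at `+You need to make a POST request to the /api/login ...` has a typo and a sentence fragment: `Which responds with a an Authorization token` should be joined to the preceding sentence, e.g. `... in JSON format: {"username":"jsmith","password":"demo1234"}. The response contains an Authorization token, which must then be sent in the Authorization header on requests to other parts of the API.` It would also help to say that the login response is JSON with a field named `Authorization`, because the `Authorization: "{%json:Authorization%}"` entry under `sessionManagement` depends on exactly that field name. Two smaller points on the env block: the `excludePaths` entry for `https://demo.testfire.net/api/logout` is what keeps the session alive while the API is explored, but the text never says so; one sentence (`/api/logout is excluded so that exploring the API does not end the session`) would stop readers from deleting it. And the `loginRequestBody` value is split across two lines with a trailing `\` inside the double-quoted scalar, which YAML accepts but which is easy to break when copied; a single-quoted one-liner (`loginRequestBody: '{"username":"{%username%}","password":"{%password%}"}'`) avoids the escaping altogether.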
+ + + +++ diff --git a/search/index.json b/search/index.json index b871845da3..85656c2c05 100644 --- a/search/index.json +++ b/search/index.json 
@@ -4997,7 +4997,7 @@ "keywords": ["","/","altoroj","testfire.net"], "tags": null, "summary": "\u003ch3 id=\"overview\"\u003eOverview \u003ca class=\"header-link\" href=\"#overview\"\u003e\u003csvg class=\"fill-current o-60 hover-accent-color-light\" height=\"22px\" viewBox=\"0 0 24 24\" width=\"22px\" xmlns=\"http://www.w3.org/2000/svg\"\u003e\u003cpath d=\"M0 0h24v24H0z\" fill=\"none\"/\u003e\u003cpath d=\"M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z\" fill=\"currentColor\"/\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/h3\u003e\n\u003cp\u003eAltoroJ, also known as Altoro Mutual and Testfire, is an open source sample banking J2EE web application\nmaintained by \u003ca href=\"https://www.hcl-software.com/\"\u003eHCL Software\u003c/a\u003e.\u003c/p\u003e", - "content": "overview altoroj also known altoro mutual testfire open source sample banking j2ee web application maintained by hcl software traditional app created 2008 not updated very often online: https:demotestfirenet repo: https:githubcomhcltechsoftwarealtoroj quick start new zap just want quickly run against these commands: download recommended plan using curl use any other suitable tool https:rawgithubusercontentcomzaproxycommunityscriptsrefsheadsmainotherafplansfullscantestfireauthyaml stable docker image mapping cwd that can access file system export report pwd:zapwrk:rw zaproxyzapstable zapsh cmd autorun wrkfullscantestfireauthyaml command windows see relevant documentation you will need have installed do then course install locally create html your containing full details all issues found further resultsresults below potential pitfalls online which may unavailable broken point running local version give more consistent results authentication users username password: admin jsmith demo1234 browser based successfully authenticate identify 
session handling verification client script zest available here: testfirezst environment env: contexts: name: urls: http:demotestfirenet includepaths: authentication: method: parameters: loginpageurl: https:demotestfirenetloginjsp loginpagewait: browserid: firefox verification: poll loggedinregex: 200 oke loggedoutregex: 302 founde pollfrequency: 60 pollunits: seconds pollurl: https:demotestfirenetbankmainjsp pollpostdata: 3434 sessionmanagement: headers users: credentials: username: note there exclude paths added definition logout avoidance used spider job example dologin left included impacted sqli vulnerability crawling spiders crawl we recommend following configuration: type: context: user: url: logoutavoidance: true ajax link: spiderajax firefoxheadless excludedelements: description: element: text: sign off scanning believe definitive list vulnerabilities altoroj: https:helphclsoftwarecomappscanasocjapdfsampledastreportpdf too surprisingly configure activescan probably generate vuln disposition cross site scripting reflected http:testfirenetbankcustomizejsp positive http:testfirenetbankqueryxpathjsp http:testfirenetsearchjsp http:testfirenetsendfeedback sql injection http:testfirenetbankccapply https:testfirenetdologin https:demotestfirenetbankshowtransactions false negative external redirect pii disclosure https:testfirenetbankmainjsp content security policy csp header set absence anticsrf tokens missing anticlickjacking relative path confusion secure pages include mixed including scripts sub resource integrity attribute insecure http method code " + "content": "overview altoroj also known altoro mutual testfire open source sample banking j2ee web application maintained by hcl software traditional app created 2008 not updated very often online: https:demotestfirenet repo: https:githubcomhcltechsoftwarealtoroj quick start new zap just want quickly run against these commands: download recommended plan using curl use any other suitable tool 
https:rawgithubusercontentcomzaproxycommunityscriptsrefsheadsmainotherafplansfullscantestfireauthyaml stable docker image mapping cwd that can access file system export report pwd:zapwrk:rw zaproxyzapstable zapsh cmd autorun wrkfullscantestfireauthyaml command windows see relevant documentation you will need have installed do then course install locally create html your containing full details all issues found further resultsresults below potential pitfalls online which may unavailable broken point running local version give more consistent results authentication users username password: admin jsmith demo1234 browser based successfully authenticate identify session handling verification client script zest available here: testfirezst environment env: contexts: name: urls: http:demotestfirenet includepaths: authentication: method: parameters: loginpageurl: https:demotestfirenetloginjsp loginpagewait: browserid: firefox verification: poll loggedinregex: 200 oke loggedoutregex: 302 founde pollfrequency: 60 pollunits: seconds pollurl: https:demotestfirenetbankmainjsp pollpostdata: 3434 sessionmanagement: headers users: credentials: username: note there exclude paths added definition logout avoidance used spider job example dologin left included impacted sqli vulnerability crawling spiders crawl we recommend following configuration: type: context: user: url: logoutavoidance: true ajax link: spiderajax firefoxheadless excludedelements: description: element: text: sign off scanning believe definitive list vulnerabilities altoroj: https:helphclsoftwarecomappscanasocjapdfsampledastreportpdf too surprisingly configure activescan probably generate vuln disposition cross site scripting reflected http:testfirenetbankcustomizejsp positive http:testfirenetbankqueryxpathjsp http:testfirenetsearchjsp http:testfirenetsendfeedback sql injection http:testfirenetbankccapply https:testfirenetdologin https:demotestfirenetbankshowtransactions false negative external redirect pii disclosure 
https:testfirenetbankmainjsp content security policy csp header set absence anticsrf tokens missing anticlickjacking relative path confusion secure pages include mixed including scripts sub resource integrity attribute insecure http method code api bit different make post request apilogin credentials json format: username:jsmithpassword:demo1234 responds authorization token needs sent via requests parts sessiontoken validity verified making get checking response ok vs 401 unauthorized testfireapi excludepaths: https:demotestfirenetapilogout loginrequestbody: 3434username34:34username3434password34:34password34 34 loginrequesturl: https:demotestfirenetapilogin authorization: 34json:authorization34 technology: structure: openapi import explore prior active traffic passively scanned during apiurl: https:demotestfirenetswaggerpropertiesjson scan fit policies addon good opportunity leverage " }, { "url": "/docs/alerts/10020/",+ 📝 + + Note + +
+ +++If you have the Scan Policies add-on installed, this is a good opportunity to leverage the API Policy.
+
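Review bot: the only change in this hunk is the regenerated `content` string, which now carries the tokenised text of the new API section (`api bit different make post request apilogin credentials json format: username:jsmithpassword:demo1234 ...`); if `search/index.json` is produced by the site build, it should be regenerated there rather than committed with the docs change, and if it is committed on purpose, confirm it was generated from the final wording of the paragraph so the index does not drift from the page. The new text also makes an existing indexing problem visible: the quote characters in the YAML are indexed as stray `34` tokens (`3434username34:34username3434password34`, matching the pre-existing `pollpostdata: 3434`), which looks like the indexer keeping the digits of the `&#34;` entity; not introduced here, but worth a separate fix so these fragments do not pollute search results.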