ZAP Spider with Context #2079
That happens to me too with ZAP 2.6.0.
Have a look at https://github.com/zaproxy/zaproxy/wiki/FAQformauth, particularly the 'Diagnosing problems' section.
Same observation, I am using ZAP version 2.7.0. I have followed exactly the same steps as mentioned at "https://github.com/zaproxy/zaproxy/wiki/FAQformauth". Whenever I try to initiate a spider scan I can see that the POST request which has been flagged for form-based authentication sends incorrect credentials as "userName=ZAP&password=ZAP". I tried restarting ZAP etc.; nothing helps here.
I'm going to chime in here as well, as this doesn't seem to be solved and whatever help/suggestions are on the internet don't appear to be working either. I can confirm that through the ZAP UI alone (the UI should be the source of truth, unlike unknown variables like implementations of the API), filling out all the fields as required, such as: should produce a Request like:
However, the substitution for the username and password placeholders is not working as intended, leaving a default of username=ZAP&password=ZAP for every request. I have confirmed that having the "forced user" button selected or unselected has no bearing on the results posted above. I have even gone so far as to hardcode the username and password into the Login Request POST Data field as
in which the UI will save the Login Request POST Data field as
once you click the Ok button and before closing the dialog window. So the UI is actively mutating user input before dialog close. At the very least, the Request Form Data encoded parameters should look something like:
but will always look like:
regardless of anything entered. Either the documentation is incorrect in explaining how the Login Request POST Data field should be formatted, or the substitution functionality behind the field is doing something wonky, because the UI is not working as explained in the documentation.
I wanted to clear up a few things for posterity and in case anyone else comes across this post searching for a solution to the username=ZAP&password=ZAP issue. My primary issue was getting the API to work properly. I was able to successfully get the response I was looking for using the manual instructions mentioned at https://github.com/zaproxy/zaproxy/wiki/FAQformauth#how-can-zap-automatically-authenticate-via-forms. However, there are a few caveats that seem to be missing: In the ZAP UI, in the Authentication menu under your context, the Login Request POST Data field MUST HAVE ALL THE FORM FIELDS IN THE POST in it. It is NOT ENOUGH to just have:
as the documentation suggests. The Login Request POST Data
Removing even a single POST form field key/value caused things to go awry. I was only able to get this working at both the API and UI level when including all fields in the POST DATA. The API version of the above looks something like:
where ALL the data after loginRequestData must be URL-encoded. I hope this helps.
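As an added illustration of the two caveats in the comment above (keep every captured form field in the Login Request POST Data, then URL-encode the loginRequestData value a second time when passing it through the API), here is a small Python script. It is not part of this thread and not ZAP project code; it assumes ZAP's {%username%} / {%password%} placeholder syntax and the authMethodConfigParams, loginUrl and loginRequestData parameter names, and the login POST body it works on is constructed for the example.

```python
"""Build ZAP form-based authentication settings from a captured login POST.

Added example for this thread; it is not ZAP project code.  It assumes ZAP's
{%username%} / {%password%} placeholder syntax and the authMethodConfigParams,
loginUrl and loginRequestData API parameter names.  The sample POST body below
is constructed for illustration.
"""
from urllib.parse import parse_qsl, urlencode

USERNAME_PLACEHOLDER = "{%username%}"
PASSWORD_PLACEHOLDER = "{%password%}"

# Constructed sample: a CAS-style login body with a per-request 'lt' token,
# as in the thread, plus the usual hidden fields and submit button.
SAMPLE_LOGIN_BODY = (
    "username=alice&password=s3cret%21"
    "&lt=LT-PLACEHOLDER&execution=e1s1&_eventId=submit"
)


def build_login_request_data(captured_body, user_field, pass_field):
    """Return the value for the 'Login Request POST Data' field.

    Every captured field is kept; only the two credential fields are swapped
    for the ZAP placeholders.  Dropping any other field (token, hidden input,
    submit button) is exactly what the thread reports as breaking login.
    """
    fields = parse_qsl(captured_body, keep_blank_values=True)
    present = {name for name, _ in fields}
    missing = {user_field, pass_field} - present
    if missing:
        raise ValueError(f"credential field(s) not in captured body: {sorted(missing)}")
    rewritten = []
    for name, value in fields:
        if name == user_field:
            value = USERNAME_PLACEHOLDER
        elif name == pass_field:
            value = PASSWORD_PLACEHOLDER
        rewritten.append((name, value))
    # Keep the placeholder characters literal; every other value is
    # percent-encoded once, as it would be in the real form submission.
    return urlencode(rewritten, safe="{}%")


def missing_fields(captured_body, login_request_data):
    """Field names present in the captured POST but absent from the ZAP value.

    A non-empty result means the ZAP configuration is incomplete.
    """
    wanted = [name for name, _ in parse_qsl(captured_body, keep_blank_values=True)]
    have = {name for name, _ in parse_qsl(login_request_data, keep_blank_values=True)}
    return [name for name in wanted if name not in have]


def has_placeholders(login_request_data):
    """True when both ZAP placeholders survive in the field value."""
    return (USERNAME_PLACEHOLDER in login_request_data
            and PASSWORD_PLACEHOLDER in login_request_data)


def build_auth_method_config_params(login_url, login_request_data):
    """Encode loginUrl and loginRequestData as one authMethodConfigParams value.

    The value is itself a query string, so each part is percent-encoded a
    second time: this is the 'everything after loginRequestData must be
    URL-encoded' step from the thread.
    """
    return urlencode({"loginUrl": login_url, "loginRequestData": login_request_data})


if __name__ == "__main__":
    data = build_login_request_data(SAMPLE_LOGIN_BODY, "username", "password")
    print("Login Request POST Data:", data)
    print("missing fields:", missing_fields(SAMPLE_LOGIN_BODY, data))
    print("authMethodConfigParams:",
          build_auth_method_config_params("https://app.example/login", data))
```

Running it prints the value to paste into the UI field, an empty missing-field list, and the doubly encoded authMethodConfigParams string for the API call. Comparing your own ZAP field against a captured login with missing_fields() is a quick way to spot the "one field dropped" mistake the thread describes.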
@morgangraphics I have the same POST request for my application as mentioned by you; however form authentication is not working, as each login needs to have a different "lt" every time. So I am using a ZEST script for authentication; however I am facing the issue that the Username and Password fields are replaced with "zap" as above. I have set the credentials in Users as well as enabled forced user for the Spider scan. Could you please suggest how to resolve this?
This isn't really the forum to ask for support help. However, perhaps some clarity might be in order. It is my understanding that the Spider Scan is looking at directory structure and is not tied to a specific user (at least in any examples I've seen), whereas the Ajax Spider on the other hand can be tied to a specific user due to what it's trying to accomplish. So, I am not sure which scan you are using, but my revelations above came from an Active Scan session. I believe your issue might be related to mutating the URL with ZEST; however I can't say for certain. While the lt=LT-58375-BziVyfPlHhzIZcXGNiBUahEGHxk4q1 key/value pair was at one point a legit token in my Active Scan request, if you actually look at the request/response in ZAP (right click, Open/Resend with Request Editor), the lt value is updated/injected automatically by ZAP. In this case the encoded lt key/value pair in the URL above serves as a placeholder.
For info, all of the ZAP tools should be able to be run with a specific user (if configured), including the traditional spider :)
Thanks for your valuable comments and time!! I have already configured a user; however the spider is not taking the configured user. It always takes 'zap' as username and password.
As this post was related to my issue, that is why I have continued on the same issue. Also I am targeting the spider scan, and as per my understanding once the authentication works the spider will crawl for more links. I will also use the same setup in Jenkins for the ZAP plugin integration. Thanks for your help!!
@rupaliwar I believe your problem is with logged in/out patterns. I doubt every logged in response in your app has a Location header; otherwise you'd never actually land anywhere.
Thanks @kingthorin. I believe the login request's response pattern should be added as the logged in indicator. However I looked into each response but didn't find any common pattern which is available in the authenticated requests' responses. Please suggest.
If the logged out indicator is strong then you can just rely on it.
I am encountering this same issue with OWASP ZAP v2.12.0. I have had some success and some failures running the Spider on my site. Sometimes it crawls all the pages successfully; sometimes it doesn't successfully log on, but tries to access the login page with username=ZAP, password=ZAP. I think what I've found is that it exhibits failures if I try to put a regex in for both Logged In messages and Logged Out messages in the Context → Authentication. E.g., I had set the Logged In regex to Now I have cleared the Logged In messages regex. For the Logged Out messages regex, I set
If you supply both Logged In and Logged Out regexes then ZAP will test for both.
I'm having the same authentication errors as above even though I have configured the authentication as described in the official FAQ. I don't get the "Forced User Mode disabled - click to enable" button enabled, and in the FAQ there is this:
I don't know what I am missing, but when I start the spider, selecting to use the configured user, I see that the login POST requests have bodies like these:
I think that the spider should use my configured user, not ZAP, zap or guest. Can anybody help me?
As mentioned above and in the doc you mentioned, you need to set a logged in/out indicator.
Hi all, in the end I created a new ZEST script recording the login page, where I extracted the logintoken parameter, the login POST, in which I used the parameter in the body (leaving username and password fixed), and the home page to check the correct login. I then configured this script as the authentication method, added a new user (which is not used, but needed to tell ZAP to use authentication) and then the spider successfully browsed the application. Hope this helps others in my same situation.
If this isn't the place for support questions then where is? Is it the Google OWASP ZAP User Group?
@luandrea I was experiencing similar issues and your comment about the POST request in the History panel was very helpful, thank you! I had been looking in the Request/Response tabs to the right of the Quick Start tab, and that Request data did not refresh.
Exactly.
From https://www.zaproxy.org/docs/desktop/start/features/authmethods/#formBased
Closing, this is now more about usage questions than an actual issue report.
Note that if users are struggling to work out how to use a particular part of the software correctly, that arguably could be considered an issue, especially if this is with users who are reasonably technically competent. Reasonable responses to this could be:
The authentication support has been significantly improved, as have the auth docs: https://www.zaproxy.org/docs/authentication/ We do know that things could be better and have plans to address them; we just need more people working on ZAP 😛
This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
I have created a context with all the Session Properties like Authentication, Users, Force User and Logged-In Indicator in ZAP 2.4.2. But when I try to run the spider including the context, I see the Spider trying to authenticate using username=ZAP and password=ZAP (not sure where these come from) instead of taking the credentials from the "Users" or "Force User" properties.