New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Unable to do Form Based Authentication in ZAP #4760
Comments
did you enable the forced user mode? |
That does not indicate if Forced User mode was enabled, please, take a look at https://github.com/zaproxy/zaproxy/wiki/FAQformauth (specially Diagnosing problems) and let us know which part is failing. |
Thanks Kajan :) Well i checked out some comments and found that you also faced the same problem i faced now. Thanks in advance. |
Is the authentication working (without using the spiders)? The spiders don't have the concept of login form, for them that's just another form to submit with some data (or none). If the spiders are seeing the login form it might be that they are not authenticated (if they are and the application does not redirect to the main page, the login page needs to be excluded from the spiders). |
If I use Spider or Ajax Spider, authentication does not works. When i use "Access Control" in the output it says "Authentication Successfull". I am not sure, if these are related, but this is what i figured out. Please suggest, what else i do. |
In your browser logout of your app/site. With Forced User enabled while proxying through ZAP try to access a page/URL that requires authentication. Are you successful? (Ex. ZAP auth’d for you.) |
@Vivek-NSI did you resolve your issue? Can this ticket be closed? |
I am still not able to perform "Form Based Authentication" Actually what i want to achieve I read all the tutorial and also follow above mentione steps, but did notget the solution yet. |
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs. |
Trying to use ZAP 2.7.0 for spidering against my internal javascript based website. I used AJAX spider but I see that it is entering random username even after doing the proper configuration. Also, tried using ZEST based recording for authentication but same issue. I did following:
Launched firefox from ZAP and logged into Website. Now, I can see my website under the "Sites" tab. Defined the new context and added my site into it. Selected the POST Login request for my site and did right click and selected as "Flag as Context" / " Form-based Auth Login request" Configured the Username and Password parameter correctly under "Authentication" in the context. Set the Log in and Log out indicator Created a new user with valid username and password (Same as what was used in the POST Login, mentioned in Step 3) under "Users" option in the context After doing above steps, tried to run following:
Ran "Ajax Spider" using the above context and the user. I see ZAP launching firefox then it opens my website login page but enters a random username and then eventually login fails and the spider stops. Expected it to use the the Username and Password configured in the above steps and crawl further after successful login.
Just to check if ZAP is able to spider, I ran the "Spider" (normal Spider option) and I see it uses "ZAP" as username and password both in the POST Login request and eventually login fails and it is not able to spider further. Expected it to use the Username and Password configured in the above steps as "Spider" was run as this user in the context.
Please let me know if i'm missing something here or is there a genuine issue with ZAP. Looking forward for the help. Thanks.
I have gone through all the Q&A regarding the same, but did not get any answer to it.
Please let me know if I have to make changes in my ZAP or what should be the simple solution to it.
The text was updated successfully, but these errors were encountered: