Grunny / zap-cli

A simple tool for interacting with OWASP ZAP from the commandline.
MIT License

Set active HTTP Session #41

Open setzamora opened 6 years ago

setzamora commented 6 years ago

With a custom session cookie, I'm not able to tell the spider to crawl properly even with a user set in a context that authenticates via form.

I tried logging in to the web app using the browser and set the session cookie as the active session; then the spider was able to crawl properly.

Is there a way to set it via zap-cli?

 Commands:
   active-scan  Run an Active Scan.
   ajax-spider  Run the AJAX Spider against a URL.
   alerts       Show alerts at the given alert level.
   context      Manage contexts for the current session.
   exclude      Exclude a pattern from all scanners.
   open-url     Open a URL using the ZAP proxy.
   policies     Enable or list a set of policies.
   quick-scan   Run a quick scan.
   report       Generate XML or HTML report.
   scanners     Enable, disable, or list a set of scanners.
   scripts      Manage scripts.
   session      Manage sessions.
   shutdown     Shutdown the ZAP daemon.
   spider       Run the spider against a URL.
   start        Start the ZAP daemon.
   status       Check if ZAP is running.

I don't see it in the list of commands.

The zapv2 Python library has it:

zap.httpsessions.set_active_session(url, session, apikey)
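
An added example (not zap-cli's code and not from this thread) of the manual workaround described above, written against the ZAP JSON API directly with the standard library so it runs without the python-owasp-zap-v2.4 package. The endpoint names (httpSessions addSessionToken, createEmptySession, setSessionTokenValue, setActiveSession, activeSession; spider scan) are ZAP's own API; the site, cookie name, cookie value, session name and API key are constructed placeholders, and RecordingTransport is a hypothetical stand-in that records the calls so the sequence can be checked offline.

```python
"""Activate a captured session cookie in ZAP's HTTP Sessions, then spider.

Added example, not zap-cli code. Talks to the ZAP JSON API directly (the same
endpoints python-owasp-zap-v2.4 wraps). Endpoint and parameter names are ZAP's;
every site/cookie/session/key value below is a constructed placeholder.
"""
import json
import urllib.parse
import urllib.request

ZAP_API_KEY_HEADER = "X-ZAP-API-Key"


def urllib_transport(url, headers):
    """Default transport: GET a ZAP API URL and parse the JSON reply."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


class RecordingTransport:
    """Offline stand-in (hypothetical) for urllib_transport: records each URL
    and its headers and returns a canned ZAP-style reply, so the call
    sequence can be inspected without a running ZAP."""

    def __init__(self):
        self.calls = []

    def __call__(self, url, headers):
        self.calls.append((url, dict(headers)))
        return {"Result": "OK", "scan": "0"}


class ZapSessionClient:
    def __init__(self, base_url="http://127.0.0.1:8090", api_key="",
                 transport=urllib_transport):
        self.base_url = base_url.rstrip("/")
        self.api_key = api_key
        self.transport = transport

    def api_url(self, component, kind, name, **params):
        """Build /JSON/<component>/<view|action>/<name>/?k=v with URL encoding."""
        query = urllib.parse.urlencode(
            {k: v for k, v in params.items() if v is not None})
        return f"{self.base_url}/JSON/{component}/{kind}/{name}/?{query}"

    def call(self, component, kind, name, **params):
        url = self.api_url(component, kind, name, **params)
        # ZAP accepts the API key as the X-ZAP-API-Key header.
        headers = {ZAP_API_KEY_HEADER: self.api_key} if self.api_key else {}
        return self.transport(url, headers)

    def activate_session(self, site, cookie_name, cookie_value,
                         session_name="manual"):
        """Register a custom cookie as a session token, create a named session
        carrying its value, and make that session active so the spider and
        scanners send it. `site` is ZAP's host:port form (assumed)."""
        self.call("httpSessions", "action", "addSessionToken",
                  site=site, sessionToken=cookie_name)
        self.call("httpSessions", "action", "createEmptySession",
                  site=site, session=session_name)
        self.call("httpSessions", "action", "setSessionTokenValue",
                  site=site, session=session_name,
                  sessionToken=cookie_name, tokenValue=cookie_value)
        self.call("httpSessions", "action", "setActiveSession",
                  site=site, session=session_name)
        # Read back which session ZAP now treats as active.
        return self.call("httpSessions", "view", "activeSession", site=site)

    def spider(self, url):
        """Start the spider; ZAP returns the scan id as a string."""
        return self.call("spider", "action", "scan", url=url)["scan"]


def demo():
    """Offline walk-through with constructed values; returns the URLs issued."""
    recorder = RecordingTransport()
    client = ZapSessionClient(api_key="constructed-key", transport=recorder)
    client.activate_session("app.example:443", "MYAPPSESSION", "abc123",
                            "from-browser")
    client.spider("https://app.example/")
    return [url for url, _ in recorder.calls]


if __name__ == "__main__":
    for issued in demo():
        print(issued)
```

Against a real daemon, leave `transport` at its default and point `base_url` at the ZAP proxy port; the cookie value is the one you obtained from your own browser session. Two assumptions to check against the API UI of the ZAP version you run: the site string is ZAP's host:port form, and the site must already be present in ZAP's site tree (for example after `zap-cli open-url`) before session tokens can be attached to it.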

Grunny commented 6 years ago

Hi @setzamora! Just to confirm, you're not able to set up a working authentication method for the context, is that right? zap-cli can handle authenticated crawls by using the authentication method configured in a context and then passing the configured user to the spider, active-scan, or quick-scan commands: https://github.com/Grunny/zap-cli#running-scans-as-authenticated-users

I can also add support for manually setting the HTTP sessions if that's necessary to make authentication work for the site you're testing; there isn't currently a command for that.

setzamora commented 6 years ago

Hey @Grunny. That is correct. Unfortunately, the application is using a custom cookie for authentication and for some reason the spider doesn't honour the session.

I already added the custom cookie to the list and saw that form-based authentication with a valid user works but I'm not sure why the spider doesn't pick it up. The difference in the result of the spider crawls is evident when setting an active HTTP session manually versus relying on the form-based authentication. Note that I already added some specific rules to prevent the spider from hitting the "logout" link, and whatnot.