ICTU / zap2docker-auth-weekly

Zap baseline scanner in Docker with authentication
Apache License 2.0

How to use auth.first_submit_field options #57

Closed dhodyrahmad closed 1 year ago

dhodyrahmad commented 1 year ago

Hi, I need help with the zap command here. I want this zap auth to work in my pipeline. In my case I want to authenticate to a login page that has a hidden password field. So the flow is: fill in username (with hidden password field) > Continue button > fill in password > Login button. This flow works on the same page without changing to another page.

My command

zap-baseline.py -I -j -t "https://url.co.id" --hook=/zap/auth_hook.py -J zap-$CI_PROJECT_NAME-report.json -r zap-$CI_PROJECT_NAME-report.html -x zap-$CI_PROJECT_NAME-report.xml -z 'auth.loginurl="https://url.co.id/login" auth.username="username" auth.password="password" auth.exclude="https://url.co.id/logout" auth.first_submit_field="Continue" auth.username_field="email" auth.password_field="password" auth.submit_field="LOGIN"'

My Output


2022-12-15 09:10:09,495 Built xpath: //input[(translate(@id, 'ABCDEFGHIJKLMNOPQRSTUVWXYZ','abcdefghijklmnopqrstuvwxyz')='email') and (@type='text' or @type='email' or @type='number' or not(@type))]
2022-12-15 09:10:09,524 Built xpath: //input[(translate(@name, 'ABCDEFGHIJKLMNOPQRSTUVWXYZ','abcdefghijklmnopqrstuvwxyz')='email') and (@type='text' or @type='email' or @type='number' or not(@type))]
2022-12-15 09:10:09,549 Found element email by name
2022-12-15 09:10:09,715 Filled the email element
2022-12-15 09:10:09,715 Trying to find element password
2022-12-15 09:10:09,715 Built xpath: //input[(translate(@id, 'ABCDEFGHIJKLMNOPQRSTUVWXYZ','abcdefghijklmnopqrstuvwxyz')='password') and (@type='text' or @type='password' or not(@type))]
2022-12-15 09:10:09,728 Built xpath: //input[(translate(@name, 'ABCDEFGHIJKLMNOPQRSTUVWXYZ','abcdefghijklmnopqrstuvwxyz')='password') and (@type='text' or @type='password' or not(@type))]
2022-12-15 09:10:09,741 Found element password by name
2022-12-15 09:10:09,777 Did not find the password field - clicking Next button and trying again
2022-12-15 09:10:09,777 Trying to find element password
2022-12-15 09:10:09,777 Built xpath: //input[(translate(@id, 'ABCDEFGHIJKLMNOPQRSTUVWXYZ','abcdefghijklmnopqrstuvwxyz')='password') and (@type='text' or @type='password' or not(@type))]
2022-12-15 09:10:09,791 Built xpath: //input[(translate(@name, 'ABCDEFGHIJKLMNOPQRSTUVWXYZ','abcdefghijklmnopqrstuvwxyz')='password') and (@type='text' or @type='password' or not(@type))]
2022-12-15 09:10:09,803 Found element password by name
Traceback (most recent call last):
  File "/zap/zap_auth.py", line 201, in login
    self.fill_password()
  File "/zap/zap_auth.py", line 256, in fill_password
    return self.find_and_fill_element(self.config.auth_password,
  File "/zap/zap_auth.py", line 274, in find_and_fill_element
    element.clear()
  File "/usr/local/lib/python3.9/dist-packages/selenium/webdriver/remote/webelement.py", line 95, in clear
    self._execute(Command.CLEAR_ELEMENT)
  File "/usr/local/lib/python3.9/dist-packages/selenium/webdriver/remote/webelement.py", line 633, in _execute
    return self._parent.execute(command, params)
  File "/usr/local/lib/python3.9/dist-packages/selenium/webdriver/remote/webdriver.py", line 321, in execute
    self.error_handler.check_response(response)
  File "/usr/local/lib/python3.9/dist-packages/selenium/webdriver/remote/errorhandler.py", line 242, in check_response
    raise exception_class(message, screen, stacktrace)
selenium.common.exceptions.ElementNotInteractableException: Message: element not interactable
  (Session info: headless chrome=108.0.5359.98)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/zap/zap_auth.py", line 83, in authenticate
    self.login()
  File "/zap/zap_auth.py", line 208, in login
    self.fill_password()
  File "/zap/zap_auth.py", line 256, in fill_password
    return self.find_and_fill_element(self.config.auth_password,
  File "/zap/zap_auth.py", line 274, in find_and_fill_element
    element.clear()
  File "/usr/local/lib/python3.9/dist-packages/selenium/webdriver/remote/webelement.py", line 95, in clear
    self._execute(Command.CLEAR_ELEMENT)
  File "/usr/local/lib/python3.9/dist-packages/selenium/webdriver/remote/webelement.py", line 633, in _execute
    return self._parent.execute(command, params)
  File "/usr/local/lib/python3.9/dist-packages/selenium/webdriver/remote/webdriver.py", line 321, in execute
    self.error_handler.check_response(response)
  File "/usr/local/lib/python3.9/dist-packages/selenium/webdriver/remote/errorhandler.py", line 242, in check_response
    raise exception_class(message, screen, stacktrace)
selenium.common.exceptions.ElementNotInteractableException: Message: element not interactable
  (Session info: headless chrome=108.0.5359.98)

2022-12-15 09:10:09,830 error in authenticate: None
Traceback (most recent call last):
  File "/zap/zap_auth.py", line 201, in login
    self.fill_password()
  File "/zap/zap_auth.py", line 256, in fill_password
    return self.find_and_fill_element(self.config.auth_password,
  File "/zap/zap_auth.py", line 274, in find_and_fill_element
    element.clear()
  File "/usr/local/lib/python3.9/dist-packages/selenium/webdriver/remote/webelement.py", line 95, in clear
    self._execute(Command.CLEAR_ELEMENT)
  File "/usr/local/lib/python3.9/dist-packages/selenium/webdriver/remote/webelement.py", line 633, in _execute
    return self._parent.execute(command, params)
  File "/usr/local/lib/python3.9/dist-packages/selenium/webdriver/remote/webdriver.py", line 321, in execute
    self.error_handler.check_response(response)
  File "/usr/local/lib/python3.9/dist-packages/selenium/webdriver/remote/errorhandler.py", line 242, in check_response
    raise exception_class(message, screen, stacktrace)
selenium.common.exceptions.ElementNotInteractableException: Message: element not interactable
  (Session info: headless chrome=108.0.5359.98)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/zap/zap_auth.py", line 83, in authenticate
    self.login()
  File "/zap/zap_auth.py", line 208, in login
    self.fill_password()
  File "/zap/zap_auth.py", line 256, in fill_password
    return self.find_and_fill_element(self.config.auth_password,
  File "/zap/zap_auth.py", line 274, in find_and_fill_element
    element.clear()
  File "/usr/local/lib/python3.9/dist-packages/selenium/webdriver/remote/webelement.py", line 95, in clear
    self._execute(Command.CLEAR_ELEMENT)
  File "/usr/local/lib/python3.9/dist-packages/selenium/webdriver/remote/webelement.py", line 633, in _execute
    return self._parent.execute(command, params)
  File "/usr/local/lib/python3.9/dist-packages/selenium/webdriver/remote/webdriver.py", line 321, in execute
    self.error_handler.check_response(response)
  File "/usr/local/lib/python3.9/dist-packages/selenium/webdriver/remote/errorhandler.py", line 242, in check_response
    raise exception_class(message, screen, stacktrace)
selenium.common.exceptions.ElementNotInteractableException: Message: element not interactable
  (Session info: headless chrome=108.0.5359.98)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/zap/auth_hook.py", line 29, in zap_started
    auth.authenticate(zap, target)
  File "/zap/zap_auth.py", line 103, in authenticate
    if self.auth_fail_on_error:
AttributeError: 'ZapAuth' object has no attribute 'auth_fail_on_error'
2022-12-15 09:10:09,896 error in zap_started: None

I've successfully scanned other login pages (not with a hidden password field), until I found this blocker. Any suggestions to handle this?
dicksnel commented 1 year ago

Hi, I don't think this will work because Selenium can only fill elements that a user with a browser can fill.

A solution would be to make the field not hidden, or to execute some JavaScript to fill the element. Example:

driver.execute_script("document.getElementById('password').value='pass';")  # driver: the Selenium WebDriver instance (Python binding, as used by zap_auth.py)
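An added example (not code from zap2docker-auth-weekly) of the JavaScript fallback dicksnel describes, wrapped so that Selenium typing is tried first and JavaScript is used only when the field raises ElementNotInteractableException as in the traceback above. It assumes a Selenium WebDriver-compatible driver (execute_script) and WebElement (clear, send_keys); FakeElement and FakeDriver are constructed stand-ins so it runs without a browser, and the password is passed as a WebDriver argument rather than spliced into the script text.

```python
try:
    from selenium.common.exceptions import ElementNotInteractableException
except ImportError:  # selenium absent: stand-in so the example still imports offline
    class ElementNotInteractableException(Exception):
        pass

# The value travels as a WebDriver argument and is never spliced into the JS
# source, so a password containing quotes or backslashes stays data. The
# input/change events let frameworks that watch the field notice the new value.
FILL_SCRIPT = (
    "var el = arguments[0];"
    "el.value = arguments[1];"
    "el.dispatchEvent(new Event('input', {bubbles: true}));"
    "el.dispatchEvent(new Event('change', {bubbles: true}));"
    "return el.value;"
)

def fill_via_js(driver, element, value):
    """Set the field with JavaScript; returns the value the DOM holds afterwards."""
    return driver.execute_script(FILL_SCRIPT, element, value)

def fill_field(driver, element, value):
    """Normal Selenium typing first; JavaScript only when the element is in the
    DOM but not interactable (the hidden-password case from the traceback).
    Returns 'selenium' or 'javascript' to say which path filled the field."""
    try:
        element.clear()
        element.send_keys(value)
        return "selenium"
    except ElementNotInteractableException:
        fill_via_js(driver, element, value)
        return "javascript"

class FakeElement:
    """Constructed stand-in for a WebElement, so the example runs without a browser."""
    def __init__(self, interactable):
        self.interactable, self.value = interactable, ""
    def clear(self):
        if not self.interactable:
            raise ElementNotInteractableException("element not interactable")
        self.value = ""
    def send_keys(self, text):
        self.value += text

class FakeDriver:
    """Constructed stand-in for a WebDriver; applies FILL_SCRIPT's effect in Python."""
    def execute_script(self, script, *args):
        args[0].value = args[1]
        return args[0].value
```

With a real driver, call fill_field(driver, driver.find_element(By.ID, "password"), password) after clicking Continue; because the JavaScript path bypasses the browser's own interactability rules, use it only when the scan logs show the element was found but could not be typed into.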