search

ICTU / zap2docker-auth-weekly

Zap baseline scanner in Docker with authentication
Apache License 2.0
104 stars 70 forks source link

OWASP Juice Shop Login - [loginButton] Element is not clickable at point. Other element would receive the click. #61

Closed rafalmeisel closed 1 year ago

rafalmeisel commented 1 year ago

Hello,

I am currently working on setting up OWASP ZAP docker baseline authenticated scans with OWASP Juice Shop.

I'm using two docker images:

I configured zap2docker with below configuration (before I created "tester@tester.com" user):

zap-baseline.py -t http://juice-shop:3000/ -r zap-authenticated-baseline-juice-shop-report.html -I -d -j -m 60 \ --hook=/zap/auth_hook.py \ -z "auth.loginurl=http://juice-shop:3000/#/login \ auth.username="tester@tester.com" \ auth.password="tester" \ auth.username_field="email" \ auth.password_field="password" \ auth.submit_field="loginButton""

As result, I got this error:

zap-authenticated-juice-shop-attacker_1 | 2023-02-02 11:02:38,857 Finished Request zap-authenticated-juice-shop-attacker_1 | Traceback (most recent call last): zap-authenticated-juice-shop-attacker_1 | File "/zap/zap_auth.py", line 83, in authenticate zap-authenticated-juice-shop-attacker_1 | self.login() zap-authenticated-juice-shop-attacker_1 | File "/zap/zap_auth.py", line 225, in login zap-authenticated-juice-shop-attacker_1 | self.submit_form(self.config.auth_submitaction, zap-authenticated-juice-shop-attacker_1 | File "/zap/zap_auth.py", line 243, in submit_form zap-authenticated-juice-shop-attacker_1 | element.click() zap-authenticated-juice-shop-attacker_1 | File "/home/zap/.local/lib/python3.9/site-packages/selenium/webdriver/remote/webelement.py", line 80, in click zap-authenticated-juice-shop-attacker_1 | self._execute(Command.CLICK_ELEMENT) zap-authenticated-juice-shop-attacker_1 | File "/home/zap/.local/lib/python3.9/site-packages/selenium/webdriver/remote/webelement.py", line 633, in _execute zap-authenticated-juice-shop-attacker_1 | return self._parent.execute(command, params) zap-authenticated-juice-shop-attacker_1 | File "/home/zap/.local/lib/python3.9/site-packages/selenium/webdriver/remote/webdriver.py", line 321, in execute zap-authenticated-juice-shop-attacker_1 | self.error_handler.check_response(response) zap-authenticated-juice-shop-attacker_1 | File "/home/zap/.local/lib/python3.9/site-packages/selenium/webdriver/remote/errorhandler.py", line 242, in check_response zap-authenticated-juice-shop-attacker_1 | raise exception_class(message, screen, stacktrace) zap-authenticated-juice-shop-attacker_1 | selenium.common.exceptions.ElementClickInterceptedException: Message: element click intercepted: Element <button _ngcontent-jyq-c160="" type="submit" id="loginButton" mat-raised-button="" color="primary" aria-label="Login" class="mat-focus-indicator mat-raised-button mat-button-base mat-primary">...</button> is not clickable at point (960, 421). Other element would receive the click: <div class="cdk-overlay-backdrop cdk-overlay-dark-backdrop cdk-overlay-backdrop-showing"></div> zap-authenticated-juice-shop-attacker_1 | (Session info: headless chrome=108.0.5359.124) zap-authenticated-juice-shop-attacker_1 | zap-authenticated-juice-shop-attacker_1 | 2023-02-02 11:02:38,858 error in authenticate: None zap-authenticated-juice-shop-attacker_1 | 2023-02-02 11:02:38,858 DELETE http://127.0.0.1:59727/session/bde6fabcf897087133a540fedafd663c {} zap-authenticated-juice-shop-attacker_1 | 2023-02-02 11:02:38,910 http://127.0.0.1:59727 "DELETE /session/bde6fabcf897087133a540fedafd663c HTTP/1.1" 200 14 zap-authenticated-juice-shop-attacker_1 | 2023-02-02 11:02:38,910 Finished Request zap-authenticated-juice-shop-attacker_1 | Traceback (most recent call last): zap-authenticated-juice-shop-attacker_1 | File "/zap/zap_auth.py", line 83, in authenticate zap-authenticated-juice-shop-attacker_1 | self.login() zap-authenticated-juice-shop-attacker_1 | File "/zap/zap_auth.py", line 225, in login zap-authenticated-juice-shop-attacker_1 | self.submit_form(self.config.auth_submitaction, zap-authenticated-juice-shop-attacker_1 | File "/zap/zap_auth.py", line 243, in submit_form zap-authenticated-juice-shop-attacker_1 | element.click() zap-authenticated-juice-shop-attacker_1 | File "/home/zap/.local/lib/python3.9/site-packages/selenium/webdriver/remote/webelement.py", line 80, in click zap-authenticated-juice-shop-attacker_1 | self._execute(Command.CLICK_ELEMENT) zap-authenticated-juice-shop-attacker_1 | File "/home/zap/.local/lib/python3.9/site-packages/selenium/webdriver/remote/webelement.py", line 633, in _execute zap-authenticated-juice-shop-attacker_1 | return self._parent.execute(command, params) zap-authenticated-juice-shop-attacker_1 | File "/home/zap/.local/lib/python3.9/site-packages/selenium/webdriver/remote/webdriver.py", line 321, in execute zap-authenticated-juice-shop-attacker_1 | self.error_handler.check_response(response) zap-authenticated-juice-shop-attacker_1 | File "/home/zap/.local/lib/python3.9/site-packages/selenium/webdriver/remote/errorhandler.py", line 242, in check_response zap-authenticated-juice-shop-attacker_1 | raise exception_class(message, screen, stacktrace) zap-authenticated-juice-shop-attacker_1 | selenium.common.exceptions.ElementClickInterceptedException: Message: element click intercepted: Element <button _ngcontent-jyq-c160="" type="submit" id="loginButton" mat-raised-button="" color="primary" aria-label="Login" class="mat-focus-indicator mat-raised-button mat-button-base mat-primary">...</button> is not clickable at point (960, 421). Other element would receive the click: <div class="cdk-overlay-backdrop cdk-overlay-dark-backdrop cdk-overlay-backdrop-showing"></div> zap-authenticated-juice-shop-attacker_1 | (Session info: headless chrome=108.0.5359.124) zap-authenticated-juice-shop-attacker_1 | zap-authenticated-juice-shop-attacker_1 | zap-authenticated-juice-shop-attacker_1 | During handling of the above exception, another exception occurred: zap-authenticated-juice-shop-attacker_1 | zap-authenticated-juice-shop-attacker_1 | Traceback (most recent call last): zap-authenticated-juice-shop-attacker_1 | File "/zap/auth_hook.py", line 29, in zap_started zap-authenticated-juice-shop-attacker_1 | auth.authenticate(zap, target) zap-authenticated-juice-shop-attacker_1 | File "/zap/zap_auth.py", line 103, in authenticate zap-authenticated-juice-shop-attacker_1 | if self.auth_fail_on_error: zap-authenticated-juice-shop-attacker_1 | AttributeError: 'ZapAuth' object has no attribute 'auth_fail_on_error' zap-authenticated-juice-shop-attacker_1 | 2023-02-02 11:02:38,914 error in zap_started: None

The most interesting in above log is this part: zap-authenticated-juice-shop-attacker_1 | selenium.common.exceptions.ElementClickInterceptedException: Message: element click intercepted: Element <button _ngcontent-jyq-c160="" type="submit" id="loginButton" mat-raised-button="" color="primary" aria-label="Login" class="mat-focus-indicator mat-raised-button mat-button-base mat-primary">...</button> is not clickable at point (960, 421). Other element would receive the click: <div class="cdk-overlay-backdrop cdk-overlay-dark-backdrop cdk-overlay-backdrop-showing"></div>

Probably issue As far as I know, this error occurs, when Selenium did not find an element on a page because page has not yet loaded.

Suggested solution Add Extra authentication parameters as "wait_for_load" where user specify number of seconds to wait before performing Authentication.

Question I will be grateful to provide information if this issue could be resolve with other solution.

dicksnel commented 1 year ago

Hi, could it be that there is an overlay-popup that opens on the login page? CSS class "cdk-overlay-backdrop" seems to indicate some overlay is active.

rafalmeisel commented 1 year ago

Hello @dicksnel,

Thank you for your message. I apologize for this delay. Unfortunately, I cannot see any popup windows in Juice Shop login page. You can see my problem on this page: https://juice-shop.herokuapp.com/#/login

image

Moreover, I tried to:

  1. Modify ICTU code with authentication script to dynamically remove elements with class cdk-overlay-backdrop cdk-overlay-dark-backdrop cdk-overlay-backdrop-showing
  2. Modify ICTU code with authentication script to create dedicated xpath expression to specify submit button

However either 1 and 2 option didn't work.

In free time I will try to investigate this issue more. Currently I don't know if it issue of Owasp Zap or Selenium itself, ICTU script seems to work fine and can find this "Submit" button without the issues.

Best regards, Rafał Meisel

dicksnel commented 1 year ago

@rafalmeisel I started JuiceShop myself and on the first visit, a Welcome message popup is shown. So this probably causes your exception:

image

Perhaps we can implement a solution to check for exception "is not clickable at point" when clicking submit. And then press Escape to close any possible popup and try to submit again.

dicksnel commented 1 year ago

Fixed in 8eabe0012a367bc73f8440a62a9d546812cc40b3