Closed rafalmeisel closed 1 year ago
Hi, could it be that there is an overlay-popup that opens on the login page? CSS class "cdk-overlay-backdrop" seems to indicate some overlay is active.
Hello @dicksnel,
Thank you for your message. I apologize for the delay. Unfortunately, I cannot see any popup windows on the Juice Shop login page. You can see my problem on this page: https://juice-shop.herokuapp.com/#/login
Moreover, I tried to:
cdk-overlay-backdrop cdk-overlay-dark-backdrop cdk-overlay-backdrop-showing
However, neither option 1 nor option 2 worked.
In my free time I will try to investigate this issue more. Currently I don't know if it is an issue of OWASP ZAP or Selenium itself; the ICTU script seems to work fine and can find this "Submit" button without issues.
Best regards, Rafał Meisel
@rafalmeisel I started JuiceShop myself, and on the first visit a Welcome message popup is shown. So this probably causes your exception:
Perhaps we can implement a solution that checks for the exception "is not clickable at point" when clicking submit, and then presses Escape to close any possible popup and tries to submit again.
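One way to implement the check-and-retry just described, as an added example rather than the zap2docker project's own code (the helper name `click_dismissing_overlay` and the `FakePage` stand-in are assumptions; when Selenium is not installed the block falls back to a stub exception class so it still runs offline):

```python
try:  # use the real Selenium types when the package is installed ...
    from selenium.common.exceptions import ElementClickInterceptedException
    from selenium.webdriver.common.keys import Keys
    ESCAPE = Keys.ESCAPE
except ImportError:  # ... otherwise minimal stand-ins so the helper runs offline
    class ElementClickInterceptedException(Exception):
        pass
    ESCAPE = "\ue00c"  # WebDriver key code for Escape


def click_dismissing_overlay(driver, element, attempts=3):
    """Click `element`; when an overlay backdrop intercepts the click (the
    "is not clickable at point" error from the log), send Escape to the
    focused element to close the dialog and retry. Returns the number of
    attempts used; re-raises the exception after the last failed attempt."""
    for attempt in range(1, attempts + 1):
        try:
            element.click()
            return attempt
        except ElementClickInterceptedException:
            if attempt == attempts:
                raise
            driver.switch_to.active_element.send_keys(ESCAPE)


class FakePage:
    """Constructed stand-in for both the WebDriver and the login button:
    an overlay blocks clicks until Escape reaches the active element."""
    def __init__(self, overlay_open=True, closable=True):
        self.overlay_open = overlay_open
        self.closable = closable          # False models a popup Escape cannot close
        self.clicks = 0
        self.switch_to = self             # so driver.switch_to.active_element resolves
        self.active_element = self

    def click(self):
        self.clicks += 1
        if self.overlay_open:
            raise ElementClickInterceptedException(
                "element click intercepted: cdk-overlay-backdrop would receive the click")

    def send_keys(self, keys):
        if keys == ESCAPE and self.closable:
            self.overlay_open = False


if __name__ == "__main__":
    page = FakePage()  # first click hits the Welcome popup backdrop
    print(click_dismissing_overlay(page, page))  # 2
```

With a real WebDriver you would pass the driver and the `#loginButton` element instead of the fake, and the retry cap keeps a popup that Escape cannot close from turning into an endless loop.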
Fixed in 8eabe0012a367bc73f8440a62a9d546812cc40b3
Hello,
I am currently working on setting up OWASP ZAP docker baseline authenticated scans with OWASP Juice Shop.
I'm using two docker images:
I configured zap2docker with the configuration below (before, I created the "tester@tester.com" user):
```
zap-baseline.py -t http://juice-shop:3000/ -r zap-authenticated-baseline-juice-shop-report.html -I -d -j -m 60 \
  --hook=/zap/auth_hook.py \
  -z "auth.loginurl=http://juice-shop:3000/#/login \
  auth.username="tester@tester.com" \
  auth.password="tester" \
  auth.username_field="email" \
  auth.password_field="password" \
  auth.submit_field="loginButton""
```
As a result, I got this error:
```
zap-authenticated-juice-shop-attacker_1 | 2023-02-02 11:02:38,857 Finished Request
zap-authenticated-juice-shop-attacker_1 | Traceback (most recent call last):
zap-authenticated-juice-shop-attacker_1 |   File "/zap/zap_auth.py", line 83, in authenticate
zap-authenticated-juice-shop-attacker_1 |     self.login()
zap-authenticated-juice-shop-attacker_1 |   File "/zap/zap_auth.py", line 225, in login
zap-authenticated-juice-shop-attacker_1 |     self.submit_form(self.config.auth_submitaction,
zap-authenticated-juice-shop-attacker_1 |   File "/zap/zap_auth.py", line 243, in submit_form
zap-authenticated-juice-shop-attacker_1 |     element.click()
zap-authenticated-juice-shop-attacker_1 |   File "/home/zap/.local/lib/python3.9/site-packages/selenium/webdriver/remote/webelement.py", line 80, in click
zap-authenticated-juice-shop-attacker_1 |     self._execute(Command.CLICK_ELEMENT)
zap-authenticated-juice-shop-attacker_1 |   File "/home/zap/.local/lib/python3.9/site-packages/selenium/webdriver/remote/webelement.py", line 633, in _execute
zap-authenticated-juice-shop-attacker_1 |     return self._parent.execute(command, params)
zap-authenticated-juice-shop-attacker_1 |   File "/home/zap/.local/lib/python3.9/site-packages/selenium/webdriver/remote/webdriver.py", line 321, in execute
zap-authenticated-juice-shop-attacker_1 |     self.error_handler.check_response(response)
zap-authenticated-juice-shop-attacker_1 |   File "/home/zap/.local/lib/python3.9/site-packages/selenium/webdriver/remote/errorhandler.py", line 242, in check_response
zap-authenticated-juice-shop-attacker_1 |     raise exception_class(message, screen, stacktrace)
zap-authenticated-juice-shop-attacker_1 | selenium.common.exceptions.ElementClickInterceptedException: Message: element click intercepted: Element <button _ngcontent-jyq-c160="" type="submit" id="loginButton" mat-raised-button="" color="primary" aria-label="Login" class="mat-focus-indicator mat-raised-button mat-button-base mat-primary">...</button> is not clickable at point (960, 421). Other element would receive the click: <div class="cdk-overlay-backdrop cdk-overlay-dark-backdrop cdk-overlay-backdrop-showing"></div>
zap-authenticated-juice-shop-attacker_1 |   (Session info: headless chrome=108.0.5359.124)
zap-authenticated-juice-shop-attacker_1 |
zap-authenticated-juice-shop-attacker_1 | 2023-02-02 11:02:38,858 error in authenticate: None
zap-authenticated-juice-shop-attacker_1 | 2023-02-02 11:02:38,858 DELETE http://127.0.0.1:59727/session/bde6fabcf897087133a540fedafd663c {}
zap-authenticated-juice-shop-attacker_1 | 2023-02-02 11:02:38,910 http://127.0.0.1:59727 "DELETE /session/bde6fabcf897087133a540fedafd663c HTTP/1.1" 200 14
zap-authenticated-juice-shop-attacker_1 | 2023-02-02 11:02:38,910 Finished Request
zap-authenticated-juice-shop-attacker_1 | Traceback (most recent call last):
zap-authenticated-juice-shop-attacker_1 |   File "/zap/zap_auth.py", line 83, in authenticate
zap-authenticated-juice-shop-attacker_1 |     self.login()
zap-authenticated-juice-shop-attacker_1 |   File "/zap/zap_auth.py", line 225, in login
zap-authenticated-juice-shop-attacker_1 |     self.submit_form(self.config.auth_submitaction,
zap-authenticated-juice-shop-attacker_1 |   File "/zap/zap_auth.py", line 243, in submit_form
zap-authenticated-juice-shop-attacker_1 |     element.click()
zap-authenticated-juice-shop-attacker_1 |   File "/home/zap/.local/lib/python3.9/site-packages/selenium/webdriver/remote/webelement.py", line 80, in click
zap-authenticated-juice-shop-attacker_1 |     self._execute(Command.CLICK_ELEMENT)
zap-authenticated-juice-shop-attacker_1 |   File "/home/zap/.local/lib/python3.9/site-packages/selenium/webdriver/remote/webelement.py", line 633, in _execute
zap-authenticated-juice-shop-attacker_1 |     return self._parent.execute(command, params)
zap-authenticated-juice-shop-attacker_1 |   File "/home/zap/.local/lib/python3.9/site-packages/selenium/webdriver/remote/webdriver.py", line 321, in execute
zap-authenticated-juice-shop-attacker_1 |     self.error_handler.check_response(response)
zap-authenticated-juice-shop-attacker_1 |   File "/home/zap/.local/lib/python3.9/site-packages/selenium/webdriver/remote/errorhandler.py", line 242, in check_response
zap-authenticated-juice-shop-attacker_1 |     raise exception_class(message, screen, stacktrace)
zap-authenticated-juice-shop-attacker_1 | selenium.common.exceptions.ElementClickInterceptedException: Message: element click intercepted: Element <button _ngcontent-jyq-c160="" type="submit" id="loginButton" mat-raised-button="" color="primary" aria-label="Login" class="mat-focus-indicator mat-raised-button mat-button-base mat-primary">...</button> is not clickable at point (960, 421). Other element would receive the click: <div class="cdk-overlay-backdrop cdk-overlay-dark-backdrop cdk-overlay-backdrop-showing"></div>
zap-authenticated-juice-shop-attacker_1 |   (Session info: headless chrome=108.0.5359.124)
zap-authenticated-juice-shop-attacker_1 |
zap-authenticated-juice-shop-attacker_1 |
zap-authenticated-juice-shop-attacker_1 | During handling of the above exception, another exception occurred:
zap-authenticated-juice-shop-attacker_1 |
zap-authenticated-juice-shop-attacker_1 | Traceback (most recent call last):
zap-authenticated-juice-shop-attacker_1 |   File "/zap/auth_hook.py", line 29, in zap_started
zap-authenticated-juice-shop-attacker_1 |     auth.authenticate(zap, target)
zap-authenticated-juice-shop-attacker_1 |   File "/zap/zap_auth.py", line 103, in authenticate
zap-authenticated-juice-shop-attacker_1 |     if self.auth_fail_on_error:
zap-authenticated-juice-shop-attacker_1 | AttributeError: 'ZapAuth' object has no attribute 'auth_fail_on_error'
zap-authenticated-juice-shop-attacker_1 | 2023-02-02 11:02:38,914 error in zap_started: None
```
The most interesting part of the above log is this:
```
zap-authenticated-juice-shop-attacker_1 | selenium.common.exceptions.ElementClickInterceptedException: Message: element click intercepted: Element <button _ngcontent-jyq-c160="" type="submit" id="loginButton" mat-raised-button="" color="primary" aria-label="Login" class="mat-focus-indicator mat-raised-button mat-button-base mat-primary">...</button> is not clickable at point (960, 421). Other element would receive the click: <div class="cdk-overlay-backdrop cdk-overlay-dark-backdrop cdk-overlay-backdrop-showing"></div>
```
Probable issue: As far as I know, this error occurs when Selenium did not find an element on the page because the page has not yet loaded.
Suggested solution: Add an extra authentication parameter such as "wait_for_load", where the user specifies the number of seconds to wait before performing authentication.
Question: I would be grateful if you could provide information on whether this issue could be resolved with another solution.