Was "Forced User Mode" [1] enabled before step 5?
Is the authentication working with other components? (e.g. spider, manual
requests, proxied requests, ...)
If the authentication is working with other components, could you try again
with the latest weekly release [1]? This might be a duplicate of Issue 1291.
[1] https://code.google.com/p/zaproxy/wiki/HelpUiTltoolbar#/_Force_User_Mode_On_/_Off
[2] https://code.google.com/p/zaproxy/wiki/Downloads#ZAP_Weekly
Original comment by THC...@gmail.com
on 19 Sep 2014 at 8:00
>weekly release [1]
should be:
weekly release [2]
Original comment by THC...@gmail.com
on 19 Sep 2014 at 8:02
Thank you for your comments.
I will check your advice as soon as possible.
Original comment by iehiro.s...@gmail.com
on 19 Sep 2014 at 8:06
Hi team,
Force User Mode is ON, but with "Force User Mode is Off" the result is the same.
Spider scan feedback below:
Processed : Green
Method : Get
Flags : SEED
I think my configuration is not correct.
Do you have any advice for me?
Original comment by iehiro.s...@gmail.com
on 19 Sep 2014 at 8:15
So, you're getting 401 responses with the spider too?
Could you try without the domain ("Domain\") in the user name?
Original comment by THC...@gmail.com
on 19 Sep 2014 at 8:33
Note that you should use the weekly release in any case otherwise you might get
the 401 responses even with the authentication correctly configured.
Original comment by THC...@gmail.com
on 19 Sep 2014 at 8:48
Thank you for your support.
I tried without the domain, but I got the same result.
The Spider screen does not show any code.
I will try the latest release.
I will let you know the result.
Original comment by iehiro.s...@gmail.com
on 19 Sep 2014 at 8:55
Hi team,
I tried this on the latest release (9-15).
I'm sorry, but I got the same result.
Do you have any further items I should try?
Best regards,
Original comment by iehiro.s...@gmail.com
on 19 Sep 2014 at 10:12
The only way to check what's wrong, now, is by looking at the wire log, as it contains all the data exchanged during the authentication (if it's really trying to authenticate).
To enable the wire log you need to make the following modifications to the log4j.properties file (located in ZAP's default directory or the directory manually specified [1]):
The following line has to be added:
log4j.logger.httpclient.wire.header=DEBUG
and the following line changed:
log4j.logger.org.apache.commons.httpclient=ERROR
replace ERROR with DEBUG.
The log will contain the content of the HTTP request/response headers and other
useful debug messages which should help identify the issue.
Note that you might need to remove/obfuscate any sensitive information.
After enabling the wire log you need to spider/active scan again (which should
reproduce the authentication failures) and provide the file zap.log (attached
here or by other means).
The file zap.log is located in the same directory as the log4j.properties file.
[1] https://code.google.com/p/zaproxy/wiki/FAQconfig
Original comment by THC...@gmail.com
on 19 Sep 2014 at 11:05
Thank you for supporting us.
Here is zap.log after changing log4j.properties:
---------------------------------------------
2014-09-23 01:49:12,783 INFO PluginFactory - loaded plugin Path Traversal
2014-09-23 01:49:12,783 INFO PluginFactory - loaded plugin Remote File Inclusion
2014-09-23 01:49:12,783 INFO PluginFactory - loaded plugin Server side include
2014-09-23 01:49:12,784 INFO PluginFactory - loaded plugin Cross Site Scripting (Reflected)
2014-09-23 01:49:12,784 INFO PluginFactory - loaded plugin Cross Site Scripting (Persistent)
2014-09-23 01:49:12,784 INFO PluginFactory - loaded plugin SQL Injection
2014-09-23 01:49:12,784 INFO PluginFactory - loaded plugin Server Side Code Injection Plugin
2014-09-23 01:49:12,785 INFO PluginFactory - loaded plugin Remote OS Command Injection Plugin
2014-09-23 01:49:12,785 INFO PluginFactory - loaded plugin Directory browsing
2014-09-23 01:49:12,785 INFO PluginFactory - loaded plugin Secure page browser cache
2014-09-23 01:49:12,785 INFO PluginFactory - loaded plugin External redirect
2014-09-23 01:49:12,786 INFO PluginFactory - loaded plugin CRLF injection
2014-09-23 01:49:12,786 INFO PluginFactory - loaded plugin Parameter tampering
2014-09-23 01:49:12,786 INFO PluginFactory - loaded plugin Cross Site Scripting (Persistent) - Prime
2014-09-23 01:49:12,786 INFO PluginFactory - loaded plugin Cross Site Scripting (Persistent) - Spider
2014-09-23 01:49:12,787 INFO PluginFactory - loaded plugin Script active scan rules
2014-09-23 01:49:12,787 INFO Scanner - scanner started
2014-09-23 01:49:12,841 INFO HostProcess - start host http://xxx.yyy.zzz | TestPathTraversal strength MEDIUM threshold MEDIUM
2014-09-23 01:49:12,851 INFO HostProcess - completed host/plugin http://xxx.yyy.zzz | TestPathTraversal in 0.009s
2014-09-23 01:49:12,852 INFO HostProcess - start host http://xxx.yyy.zzz | TestRemoteFileInclude strength MEDIUM threshold MEDIUM
2014-09-23 01:49:12,855 INFO HostProcess - completed host/plugin http://xxx.yyy.zzz | TestRemoteFileInclude in 0.003s
2014-09-23 01:49:12,855 INFO HostProcess - start host http://xxx.yyy.zzz | TestServerSideInclude strength MEDIUM threshold MEDIUM
2014-09-23 01:49:12,858 INFO HostProcess - completed host/plugin http://xxx.yyy.zzz | TestServerSideInclude in 0.003s
2014-09-23 01:49:12,859 INFO HostProcess - start host http://xxx.yyy.zzz | TestCrossSiteScriptV2 strength MEDIUM threshold MEDIUM
2014-09-23 01:49:12,862 INFO HostProcess - completed host/plugin http://xxx.yyy.zzz | TestCrossSiteScriptV2 in 0.003s
2014-09-23 01:49:12,862 INFO HostProcess - start host http://xxx.yyy.zzz | TestSQLInjection strength MEDIUM threshold MEDIUM
2014-09-23 01:49:12,865 INFO HostProcess - completed host/plugin http://xxx.yyy.zzz | TestSQLInjection in 0.003s
2014-09-23 01:49:12,865 INFO HostProcess - start host http://xxx.yyy.zzz | CodeInjectionPlugin strength MEDIUM threshold MEDIUM
2014-09-23 01:49:12,869 INFO HostProcess - completed host/plugin http://xxx.yyy.zzz | CodeInjectionPlugin in 0.003s
2014-09-23 01:49:12,869 INFO HostProcess - start host http://xxx.yyy.zzz | CommandInjectionPlugin strength MEDIUM threshold MEDIUM
2014-09-23 01:49:12,872 INFO HostProcess - completed host/plugin http://xxx.yyy.zzz | CommandInjectionPlugin in 0.003s
2014-09-23 01:49:12,873 INFO HostProcess - start host http://xxx.yyy.zzz | TestDirectoryBrowsing strength MEDIUM threshold MEDIUM
2014-09-23 01:49:12,944 INFO HostProcess - completed host/plugin http://xxx.yyy.zzz | TestDirectoryBrowsing in 0.071s
2014-09-23 01:49:12,952 INFO HostProcess - start host http://xxx.yyy.zzz | TestClientBrowserCache strength MEDIUM threshold MEDIUM
2014-09-23 01:49:12,956 INFO HostProcess - completed host/plugin http://xxx.yyy.zzz | TestClientBrowserCache in 0.004s
2014-09-23 01:49:12,956 INFO HostProcess - start host http://xxx.yyy.zzz | TestExternalRedirect strength MEDIUM threshold MEDIUM
2014-09-23 01:49:12,959 INFO HostProcess - completed host/plugin http://xxx.yyy.zzz | TestExternalRedirect in 0.003s
2014-09-23 01:49:12,960 INFO HostProcess - start host http://xxx.yyy.zzz | TestInjectionCRLF strength MEDIUM threshold MEDIUM
2014-09-23 01:49:12,963 INFO HostProcess - completed host/plugin http://xxx.yyy.zzz | TestInjectionCRLF in 0.003s
2014-09-23 01:49:12,963 INFO HostProcess - start host http://xxx.yyy.zzz | TestParameterTamper strength MEDIUM threshold MEDIUM
2014-09-23 01:49:12,966 INFO HostProcess - completed host/plugin http://xxx.yyy.zzz | TestParameterTamper in 0.003s
2014-09-23 01:49:12,966 INFO HostProcess - start host http://xxx.yyy.zzz | TestPersistentXSSPrime strength MEDIUM threshold MEDIUM
2014-09-23 01:49:12,969 INFO HostProcess - completed host/plugin http://xxx.yyy.zzz | TestPersistentXSSPrime in 0.002s
2014-09-23 01:49:12,970 INFO HostProcess - start host http://xxx.yyy.zzz | TestPersistentXSSSpider strength MEDIUM threshold MEDIUM
2014-09-23 01:49:13,006 INFO HostProcess - completed host/plugin http://xxx.yyy.zzz | TestPersistentXSSSpider in 0.036s
2014-09-23 01:49:13,012 INFO HostProcess - start host http://xxx.yyy.zzz | TestPersistentXSSAttack strength MEDIUM threshold MEDIUM
2014-09-23 01:49:13,025 INFO HostProcess - completed host/plugin http://xxx.yyy.zzz | TestPersistentXSSAttack in 0.013s
2014-09-23 01:49:13,025 INFO HostProcess - start host http://xxx.yyy.zzz | ScriptsActiveScanner strength MEDIUM threshold MEDIUM
2014-09-23 01:49:13,028 INFO HostProcess - completed host/plugin http://xxx.yyy.zzz | ScriptsActiveScanner in 0.002s
2014-09-23 01:49:13,030 INFO HostProcess - completed host http://xxx.yyy.zzz in 0.242s
2014-09-23 01:49:13,035 INFO Scanner - scanner completed in 0.248s
-------------------------
I also checked the IIS log files.
It seems ZAP doesn't use any user information.
Here is the IIS log:
---------------------------------------------
2014-09-22 16:45:56 W3SVC1 192.168.100.3 GET /2180597202745312346 - 80 - 126.15.49.235 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0;) 401 2 2148074254
2014-09-22 16:45:56 W3SVC1 192.168.100.3 GET / - 80 - 126.15.49.235 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0;) 401 2 2148074254
2014-09-22 16:45:56 W3SVC1 192.168.100.3 GET /pagerror.gif/ - 80 - 126.15.49.235 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0;) 401 2 2148074254
2014-09-22 16:45:56 W3SVC1 192.168.100.3 GET / - 80 - 126.15.49.235 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0;) 401 2 2148074254
2014-09-22 16:45:56 W3SVC1 192.168.100.3 GET /pagerror.gif - 80 - 126.15.49.235 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0;) 401 2 2148074254
Do you have any further information?
Best regards,
Original comment by iehiro.s...@gmail.com
on 22 Sep 2014 at 5:08
I forgot to ask this before, did you set the target application in "Include in
context"? Otherwise ZAP will not even try to authenticate.
Regarding the log, are you sure that you changed the correct log4j.properties
file? I'm asking because the log does not contain the request/response headers
nor other expected info.
It should contain something like:
2014-09-25 10:11:12,130 DEBUG DefaultHttpParams - Set parameter http.protocol.cookie-policy = ignoreCookies
2014-09-25 10:11:12,130 DEBUG HttpSender - sendAndReceive GET http://xxx.yyy.zzz/ start
2014-09-25 10:11:12,130 INFO User - Authenticating user: demo1
2014-09-25 10:11:12,130 DEBUG HttpSender - Sending message to: http://xxx.yyy.zzz/
2014-09-25 10:11:12,130 DEBUG DefaultHttpParams - Set parameter http.protocol.version = HTTP/1.0
2014-09-25 10:11:12,130 DEBUG DefaultHttpParams - Set parameter http.protocol.version = HTTP/1.1
2014-09-25 10:11:12,130 DEBUG DefaultHttpParams - Set parameter http.protocol.cookie-policy = compatibility
2014-09-25 10:11:12,130 DEBUG MultiThreadedHttpConnectionManager - HttpConnectionManager.getConnection: config = HostConfiguration[host=http://xxx.yyy.zzz, proxyHost=http://localhost:42381], timeout = 0
2014-09-25 10:11:12,130 DEBUG MultiThreadedHttpConnectionManager - Allocating new connection, hostConfig=HostConfiguration[host=http://xxx.yyy.zzz, proxyHost=http://localhost:42381]
2014-09-25 10:11:12,130 DEBUG HttpConnection - Open connection to localhost:42381
2014-09-25 10:11:12,130 DEBUG header - >> "GET http://xxx.yyy.zzz/ HTTP/1.1[\r][\n]"
2014-09-25 10:11:12,130 DEBUG HttpMethodBase - Adding Host request header
2014-09-25 10:11:12,130 DEBUG header - >> "User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:32.0) Gecko/20100101 Firefox/32.0[\r][\n]"
2014-09-25 10:11:12,130 DEBUG header - >> "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8[\r][\n]"
2014-09-25 10:11:12,130 DEBUG header - >> "Accept-Language: en-GB,en;q=0.5[\r][\n]"
2014-09-25 10:11:12,130 DEBUG header - >> "Connection: keep-alive[\r][\n]"
2014-09-25 10:11:12,130 DEBUG header - >> "Host: xxx.yyy.zzz[\r][\n]"
2014-09-25 10:11:12,130 DEBUG header - >> "Proxy-Connection: Keep-Alive[\r][\n]"
2014-09-25 10:11:12,130 DEBUG header - >> "[\r][\n]"
2014-09-25 10:11:12,130 DEBUG header - << "HTTP/1.1 401 Unauthorized[\r][\n]"
2014-09-25 10:11:12,130 DEBUG header - << "HTTP/1.1 401 Unauthorized[\r][\n]"
2014-09-25 10:11:12,130 DEBUG header - << "Connection: keep-alive[\r][\n]"
2014-09-25 10:11:12,130 DEBUG header - << "WWW-Authenticate: NTLM[\r][\n]"
2014-09-25 10:11:12,130 DEBUG header - << "Date: Thu, 25 Sep 2014 09:52:52 GMT[\r][\n]"
2014-09-25 10:11:12,130 DEBUG header - << "Server: TEST/1.1[\r][\n]"
2014-09-25 10:11:12,130 DEBUG header - << "Content-Length: 0[\r][\n]"
2014-09-25 10:11:12,130 DEBUG header - << "[\r][\n]"
2014-09-25 10:11:12,130 DEBUG HttpMethodDirector - Authorization required
2014-09-25 10:11:12,130 DEBUG AuthChallengeProcessor - Supported authentication schemes in the order of preference: [ntlm, digest, basic, ntlm]
2014-09-25 10:11:12,130 INFO AuthChallengeProcessor - ntlm authentication scheme selected
2014-09-25 10:11:12,130 DEBUG AuthChallengeProcessor - Using authentication scheme: ntlm
2014-09-25 10:11:12,130 DEBUG AuthChallengeProcessor - Authorization challenge processed
2014-09-25 10:11:12,130 DEBUG HttpMethodDirector - Authentication scope: NTLM <any realm>@xxx.yyy.zzz:80
2014-09-25 10:11:12,130 DEBUG HttpMethodDirector - Retry authentication
2014-09-25 10:11:12,130 DEBUG HttpMethodBase - Should NOT close connection in response to directive: keep-alive
2014-09-25 10:11:12,130 DEBUG HttpMethodDirector - Authenticating with NTLM <any realm>@xxx.yyy.zzz:80
2014-09-25 10:11:12,130 DEBUG header - >> "GET http://xxx.yyy.zzz/ HTTP/1.1[\r][\n]"
2014-09-25 10:11:12,130 DEBUG HttpMethodBase - Adding Host request header
2014-09-25 10:11:12,130 DEBUG header - >> "User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:32.0) Gecko/20100101 Firefox/32.0[\r][\n]"
2014-09-25 10:11:12,130 DEBUG header - >> "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8[\r][\n]"
2014-09-25 10:11:12,130 DEBUG header - >> "Accept-Language: en-GB,en;q=0.5[\r][\n]"
2014-09-25 10:11:12,130 DEBUG header - >> "Connection: keep-alive[\r][\n]"
2014-09-25 10:11:12,130 DEBUG header - >> "Proxy-Connection: Keep-Alive[\r][\n]"
2014-09-25 10:11:12,130 DEBUG header - >> "Authorization: NTLM TlRMTVNTUAABAAAAAYIIogAAAAAoAAAAAAAAACgAAAAFASgKAAAADw==[\r][\n]"
2014-09-25 10:11:12,130 DEBUG header - >> "Host: xxx.yyy.zzz[\r][\n]"
2014-09-25 10:11:12,130 DEBUG header - >> "[\r][\n]"
2014-09-25 10:11:12,130 DEBUG header - << "HTTP/1.1 401 Unauthorized[\r][\n]"
2014-09-25 10:11:12,130 DEBUG header - << "HTTP/1.1 401 Unauthorized[\r][\n]"
2014-09-25 10:11:12,130 DEBUG header - << "Connection: keep-alive[\r][\n]"
2014-09-25 10:11:12,130 DEBUG header - << "WWW-Authenticate: NTLM TlRMTVNTUAACAAAAAAAAADgAAAABggiikUFKDRT7Uj8AAAAAAAAAAAAAAAA4AAAABgEAAAAAAA8=[\r][\n]"
2014-09-25 10:11:12,130 DEBUG header - << "Date: Thu, 25 Sep 2014 09:52:52 GMT[\r][\n]"
2014-09-25 10:11:12,130 DEBUG header - << "Server: TEST/1.1[\r][\n]"
2014-09-25 10:11:12,130 DEBUG header - << "Content-Length: 0[\r][\n]"
2014-09-25 10:11:12,130 DEBUG header - << "[\r][\n]"
2014-09-25 10:11:12,130 DEBUG HttpMethodDirector - Authorization required
2014-09-25 10:11:12,130 DEBUG AuthChallengeProcessor - Using authentication scheme: ntlm
2014-09-25 10:11:12,130 DEBUG AuthChallengeProcessor - Authorization challenge processed
2014-09-25 10:11:12,130 DEBUG HttpMethodDirector - Authentication scope: NTLM <any realm>@xxx.yyy.zzz:80
2014-09-25 10:11:12,130 DEBUG HttpMethodDirector - Retry authentication
2014-09-25 10:11:12,130 DEBUG HttpMethodBase - Should NOT close connection in response to directive: keep-alive
2014-09-25 10:11:12,130 DEBUG HttpMethodDirector - Authenticating with NTLM <any realm>@xxx.yyy.zzz:80
2014-09-25 10:11:12,130 DEBUG header - >> "GET http://xxx.yyy.zzz/ HTTP/1.1[\r][\n]"
2014-09-25 10:11:12,130 DEBUG HttpMethodBase - Adding Host request header
2014-09-25 10:11:12,130 DEBUG header - >> "User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:32.0) Gecko/20100101 Firefox/32.0[\r][\n]"
2014-09-25 10:11:12,130 DEBUG header - >> "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8[\r][\n]"
2014-09-25 10:11:12,130 DEBUG header - >> "Accept-Language: en-GB,en;q=0.5[\r][\n]"
2014-09-25 10:11:12,130 DEBUG header - >> "Connection: keep-alive[\r][\n]"
2014-09-25 10:11:12,130 DEBUG header - >> "Proxy-Connection: Keep-Alive[\r][\n]"
2014-09-25 10:11:12,130 DEBUG header - >> "Authorization: NTLM TlRMTVNTUAADAAAAGAAYAEgAAAAYABgAYAAAAAYABgB4AAAACgAKAH4AAAAIAAgAiAAAAAAAAACQAAAAAYIIogUBKAoAAAAPmnAvYT0nhF4AAAAAAAAAAAAAAAAAAAAAKWs8XYsbKCwGCrlmSBvXo3QrVEbBAyQhWABYAFgAZABlAG0AbwAxAE0AYQByAHMA[\r][\n]"
2014-09-25 10:11:12,130 DEBUG header - >> "Host: xxx.yyy.zzz[\r][\n]"
2014-09-25 10:11:12,130 DEBUG header - >> "[\r][\n]"
2014-09-25 10:11:12,130 DEBUG header - << "HTTP/1.1 200 OK[\r][\n]"
2014-09-25 10:11:12,130 DEBUG header - << "HTTP/1.1 200 OK[\r][\n]"
2014-09-25 10:11:12,130 DEBUG header - << "Connection: keep-alive[\r][\n]"
2014-09-25 10:11:12,130 DEBUG header - << "Date: Thu, 25 Sep 2014 09:52:52 GMT[\r][\n]"
2014-09-25 10:11:12,130 DEBUG header - << "Server: TEST/1.1[\r][\n]"
2014-09-25 10:11:12,130 DEBUG header - << "Content-Length: 0[\r][\n]"
2014-09-25 10:11:12,130 DEBUG header - << "[\r][\n]"
2014-09-25 10:11:12,130 DEBUG DefaultHttpParams - Set parameter http.protocol.cookie-policy = ignoreCookies
2014-09-25 10:11:12,130 DEBUG HttpMethodBase - Buffering response body
2014-09-25 10:11:12,130 DEBUG HttpMethodBase - Should NOT close connection in response to directive: keep-alive
2014-09-25 10:11:12,130 DEBUG HttpConnection - Releasing connection back to connection manager.
2014-09-25 10:11:12,130 DEBUG MultiThreadedHttpConnectionManager - Freeing connection, hostConfig=HostConfiguration[host=http://xxx.yyy.zzz, proxyHost=http://localhost:42381]
2014-09-25 10:11:12,130 DEBUG IdleConnectionHandler - Adding connection at: 1411638772502
2014-09-25 10:11:12,130 DEBUG MultiThreadedHttpConnectionManager - Notifying no-one, there are no waiting threads
2014-09-25 10:11:12,130 DEBUG HttpSender - SUCCESSFUL
2014-09-25 10:11:12,130 DEBUG HttpSender - sendAndReceive GET http://xxx.yyy.zzz/ took 89
Original comment by THC...@gmail.com
on 25 Sep 2014 at 10:02
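As an added example (not from this thread or from the ZAP project), the following Python script does the check the comment above is asking for by machine: it reads a ZAP wire log, decodes each NTLM token it finds into message type, flags and, for the Type 3 message, the domain/user/workstation that was actually sent (the LM/NT response blobs are deliberately never returned), and reports where the handshake stopped. The sample log is constructed from the NTLM lines of the expected log quoted above; the NTLMSSP field offsets are the standard ones for NTLM Negotiate/Challenge/Authenticate messages.

```python
import base64
import re
import struct

# Constructed sample: the NTLM-carrying lines of the expected wire log above, tokens verbatim.
SAMPLE_LOG = r'''
2014-09-25 10:11:12,130 DEBUG header - << "WWW-Authenticate: NTLM[\r][\n]"
2014-09-25 10:11:12,130 DEBUG header - >> "Authorization: NTLM TlRMTVNTUAABAAAAAYIIogAAAAAoAAAAAAAAACgAAAAFASgKAAAADw==[\r][\n]"
2014-09-25 10:11:12,130 DEBUG header - << "WWW-Authenticate: NTLM TlRMTVNTUAACAAAAAAAAADgAAAABggiikUFKDRT7Uj8AAAAAAAAAAAAAAAA4AAAABgEAAAAAAA8=[\r][\n]"
2014-09-25 10:11:12,130 DEBUG header - >> "Authorization: NTLM TlRMTVNTUAADAAAAGAAYAEgAAAAYABgAYAAAAAYABgB4AAAACgAKAH4AAAAIAAgAiAAAAAAAAACQAAAAAYIIogUBKAoAAAAPmnAvYT0nhF4AAAAAAAAAAAAAAAAAAAAAKWs8XYsbKCwGCrlmSBvXo3QrVEbBAyQhWABYAFgAZABlAG0AbwAxAE0AYQByAHMA[\r][\n]"
2014-09-25 10:11:12,130 DEBUG header - << "HTTP/1.1 200 OK[\r][\n]"
'''
NTLM_HEADER = re.compile(r'(Authorization|WWW-Authenticate): NTLM(?: ([A-Za-z0-9+/=]+))?')
NEGOTIATE_UNICODE = 0x00000001  # NTLMSSP flag: string fields are UTF-16LE

def _buffer(msg, off):  # NTLM "security buffer": u16 len, u16 maxlen, u32 offset
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, off)
    return msg[offset:offset + length]

def parse_ntlm_token(b64):
    """Decode one base64 NTLMSSP token; the LM/NT response blobs are deliberately not returned."""
    msg = base64.b64decode(b64)
    if msg[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message")
    msg_type = struct.unpack_from("<I", msg, 8)[0]
    if msg_type == 1:  # NEGOTIATE: flags at offset 12
        return {"type": 1, "flags": struct.unpack_from("<I", msg, 12)[0]}
    if msg_type == 2:  # CHALLENGE: flags at 20, 8-byte server nonce at 24
        return {"type": 2, "flags": struct.unpack_from("<I", msg, 20)[0],
                "server_challenge": msg[24:32].hex()}
    if msg_type == 3:  # AUTHENTICATE: domain/user/workstation buffers at 28/36/44, flags at 60
        flags = struct.unpack_from("<I", msg, 60)[0]
        enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "latin-1"
        return {"type": 3, "flags": flags,
                "domain": _buffer(msg, 28).decode(enc),
                "user": _buffer(msg, 36).decode(enc),
                "workstation": _buffer(msg, 44).decode(enc)}
    raise ValueError("unknown NTLM message type %d" % msg_type)

def ntlm_steps(log_text):
    """Every NTLM header in the wire log, in order; a bare 'WWW-Authenticate: NTLM' is type 0."""
    return [dict(parse_ntlm_token(token) if token else {"type": 0}, header=header)
            for header, token in NTLM_HEADER.findall(log_text)]

def diagnose(log_text):
    """Report where the handshake stopped, which is what the thread is trying to establish."""
    steps = ntlm_steps(log_text)
    auth = [s for s in steps if s["type"] == 3]
    if not steps:
        return "no NTLM headers: ZAP never attempted NTLM (wire log off or target not in context)"
    if not auth:
        return "server demanded NTLM but no Type 3 (Authenticate) was sent"
    return "Authenticate sent as %(domain)s\\%(user)s from %(workstation)s" % auth[-1]
```

Run against the reporter's own zap.log the script returns the first verdict, which matches the IIS log showing only unauthenticated 401s; on the expected log above it reports the configured user and the domain and workstation name that went over the wire.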
Another thing: the log shows that you are accessing port 80, but in the configuration you set 443. Is that correct? Shouldn't the port be the same (i.e. 80)?
Original comment by THC...@gmail.com
on 25 Sep 2014 at 10:09
Did you manage to scan your web application, iehiro? I'm dealing with the same issue. I can't scan my web site hosted in IIS even though I configure the authentication and username correctly.
Original comment by thuansol...@gmail.com
on 26 Oct 2014 at 6:33
ZAP has been migrated to github
This issue will be on github issues with the same ID:
https://github.com/zaproxy/zaproxy/issues
Original comment by psii...@gmail.com
on 5 Jun 2015 at 9:17
Original issue reported on code.google.com by
iehiro.s...@gmail.com
on 19 Sep 2014 at 7:30