ashenchowthee / zaproxy

Automatically exported from code.google.com/p/zaproxy

Apps Scan for SharePoint 2013 Web Application with NTLM Authentication #1602

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Hi OWASP ZAP team,

I would like to scan my web application which is developed by SharePoint 2013. 
The web application requires Windows authentication (Active Directory) or 
Form-based authentication to scan unless the scan result isn't correct. I tried 
to use "Spider" with user to attack the SharePoint application, however I found 
that the scan cannot drill into the details due to the failure of 
authentication.

What steps will reproduce the problem?
1. Open Session Properties, from the Include in context, type the URL (e.g. iportal.sharepoint.com)
2. In Authentication setting,
  - Select HTTP/NTLM Authentication.
  - Hostname: iportal.sharepoint.com
  - Port: 443
  - Realm: {AD Domain}
3. In Users setting:
  - Add a new user with administration privileges
  - Username: Test user
  - Enabled: Yes
  - Username: {AD Domain}\username
  - Password: password
4. In Forced User setting
  - Select user (microsoft\farm)
5. In Session Management
  - Select http Authentication Session Management
6. Type the URL iportal.sharepoint.com in URL to attack and click Attack button
7. Progress displays message: Failed to attack the URL, please check that the URL you specify is valid.

What is the expected output? What do you see instead?
I would expect to see the tool can connect and crawl my web application with 
specified realm. I can even see anything happening after clicking Attack button.

What version of the product are you using? On what operating system?
I'm using OWASP ZAP version 2.4.0. My web application is hosted in IIS 8 
Windows Server 2012

Please provide any additional information below.
Please correct me if I'm missing something. Note that I'm new to this tool.

Thank you very much for your help.

Original issue reported on code.google.com by kanki...@gmail.com on 16 Apr 2015 at 7:09

GoogleCodeExporter commented 9 years ago
In step 1, the regular expression should include all the pages of interest. For example, to match all pages under https://iportal.sharepoint.com/ the following regular expression can be used:
\Qhttps://iportal.sharepoint.com\E.*
Otherwise sub-pages will not be in the defined context and no authentication is attempted.

In step 3, the username shouldn't need the domain, so you should also try 
without it.

Did you enable "Forced User" mode [1] before step 6?

Would you mind updating the regular expression and giving it another try? If it keeps failing, try sending a manual request [2] to the provided attack URL with forced user mode enabled and check the status code of the response. The quick start requires a 200 status code.

[1] https://code.google.com/p/zaproxy/wiki/HelpUiTltoolbar#/_Force_User_Mode_On_/_Off
[2] https://code.google.com/p/zaproxy/wiki/HelpUiDialogsMan_req

Original comment by THC...@gmail.com on 16 Apr 2015 at 2:05
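The comment above explains why the bare hostname typed in step 1 leaves the sub-pages out of the context, so no NTLM authentication is ever attempted for them. The following Python script is an added illustration of that scoping rule and is not part of the issue or of ZAP's code. It assumes that an "Include in context" regex has to match the whole URL (full match rather than substring search), uses `re.escape` as the Python stand-in for Java's `\Q...\E` literal quoting, and runs over a constructed list of URLs. It also goes one step beyond the reply: the suggested `\Q...\E.*` pattern is shown to pull a look-alike hostname into scope, and a tighter variant that anchors on the path separator is shown beside it.

```python
import re

# Constructed sample of URLs a spider might discover (hypothetical paths;
# the hostname is the one from the issue). The look-alike host is included
# on purpose to show how broad a prefix-plus-".*" pattern really is.
CRAWLED_URLS = [
    "https://iportal.sharepoint.com",
    "https://iportal.sharepoint.com/",
    "https://iportal.sharepoint.com/sites/finance/default.aspx",
    "https://iportal.sharepoint.com/_layouts/15/start.aspx",
    "https://iportal.sharepoint.com.evil.example/",   # look-alike host
    "https://other.example.com/",
]


def java_quoted(literal):
    """Python equivalent of Java's \\Q...\\E: every regex metacharacter in
    the literal is escaped, so '.' in the hostname no longer means 'any char'."""
    return re.escape(literal)


def in_context(pattern, url):
    """Assumption: a context include regex must match the entire URL, not just
    a substring of it. That is why a pattern without a trailing wildcard only
    matches one exact string."""
    return re.fullmatch(pattern, url) is not None


def scope(pattern, urls=CRAWLED_URLS):
    """Return the subset of urls that the given include regex puts in scope."""
    return [u for u in urls if in_context(pattern, u)]


# Pattern as typed in step 1 of the report: hostname only, no scheme, no wildcard.
BARE_HOST = "iportal.sharepoint.com"

# Pattern suggested in the reply: quoted literal prefix followed by anything.
PREFIX_ANY = java_quoted("https://iportal.sharepoint.com") + ".*"

# Tighter variant (added here, not from the reply): after the host, either
# nothing or a "/" followed by the path, so "...sharepoint.com.evil.example"
# can no longer sneak into the authenticated scope.
HOST_WITH_PATH = java_quoted("https://iportal.sharepoint.com") + "(/.*)?"


if __name__ == "__main__":
    for name, pattern in [("bare host", BARE_HOST),
                          ("prefix + .*", PREFIX_ANY),
                          ("host + path", HOST_WITH_PATH)]:
        print(f"{name:12s} {pattern}")
        for url in scope(pattern):
            print("   in scope:", url)
```

With the bare hostname nothing is in scope, which matches the "Failed to attack the URL" outcome; with the reply's pattern every page under the site is in scope, and so is the look-alike host, which is worth remembering when the forced user's credentials are NTLM credentials that ZAP will replay to whatever the context includes.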

GoogleCodeExporter commented 9 years ago
ZAP has been migrated to github

This issue will be on github issues with the same ID: 
https://github.com/zaproxy/zaproxy/issues

Original comment by psii...@gmail.com on 5 Jun 2015 at 9:18