ashenchowthee / zaproxy

Automatically exported from code.google.com/p/zaproxy

Authentication doesn't work #1614

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Create the new context or use the default one;
2. In session properties set Form-Based authentication method;
3. Set "Login form target URL" (end with slash according to POST method);
4. Set username and password. After saving they become like
"login={%username%}&password={%password%}";
5. Use created user after previous step or a new one;
6. Start the scan for target.

What is the expected output? What do you see instead?
Expected a successful login using the username and password from the current user instead of
brute-forcing login/password with random values. Even if I set the username and
password as additional arguments of the "Login request POST Data" it doesn't
help.

What version of the product are you using? On what operating system?
2.4.0 GUI or API from Docker, or the same version from the tar.gz distribution

Please provide any additional information below.

1. Forced user is also selected appropriately;
2. Session Management is cookie based

Original issue reported on code.google.com by sufferin...@gmail.com on 28 Apr 2015 at 8:15

GoogleCodeExporter commented 9 years ago
Did you also include [1] the target site in the context? Otherwise ZAP will not try
to authenticate.
In the "History" tab do you see any requests tagged with "Authentication" while
active scanning?

Active scan does not do brute-forcing; what might be happening is that the
login request is also being used to test for vulnerabilities.
Have you tried excluding [2] the login request from the scan?

[1] https://code.google.com/p/zaproxy/wiki/HelpUiDialogsSessionContexts#Include_in_context
[2] https://code.google.com/p/zaproxy/wiki/HelpUiDialogsSessionSessprop#Exclude_from_scanner

Original comment by THC...@gmail.com on 28 Apr 2015 at 10:19

GoogleCodeExporter commented 9 years ago
Thank you for the reply. Now it works!
I set "include in context" and "exclude from scanner".

The problem was that in the API you have to point out the forced user, which will
be used for authentication:
forcedUser.setForcedUser
forcedUser.setForcedUserModeEnabled

Original comment by sufferin...@gmail.com on 28 Apr 2015 at 1:50
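The sequence the thread converges on (include the target in the context, configure form-based authentication and a user, set that user as the forced user and enable forced-user mode, exclude the login request from the active scanner, then scan) is easy to get out of order when driving ZAP from the API rather than the GUI. The script below is an added example, not code from this issue or from the ZAP project: it builds that sequence as ZAP 2.4 JSON API calls (`/JSON/<component>/action/<action>/`, with the component and action names as the API exposes them) and can send it to a running ZAP, picking up the `contextId` and `userId` that ZAP assigns. The proxy address, API key, target, login URL, regex and credentials are constructed placeholders.

```python
import json
import re
from urllib.parse import urlencode, urljoin
from urllib.request import urlopen

# Assumed ZAP address and a placeholder key: replace both for a real run.
ZAP_API = "http://127.0.0.1:8080/"
API_KEY = "REPLACE-WITH-ZAP-API-KEY"


def api_call(component, action, **params):
    """Describe one ZAP JSON API action as (url, params); nothing is sent here."""
    url = urljoin(ZAP_API, f"JSON/{component}/action/{action}/")
    return url, {"apikey": API_KEY, **params}


def build_plan(context_name, target_regex, target_url, login_url, username, password):
    """Ordered API steps for form-based auth with a forced user.

    "$contextId" and "$userId" are placeholders that apply_plan fills in from
    the newContext / newUser responses, since ZAP assigns those ids.
    """
    # ZAP substitutes the {%username%}/{%password%} tokens per user at login time.
    login_data = "username={%username%}&password={%password%}"
    auth_cfg = urlencode({"loginUrl": login_url, "loginRequestData": login_data})
    cred_cfg = urlencode({"username": username, "password": password})
    return [
        api_call("context", "newContext", contextName=context_name),
        # Without this include, ZAP never treats the target as in scope for auth.
        api_call("context", "includeInContext", contextName=context_name, regex=target_regex),
        api_call("authentication", "setAuthenticationMethod", contextId="$contextId",
                 authMethodName="formBasedAuthentication", authMethodConfigParams=auth_cfg),
        api_call("users", "newUser", contextId="$contextId", name=username),
        api_call("users", "setAuthenticationCredentials", contextId="$contextId",
                 userId="$userId", authCredentialsConfigParams=cred_cfg),
        api_call("users", "setUserEnabled", contextId="$contextId", userId="$userId", enabled="true"),
        # The two calls the reporter found missing from their API setup.
        api_call("forcedUser", "setForcedUser", contextId="$contextId", userId="$userId"),
        api_call("forcedUser", "setForcedUserModeEnabled", boolean="true"),
        # Keep the scanner from using the login request itself as a test target.
        api_call("ascan", "excludeFromScan", regex=re.escape(login_url)),
        api_call("ascan", "scan", url=target_url, recurse="true"),
    ]


def action_names(plan):
    """Action name of each step, e.g. ['newContext', 'includeInContext', ...]."""
    return [url.rstrip("/").rsplit("/", 1)[1] for url, _ in plan]


def apply_plan(plan, timeout=10):
    """Send the steps to a running ZAP, capturing the ids it assigns.

    Returns the captured ids; raises URLError if ZAP is not reachable.
    """
    ids = {}
    for url, params in plan:
        filled = {k: ids.get(v, v) for k, v in params.items()}
        with urlopen(f"{url}?{urlencode(filled)}", timeout=timeout) as resp:
            body = json.load(resp)
        for key in ("contextId", "userId"):
            if key in body:
                ids[f"${key}"] = body[key]
    return ids


if __name__ == "__main__":
    # Dry run: print the call sequence. Use apply_plan(plan) against a live ZAP.
    plan = build_plan(
        context_name="app",
        target_regex=r"https://app\.example\.test.*",
        target_url="https://app.example.test/",
        login_url="https://app.example.test/login/",
        username="alice",
        password="correct-horse",
    )
    for url, params in plan:
        print(url, urlencode(params))
```

Run as a script it only prints the planned calls; `apply_plan(plan)` performs them. After applying, the check the second comment suggests still applies: the History tab should show requests tagged "Authentication" during the scan, and if it does not, the include regex or the forced-user steps are the first things to verify.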

GoogleCodeExporter commented 9 years ago
OK, thanks for letting us know.

Right, the active scan should allow scanning as a user like the spider API does.

Original comment by THC...@gmail.com on 28 Apr 2015 at 3:11

GoogleCodeExporter commented 9 years ago
Issue 1621 has been raised to allow scanning as a user, like the spider API
does.

Original comment by THC...@gmail.com on 2 May 2015 at 3:33