ashenchowthee / zaproxy

Automatically exported from code.google.com/p/zaproxy

Spider with included credential in NTLM/Kerberos #1637

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Hello ZAP team,

I have an ASP.NET website using Active Directory (for authorized users only). 
The application is configured to use Kerberos authentication. I've used ZAP to 
scan my website many times but I can't seem to get it to work in any way. Every 
time I click attack, the output is "No indicators have been set for identify 
authentication. Assuming response is authenticated for 
http://intranet.corp.com/ims"

What steps will reproduce the problem?
1.Open ZAP > Session Properties.
2.In Include in context setting, type \Qhttp://intranet.corp.com/ims\E
3.In Authentication setting, select HTTP/NTLM Authentication
  - In Hostname setting, type http://intranet.corp.com/ims.
  - In Port setting, type 80
  - In Realm setting, type CORP\administrator
4.In Users setting, add a new user with the following information
  - Username: administrator
  - Enabled: (checked)
  - Username: corp\administrator
  - Password: 123456
5.In Forced User setting, select the user I just created (step 4)
6.In Session Management setting, select Http Authentication Session Management
7.Open Tool > Options > Local proxy. Use 127.0.0.1 and port 8080.
8.Open Internet Explorer and configure it to use the above proxy
9.Use Spider to crawl the website.

What is the expected output? What do you see instead?
I wanted the spider to crawl all URLs in my website with my given credential. 
However, the spider can't seem to crawl them all. I have to browse each URL in order 
for ZAP to add it to the Sites tree. 

What version of the product are you using? On what operating system?
ZAP 2.4.0. The tool ran in Windows Server 2012 R2. The latest Java version is 
installed.

Please provide any additional information below.

Original issue reported on code.google.com by thuansol...@gmail.com on 13 May 2015 at 3:38

GoogleCodeExporter commented 9 years ago
That message means that no "Logged In/Out" indicator [1] was added in the 
"Authentication" panel (the two fields at the bottom).
If both are empty ZAP assumes that the message is already authenticated and no 
authentication is performed.

Note that the regex used in the "Include in context" does not include 
sub-pages. The authentication will be performed only when accessing that exact 
URL.

[1] https://code.google.com/p/zaproxy/wiki/HelpStartConceptsAuthentication

Original comment by THC...@gmail.com on 13 May 2015 at 4:07

GoogleCodeExporter commented 9 years ago
Can you please give your advice on how to include the given credential for the spider 
to scan with? What is the correct regex that I can use to crawl the sub-pages 
(http://intranet.corp.com/ims)?

Thank you very much for your support.

Original comment by thuansol...@gmail.com on 14 May 2015 at 8:26

GoogleCodeExporter commented 9 years ago
You can include all sub-pages with the following regex:
\Qhttp://intranet.corp.com/ims\E.*

btw, are you specifying the user in the "Spider" [1] dialogue or enabling 
"Forced User" mode [2] ?
I would suggest the former as it affects just the spider (instead of all 
messages sent/proxied by ZAP).

[1] https://code.google.com/p/zaproxy/wiki/HelpUiDialogsSpider
[2] https://code.google.com/p/zaproxy/wiki/HelpUiTltoolbar#/_Force_User_Mode_On_/_Off

Original comment by THC...@gmail.com on 14 May 2015 at 9:24

GoogleCodeExporter commented 9 years ago
Sorry, I'm pretty new to ZAP. Like any crawler, I would like the ZAP spider to learn 
my website and crawl all URLs. Can I have both Spider and Forced User? Or do I 
have to disable Forced User to use the Spider?

Original comment by thuansol...@gmail.com on 14 May 2015 at 1:04

GoogleCodeExporter commented 9 years ago
Yes, you can; the "Forced User" mode will make the spider send the requests from the 
perspective of the selected user.

I was only suggesting selecting the user in the spider dialogue as it gives 
more flexibility: while the spider runs you can still test the app 
(manually, active scan, fuzzer...) using other users (or unauthenticated) 
without interference from the forced user settings.

Original comment by THC...@gmail.com on 14 May 2015 at 3:12

GoogleCodeExporter commented 9 years ago
From the Authentication setting, I select HTTP/NTLM Authentication with the 
following information:
  - In Hostname setting, type http://intranet.corp.com/ims.
  - In Port setting, type 80
  - In Realm setting, type CORP\administrator

However, in the "Regex pattern identified in Logged In/Logged Out response 
message" fields, what do I have to enter? Can I leave them blank? Please give a sample 
and your advice.

Original comment by thuansol...@gmail.com on 17 May 2015 at 6:23

GoogleCodeExporter commented 9 years ago
Is there anyone that can help me answer the last question about Regex?
Thank you.

Original comment by thuansol...@gmail.com on 24 May 2015 at 2:38

GoogleCodeExporter commented 9 years ago
Sorry, this was on the to-do list.

At least one of the fields must be filled.
You should enter in the "Logged In" regex something that identifies the user as 
logged in. For example, you can enter the text shown to the user to log out, 
e.g. Sign out
Or enter in the "Logged Out" regex the text that's shown to log in, e.g. Sign in

Original comment by THC...@gmail.com on 24 May 2015 at 2:58
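The two points the ZAP developer makes above, that `\Q...\E` without a trailing `.*` matches only the exact URL, and that with both indicator fields empty ZAP assumes every response is authenticated, can be checked offline. The following is an added example, not code from the ZAP project or from anyone in this thread. It builds the include regex in ZAP's Java syntax, translates the `\Q...\E` quoting into Python's `re` (which has no such escape) to show which URLs fall in scope, and runs Logged In / Logged Out indicators over two constructed HTML bodies. The precedence between the two indicators when both are set, the `configure_and_spider` helper, the `zapv2` client calls it uses, the realm value `CORP`, and the sample pages are all assumptions of this example, not facts stated in the thread.

```python
import re

# URL and credentials from the issue; the HTML bodies below are constructed samples.
BASE_URL = "http://intranet.corp.com/ims"
AUTHENTICATED_PAGE = (
    "<html><body><a href='/ims/logout'>Sign out</a>"
    " Welcome, corp\\administrator</body></html>"
)
LOGIN_PAGE = (
    "<html><body><form action='/ims/login'>"
    "<button>Sign in</button></form></body></html>"
)


def zap_include_regex(base_url: str, include_subpages: bool = True) -> str:
    """Build the Java regex string to paste into ZAP's "Include in context" field.
    \\Q...\\E makes the URL literal; the trailing .* brings sub-pages into scope."""
    pattern = "\\Q" + base_url + "\\E"
    return pattern + ".*" if include_subpages else pattern


def java_quoted_to_python(pattern: str) -> "re.Pattern[str]":
    """Python's re has no \\Q...\\E, so rewrite each quoted span with re.escape().
    Only the quoting is translated; the rest of the pattern passes through."""
    translated = re.sub(r"\\Q(.*?)\\E", lambda m: re.escape(m.group(1)), pattern, flags=re.S)
    return re.compile(translated)


def in_scope(include_pattern: str, url: str) -> bool:
    """ZAP's context test requires the whole URL to match (Java matches() semantics),
    which is why the pattern without .* covers only the exact URL."""
    return java_quoted_to_python(include_pattern).fullmatch(url) is not None


def session_state(body: str, logged_in_regex: str = "", logged_out_regex: str = "") -> str:
    """Decide whether a response looks authenticated using ZAP-style indicators.
    Both empty: assumed authenticated, as the developer explains above.
    Assumption of this example: a matching Logged In indicator wins, then a matching
    Logged Out indicator; if the only indicator set does not match, its opposite holds."""
    if not logged_in_regex and not logged_out_regex:
        return "assumed-authenticated"
    if logged_in_regex and re.search(logged_in_regex, body):
        return "authenticated"
    if logged_out_regex and re.search(logged_out_regex, body):
        return "unauthenticated"
    return "unauthenticated" if logged_in_regex else "authenticated"


def configure_and_spider(api_key: str, zap_addr: str = "http://127.0.0.1:8080") -> str:
    """Hypothetical driver for the python-owasp-zap-v2.4 client (pip install
    python-owasp-zap-v2.4); needs a running ZAP and is not exercised offline.
    Check parameter order of scan_as_user against the installed client version."""
    from zapv2 import ZAPv2  # imported lazily so the rest of the module runs without ZAP

    zap = ZAPv2(apikey=api_key, proxies={"http": zap_addr, "https": zap_addr})
    ctx_name = "ims"
    ctx_id = zap.context.new_context(ctx_name)
    zap.context.include_in_context(ctx_name, zap_include_regex(BASE_URL))
    # Hostname is the host only, not the full URL; realm "CORP" is an assumed value.
    zap.authentication.set_authentication_method(
        ctx_id, "httpAuthentication", "hostname=intranet.corp.com&port=80&realm=CORP"
    )
    zap.authentication.set_logged_in_indicator(ctx_id, "Sign out")
    zap.authentication.set_logged_out_indicator(ctx_id, "Sign in")
    user_id = zap.users.new_user(ctx_id, "administrator")
    zap.users.set_authentication_credentials(
        ctx_id, user_id, "username=corp%5Cadministrator&password=123456"
    )
    zap.users.set_user_enabled(ctx_id, user_id, "true")
    # Spider as that user only, leaving Forced User mode off for manual testing.
    return zap.spider.scan_as_user(contextid=ctx_id, userid=user_id, url=BASE_URL, recurse="true")


if __name__ == "__main__":
    exact, subtree = zap_include_regex(BASE_URL, False), zap_include_regex(BASE_URL)
    for url in (BASE_URL, BASE_URL + "/reports?id=1", "http://intranet.corp.com/other"):
        print(f"{url}: exact={in_scope(exact, url)} subtree={in_scope(subtree, url)}")
    print(session_state(AUTHENTICATED_PAGE), session_state(LOGIN_PAGE, logged_in_regex="Sign out"))
```

Running the module prints which URLs each include pattern covers and shows that a body with no indicators configured is reported as assumed-authenticated even when it is the login page, which is the symptom in the original report.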

GoogleCodeExporter commented 9 years ago
ZAP has been migrated to github

This issue will be on github issues with the same ID: 
https://github.com/zaproxy/zaproxy/issues

Original comment by psii...@gmail.com on 5 Jun 2015 at 9:18