yeukhon
commented
11 years ago I have attempted to do basic authentication via the following code:
from zapv2 import ZAPv2 as zap
z = zap(proxies={'http': 'http'://127.0.0.1:9999'})
z.context.new_context()
z.auth.set_login_url(1, 'http://127.0.0.1:5000/', postdata='username=user&password=pwd')
z.auth.set_login_indicator(1, 'you are logged in')
z.auth.login(1)But the code will return false.
So postdata submits strings, so apps like Flask cannot regonize that if Flask uses request.authorization which is really the correct method here. Therefore, sites that uses basic auth can't login with postdata either.
It also turns out that, according to @psiinon, the python api doesn't have the proper power to do basic auth either. The two ways possible:
- populate stdin with user's supplied username and password and call
`z.urlopen(url). This method call will trigger a prompt. We can redirect the populated stdin. That should work. - for each scan, we create a profile for the scan by inserting
<auth>...</auth>in config.xml. https://gist.github.com/yeukhon/afb460491fe591553bc3
I believe we are after the 2nd method, using profile to perform login.
Sites that send
www-authenticateheaders will prompt or expect basic auth. Example sites from mozilla are intranet and ldap.