Issue (Open), opened by yeukhon 11 years ago
We have attempted to do the same as #11 by using set_login_url. For a very, very simple site like the following, this works.
```python
from flask import Flask, make_response, request

app = Flask(__name__)


def check(auth):
    # Hard-coded credentials: this is only a throwaway test target
    if auth.username == 'user' and auth.password == 'pwd':
        return True
    else:
        return False


@app.route('/', methods=['GET', 'POST'])
def root():
    # HTTP Basic auth: answer 401 with a challenge until valid credentials arrive
    m = make_response('hello')
    m.headers['WWW-Authenticate'] = 'Basic realm="Restricted Area"'
    m.status_code = 401
    auth = request.authorization
    print(type(request.data))
    print(request.authorization)
    if not auth or not check(auth):
        return m
    else:
        return make_response('good')


@app.route('/form', methods=['GET', 'POST'])
def form():
    # Form-based auth: GET serves the form, POST checks the submitted fields
    f = """\
<html>
<body>
<form method="post" action="/form">
User: <input type="text" name="username" size="12" /> <br />
Password: <input type="text" name="password" size="12" /> <br />
<input type="submit" value="login" />
</form>
</body>
</html>
"""
    if request.method == 'POST':
        print(request.form['username'])
        print(request.form['password'])
        if request.form['username'] == 'user' and request.form['password'] == 'pwd':
            return make_response('good')
        else:
            return make_response('bad')
    else:
        return make_response(f)


if __name__ == '__main__':
    # app.run('0.0.0.0')
    app.run()
```
But for more complicated forms, usually those involving a CSRF token, this will not work. We are also investigating cookie-based.
Form-auth is not so easy directly via the API.
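The CSRF case mentioned above, as an added example that is not from this issue or from the Minion/ZAP code: a stdlib-only sketch of a login form whose hidden `csrf_token` is issued per session, the client-side fetch-then-post that a static login URL and body cannot perform, and the server-side check that rejects a replayed or token-less body. The page markup, field names and function names are assumptions.

```python
import secrets
from html.parser import HTMLParser
from urllib.parse import urlencode, parse_qs

# Constructed sample: a login page whose form carries a per-session hidden
# CSRF token, the case the issue says set_login_url cannot handle.
SAMPLE_LOGIN_PAGE = """<html><body>
<form method="post" action="/form">
  <input type="hidden" name="csrf_token" value="{token}" />
  User: <input type="text" name="username" size="12" /> <br />
  Password: <input type="password" name="password" size="12" /> <br />
  <input type="submit" value="login" />
</form>
</body></html>"""


class FormFieldParser(HTMLParser):
    """Collect the name/value of every non-submit <input> on the page."""
    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and a.get("type") != "submit" and "name" in a:
            self.fields[a["name"]] = a.get("value", "")


def build_login_body(page_html, username, password):
    """Client side: fetch-then-post. Hidden fields (the token) come from the
    freshly served page, so the body differs for every session."""
    parser = FormFieldParser()
    parser.feed(page_html)
    fields = dict(parser.fields, username=username, password=password)
    return urlencode(fields)


def issue_session_token():
    """Server side: a fresh random token bound to the new session (store assumed)."""
    return secrets.token_hex(16)


def validate_login(body, session_token, valid=("user", "pwd")):
    """Server side: reject any POST whose token is missing or not this session's."""
    form = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    if not secrets.compare_digest(form.get("csrf_token", ""), session_token):
        return "bad: csrf"
    if (form.get("username"), form.get("password")) == valid:
        return "good"
    return "bad"
```

A scanner that replays one recorded body sees only "bad: csrf" once the session changes, which is why the login request data has to be rebuilt from the served form each time.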
Steps to come up with solution:
I have done step 1 and step 2. I was testing 3 but that required me to upgrade the zap python api client to the latest version (including building one myself). I will try again tomorrow.
I'm relatively new to Minion/ZAP...where is the limitation?
Also, is there a branch for this? Thanks!
We would like to login websites using zap by doing form-based authentication.