mozilla / minion-zap-plugin

Minion ZAP Plugin

Is session based auth supported? #48

Open joekir opened 8 years ago

joekir commented 8 years ago

If I set session tokens as in this example https://github.com/mozilla/minion-zap-plugin#options

The tokens do get set via https://github.com/mozilla/minion-zap-plugin/blob/master/minion/plugins/zap/zap_plugin.py#L59

But it's clear the cookie usage has failed, as I see an access denied on the test site I use to verify cookie auth. This is the error I receive in the logs:

ERROR HttpSender - java.lang.NullPointerException at org.zaproxy.zap.session.CookieBasedSessionManagementHelper.processMessageToMatchSession(Unknown Source) at org.zaproxy.zap.extension.httpsessions.HttpSessionsSite.processHttpRequestMessage(Unknown Source) at org.zaproxy.zap.extension.httpsessions.ExtensionHttpSessions.onHttpRequestSend(Unknown Source) at org.parosproxy.paros.network.HttpSender.notifyRequestListeners(Unknown Source) at org.parosproxy.paros.network.HttpSender.sendAndReceive(Unknown Source) at org.parosproxy.paros.network.HttpSender.sendAndReceive(Unknown Source) at org.zaproxy.zap.spider.SpiderTask.fetchResource(Unknown Source) at org.zaproxy.zap.spider.SpiderTask.run(Unknown Source) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) at java.lang.Thread.run(Thread.java:745)

I note that from dumping the session cookie info from the REST API /UI/httpSessions/view/sessionTokens/ for the target site ('Session 0'), the cookie being set has path set to '' instead of '/'. I'm wondering, is this corrected further into ZAP? (As if it's not corrected, then that cookie will not work for a target site.)

Example of one of the tokens from that API call:

{'sessionid': {'comment': '', 'domain': '', 'secure': False, 'name': 'sessionid', 'persistent': False, 'value': '8897fc4b25bd99de081dd3410394a1f56354c343', 'expiryDate': None, 'domainAttributeSpecified': False, 'version': 0, 'path': '', 'expired': False, 'pathAttributeSpecified': False}

As far as I could tell, there's no API option for setting that path variable.

I'm using ZAP 2.4.3 with Minion. Some insight into this issue would be much appreciated.

Cheers, Joe
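A pre-scan sanity check over the output of the sessionTokens view, as an added example and not code from minion-zap-plugin or ZAP: it flags tokens whose attributes would keep a client from sending them to the target, and shows the RFC 6265 default-path a browser would infer when, as in the dump above, no Path attribute is present. The target URL and the token value are constructed placeholders.

```python
from urllib.parse import urlparse

# Constructed sample in the shape of the sessionTokens view quoted in this issue.
# The session value is a placeholder, not a real token.
SESSION_TOKENS = {
    "sessionid": {"comment": "", "domain": "", "secure": False, "name": "sessionid",
                  "persistent": False, "value": "EXAMPLE_SESSION_VALUE", "expiryDate": None,
                  "domainAttributeSpecified": False, "version": 0, "path": "",
                  "expired": False, "pathAttributeSpecified": False},
}


def default_cookie_path(request_uri: str) -> str:
    """RFC 6265 section 5.1.4 default-path for a cookie with no Path attribute."""
    path = urlparse(request_uri).path
    if not path.startswith("/") or path.count("/") == 1:
        return "/"
    return path[: path.rfind("/")]


def cookie_path_matches(cookie_path: str, request_path: str) -> bool:
    """RFC 6265 section 5.1.4 path-match between a cookie path and a request path."""
    if cookie_path == request_path:
        return True
    if request_path.startswith(cookie_path):
        if cookie_path.endswith("/") or request_path[len(cookie_path)] == "/":
            return True
    return False


def audit_session_tokens(tokens: dict, target: str) -> list:
    """Return (token name, problem) pairs for tokens unlikely to be sent to target.

    An empty list means every token has a value, is unexpired, is usable over the
    target's scheme, and carries a Path that path-matches the target URL.
    """
    url = urlparse(target)
    problems = []
    for name, attrs in tokens.items():
        if not attrs.get("value"):
            problems.append((name, "empty value"))
        if attrs.get("expired"):
            problems.append((name, "already expired"))
        if attrs.get("secure") and url.scheme != "https":
            problems.append((name, "Secure flag set but target is not https"))
        if not attrs.get("pathAttributeSpecified") or attrs.get("path") == "":
            inferred = default_cookie_path(target)
            problems.append((name, f"no Path attribute; a browser would default it to {inferred!r}"))
        elif not cookie_path_matches(attrs["path"], url.path or "/"):
            problems.append((name, f"Path {attrs['path']!r} does not path-match {url.path!r}"))
    return problems
```

Run it against the dump before starting the scan; a token reported with "no Path attribute" is the condition described in this issue, surfaced before ZAP's spider hits it.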

joekir commented 8 years ago

Some further info on this issue.

When scanning a site that issues one of the default httpsession cookies that ZAP is aware of in its config, e.g. sessid, jsessionid, phpsessid:

If the site issues one of those tokens, when first being hit self.zap.urlopen(target)

Then an httpsession is provisioned successfully. Progressing from there, in minion-zap-plugin you can add your other session cookies and the scan works as required.

So the remaining question is how can we provision the httpsession, without the site being required to issue one of the listed tokens, before login? (as there are still many sites that behave like that)

ckcollins commented 8 years ago

Hi @joekir I noticed the Minion ZAP plugin only supports up to ZAP 2.4.2. Is it possible there is an incompatibility issue with the later API?