I followed these steps:

  1. Record a Zest script (tested to be working)
  2. Include the site in a context
  3. Add a user
  4. Select the forced user
  5. Upload the script and select script-based authentication
  6. Define the logout indicator
  7. Exclude logout from the spider
  8. Run the Ajax spider, selecting the context and user

What did I miss?

user3399273

2 Answers

I realized it's a bug with the technique I was using to create the Zest script. If we start the recording directly and select an authentication script, it does not automatically populate all the parameters and the login URL option. Scripts --> New script --> Authentication --> Create new script and save --> Now start recording makes it work. Also, you need to Edit --> Enable Session tracking to help make it persistent.

user3399273

We detail some ways to diagnose authentication issues here: https://github.com/zaproxy/zaproxy/wiki/FAQformauth

If the "Forced User Mode disabled - click to enable" button is not enabled, then you have not configured enough information for ZAP to authenticate; double-check that you have performed all of the above steps.

If you have enabled forced user mode and are still not logged in when you access your application, then look at the requests in the History tab:

  • If there is no login request, then you have probably not chosen a suitable "logged in/out" indicator; try changing it and trying again
  • If there is a login request, then look at the request and response and see if you can work out why the login failed; you may need to change the request or even make multiple requests

If you need to make multiple requests to log in, then the best option is to record a Zest authentication script and test it in isolation first.

Simon Bennetts
  • I have forced user mode enabled; the regex patterns could be a problem. I tried a bunch though: `\QLogout\E` `\QLogin\E` `\Qlogout\E` `\Qlogin\E` for the logged-in response and logged-out response respectively. I tested the Zest script to be working as well. Trying this on BodgeIt. – user3399273 Sep 28 '16 at 15:11
  • The authentication attempt is never being made. – user3399273 Sep 28 '16 at 15:17
  • Form-based works. It's the Zest script which I need to be working. I noticed this error in the script console: `org.apache.commons.httpclient.URIException: URI-Reference requiredorg.apache.commons.httpclient.URIException: URI-Reference required` – user3399273 Sep 28 '16 at 20:19
  • Is there a stack trace? Might be better to open an issue (either on Zest or ZAP) just so that we can track it... – Simon Bennetts Sep 29 '16 at 15:26
  • I realized it's a bug with the technique I was using to create the Zest script. If we start the recording directly and select an authentication script, it does not automatically populate all the parameters and the login URL option. Scripts --> New script --> Authentication --> Create new script and save --> Now start recording makes it work. Also, you need to Edit --> Enable Session tracking to help make it persistent. – user3399273 Sep 29 '16 at 17:52
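The "no login request in the History tab" symptom in the answer above usually means the logged-in/logged-out indicators never tell ZAP that the session is unauthenticated, so it never fires the authentication script. The following is an added example, not code from the thread or from ZAP itself: a small Python model of how such indicators classify a response, run over constructed HTTP responses (not captured from BodgeIt), plus a pre-flight check you can run against one known-authenticated and one known-unauthenticated response before configuring them in ZAP. Two points are assumptions of mine rather than anything this page states: that a matching logged-in indicator takes precedence over the logged-out one when both match, and that with no indicator configured the session is treated as authenticated. ZAP's `\Q...\E` literal-quoting is Java regex syntax that Python's `re` does not understand, so the block emulates it with `re.escape`.

```python
import re
from typing import List, Optional

# Constructed sample responses (not real BodgeIt traffic). Status line and
# headers are included because ZAP looks at both headers and body.
LOGGED_OUT_PAGE = """HTTP/1.1 200 OK
Content-Type: text/html

<html><body>
<a href="login.jsp">Login</a>
<h1>Welcome, guest</h1>
</body></html>"""

LOGGED_IN_PAGE = """HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: JSESSIONID=constructed-value; Path=/

<html><body>
<a href="logout.jsp">Logout</a>
<h1>Welcome, alice</h1>
</body></html>"""

# A page whose navigation always shows both links, whatever the session
# state. With "Logout" as the logged-in indicator this response always
# looks authenticated, so ZAP would never send the login request.
AMBIGUOUS_PAGE = """HTTP/1.1 200 OK
Content-Type: text/html

<html><body>
<nav><a href="login.jsp">Login</a> | <a href="logout.jsp">Logout</a></nav>
<h1>Welcome, guest</h1>
</body></html>"""


def literal_indicator(text: str) -> str:
    """Equivalent of the \\Q...\\E literal regex ZAP's GUI produces, for Python."""
    return re.escape(text)


def is_authenticated(response: str,
                     logged_in_regex: Optional[str],
                     logged_out_regex: Optional[str]) -> bool:
    """Classify one response the way an indicator-based check does.

    Assumed precedence (my reading, not quoted from ZAP):
      1. no indicator configured            -> treated as authenticated
      2. logged-in indicator matches        -> authenticated
      3. logged-out indicator does NOT match-> authenticated
      4. otherwise                          -> unauthenticated
    """
    if not logged_in_regex and not logged_out_regex:
        return True
    if logged_in_regex and re.search(logged_in_regex, response):
        return True
    if logged_out_regex and not re.search(logged_out_regex, response):
        return True
    return False


def check_indicators(logged_in_regex: Optional[str],
                     logged_out_regex: Optional[str],
                     known_in: str,
                     known_out: str) -> List[str]:
    """Pre-flight check: each indicator must match exactly one of the two
    reference responses. Returns a list of problems; empty means usable."""
    problems = []
    if logged_in_regex:
        if not re.search(logged_in_regex, known_in):
            problems.append("logged-in indicator does not match the authenticated response")
        if re.search(logged_in_regex, known_out):
            problems.append("logged-in indicator also matches the unauthenticated response")
    if logged_out_regex:
        if not re.search(logged_out_regex, known_out):
            problems.append("logged-out indicator does not match the unauthenticated response")
        if re.search(logged_out_regex, known_in):
            problems.append("logged-out indicator also matches the authenticated response")
    if not problems and not (logged_in_regex or logged_out_regex):
        problems.append("no indicator configured; every response will be treated as authenticated")
    return problems


if __name__ == "__main__":
    login_ind = literal_indicator("Logout")   # the comment's \QLogout\E
    logout_ind = literal_indicator("Login")   # the comment's \QLogin\E
    for name, page in [("logged-out", LOGGED_OUT_PAGE),
                       ("logged-in", LOGGED_IN_PAGE),
                       ("ambiguous", AMBIGUOUS_PAGE)]:
        print(f"{name:>10}: authenticated={is_authenticated(page, login_ind, logout_ind)}")
    print("good pair :", check_indicators(login_ind, logout_ind, LOGGED_IN_PAGE, LOGGED_OUT_PAGE))
    print("bad pair  :", check_indicators(login_ind, logout_ind, LOGGED_IN_PAGE, AMBIGUOUS_PAGE))
```

If `check_indicators` reports that an indicator matches both reference responses, pick text that only appears in one state (a username in a greeting, a CSRF token field on the login form, a `Set-Cookie` clearing the session) rather than navigation labels; once the indicator is right, a forced-user request to an unauthenticated page will show up in the History tab followed by the script's login request.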