
I'm trying to do some penetration testing of a REST API using ZAP. The API uses Windows authentication [domain\username] and is hosted locally on a specific port. First I did a test using Postman to try to connect and make an example request. My config looked like this:


I decided to replicate this setup in OWASP ZAP. I set up my user:


then I set up authentication options in session properties:


and session management options:


I get Unauthorized and BadRequest responses when trying to perform an Active Scan in ZAP. I tried different user names and ports, but it seems that there is some small piece missing in my config. I came across a link on their GitHub page:

HTTP/1.1 401 Unauthorized

but it didn't solve my problem.

How should I set up ZAP to use NTLM authentication? I'm surprised that I was able to set this up in Postman in 5 minutes, but in ZAP it has taken me two days already and still nothing.

Oh, and not to mention that in C# code it was also 10 minutes of work using default credentials injected into HttpClient through the HttpClientHandler class:

using System;
using System.Net;
using System.Net.Http;

// Use the current Windows logon (NTLM/Negotiate) for the request.
ICredentials credentials = CredentialCache.DefaultCredentials;
var clientHandler = new HttpClientHandler()
{
    Credentials = credentials
};

var client = new HttpClient(clientHandler);
// apiUrl is the locally hosted API endpoint (defined elsewhere).
var resp = client.GetAsync(new Uri(apiUrl)).Result;

Any help appreciated. Thank you

Chris4D
  • I thumbed through the GitHub issue you provided and saw advice to include the target URL in the context. Did you do that in ZAP? I can't see that pointed out in your post. – GrayCat Sep 03 '18 at 07:59
  • Yes I did try that as well – Chris4D Sep 04 '18 at 14:35
  • Did you resolve this? I'm facing the exact issue. Got to the same place as you. – Edza Sep 11 '18 at 08:02
  • You're doing NTLM against localhost on port 80? Not impossible, just want to be sure that's what you really meant. Also, does your context definition include everything on the server or within a particular path (ex: regex ending .*)? – kingthorin Sep 11 '18 at 18:22
  • @kingthorin what port should be used then? I mean - should it be a port on which IIS runs or rather the one that application being tested listens on? Or maybe there is any good documentation on this feature of ZAP, examples? – GrayCat Oct 30 '18 at 14:02
  • Like I said, it isn't necessarily wrong. I just wanted to double check. It's kinda generally bad form to send auth over 80. – kingthorin Oct 30 '18 at 17:10
  • It's been a while since I used Owasp ZAP, but I remember having similar issues with NTLM. What I did was to configure the credentials in the Forced User option and then in the main menu selected the option 'Edit > Enable Forced User Mode'. – Kuikiker Mar 25 '19 at 08:13

1 Answer

Was stuck on the same issue. Thank God, it got resolved after 4 days of effort just to find a small setting.

Just make sure to enable: Forced User Mode. Not sure why I need to select this, even when I have selected only one user in authentication, and that one enabled. This also makes sense, but it should be mentioned as information in the authentication popup, to help a beginner like me.


Suraj Kumar
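The setup the question walks through and the Forced User Mode step from the answer, scripted against ZAP's JSON API so it is repeatable. This is an added example, not code from the poster or from the ZAP project; it assumes ZAP listening on 127.0.0.1:8080 with an API key, and the endpoint and parameter names (httpAuthentication with hostname/port/realm, credentials as username/password) as documented in ZAP's API UI, which you should confirm against your ZAP build.

```python
"""Configure ZAP for NTLM (HTTP authentication) plus Forced User Mode via its JSON API."""
import json
from urllib.parse import urlencode
from urllib.request import urlopen

ZAP_API = "http://127.0.0.1:8080"    # assumption: ZAP's default local API address
API_KEY = "REPLACE_WITH_ZAP_API_KEY" # placeholder: ZAP > Tools > Options > API

def api_url(component, action, **params):
    """Build one ZAP JSON-API action URL. Pure function: nothing is sent."""
    params["apikey"] = API_KEY
    return f"{ZAP_API}/JSON/{component}/action/{action}/?{urlencode(params)}"

def call(url):
    """Send one action to ZAP and return its parsed JSON reply."""
    with urlopen(url, timeout=10) as resp:
        return json.loads(resp.read().decode())

def auth_method_params(host, port, realm=""):
    """Config string for ZAP's 'httpAuthentication' method (used for NTLM); realm may be empty."""
    return urlencode({"hostname": host, "port": port, "realm": realm})

def credential_params(domain_user, password):
    """NTLM credentials: ZAP takes DOMAIN\\username in the username field."""
    return urlencode({"username": domain_user, "password": password})

def configure_ntlm(context_name, include_regex, host, port, domain_user, password, send=call):
    """Run the whole sequence; 'send' is injectable so the flow can be checked without ZAP."""
    ctx = send(api_url("context", "newContext", contextName=context_name))["contextId"]
    # The target URL must be inside the context, as the comments on the question note.
    send(api_url("context", "includeInContext", contextName=context_name, regex=include_regex))
    send(api_url("authentication", "setAuthenticationMethod", contextId=ctx,
                 authMethodName="httpAuthentication",
                 authMethodConfigParams=auth_method_params(host, port)))
    user = send(api_url("users", "newUser", contextId=ctx, name=domain_user))["userId"]
    send(api_url("users", "setAuthenticationCredentials", contextId=ctx, userId=user,
                 authCredentialsConfigParams=credential_params(domain_user, password)))
    send(api_url("users", "setUserEnabled", contextId=ctx, userId=user, enabled="true"))
    # The step the answer calls out: pick a forced user and switch Forced User Mode on,
    # otherwise the Active Scan sends requests without the NTLM credentials.
    send(api_url("forcedUser", "setForcedUser", contextId=ctx, userId=user))
    send(api_url("forcedUser", "setForcedUserModeEnabled", boolean="true"))
    return {"contextId": ctx, "userId": user}

if __name__ == "__main__":
    # Constructed sample values; replace with the real host, port and account.
    print(configure_ntlm("api-ctx", r"http://localhost:5000/.*", "localhost", 5000,
                         r"CORP\svc-tester", "S3cret!"))
```

After running it, the ZAP History tab should show the scanner's requests carrying the Authorization header instead of the 401s described in the question.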