I am running a ZAP Docker full scan on my target host. However, while debugging I found that I had missed providing login information to my web application, which is also the target host. The steps are as below:

  1. When the web application is launched it does not land on the login page; instead it lands on the application setup / installation details page. Once we provide all the details and complete a questionnaire, the application lands on the login page.
  2. Initially I was running the Jenkins stage below: sh 'docker run -v /<Jenkins Path>/Reports:/zap/wrk/:rw -t docker.io/owasp/zap2docker-stable zap-full-scan.py -t https://<host>:<IP>/ -g gen.conf -r testreport.html' With the above command ZAP used to scan up to https://://login and then wrap up the scan.
  3. Then, when I started exploring further how to log ZAP in to the web application and perform the scan, I came across https://github.com/ICTU/zap-baseline and no other form-based authentication solution for ZAP Docker on the stable build. I also got the error below when I ran the command: docker run --rm -v /<Path>/Reports:/zap/wrk/:rw -t ictu/zap2docker-weekly zap-full-scan.py -I -j -m 10 -T 60 -t https://<host>:<port> -r testreport.html --hook=/zap/auth_hook.py -z "auth.loginurl=https://<ip>:<port>/<page>/login auth.username="abc" auth.password="abc123" auth.username_field="j_username" auth.password_field="j_password" auth.submit_field="j_submit""

Error

14593 [ZAP-daemon] INFO  org.zaproxy.zap.extension.dynssl.ExtensionDynSSL - Creating new root CA certificate
16732 [ZAP-daemon] INFO  org.zaproxy.zap.extension.dynssl.ExtensionDynSSL - New root CA certificate created
16737 [ZAP-daemon] ERROR org.zaproxy.zap.DaemonBootstrap - File not found 'auth.loginurl=https://<host>:<port>/<module>/login'
java.lang.Exception: File not found 'auth.loginurl=https://<host>:<port>/<module>/login'
   at org.parosproxy.paros.CommandLine.parse(CommandLine.java:304) ~[zap-D-2021-02-01.jar:D-2021-02-01]
   at org.parosproxy.paros.extension.ExtensionLoader.hookCommandLineListener(ExtensionLoader.java:1049) ~[zap-D-2021-02-01.jar:D-2021-02-01]
   at org.zaproxy.zap.DaemonBootstrap$1.run(DaemonBootstrap.java:85) [zap-D-2021-02-01.jar:D-2021-02-01]
   at java.lang.Thread.run(Thread.java:834) [?:?]
16751 [ZAP-daemon] INFO  org.zaproxy.zap.DaemonBootstrap - ZAP is now listening on 0.0.0.0:54624
56762 [ZAP-ProxyThread-11] INFO  org.zaproxy.zap.extension.httpsessions.HttpSessionsSite - Setting new active session for site '<IP>:<PORT>': HttpSession [name=auth-session, active=false, tokenValues='']
56807 [ZAP-ProxyThread-13] INFO  org.zaproxy.zap.extension.httpsessions.HttpSessionsSite - Setting new active session for site '<IP>:<PORT>': HttpSession [name=auth-session, active=true, tokenValues='JSESSIONID=<sessionid>']
67128 [ZAP-SpiderInitThread-0] INFO  org.zaproxy.zap.extension.spider.SpiderThread - Starting spidering scan on Context: ctx-zap-docker at Wed Feb 17 16:56:10 UTC 2021
67134 [ZAP-SpiderInitThread-0] INFO  org.zaproxy.zap.spider.Spider - Spider initializing...
67212 [ZAP-SpiderInitThread-0] INFO  org.zaproxy.zap.spider.Spider - Starting spider...
72093 [ZAP-PassiveScanner] INFO  org.zaproxy.zap.extension.pscan.PassiveScanThread - Disabling passive scanner Absence of Anti-CSRF Tokens as it has raised more than 10 alerts.

Is there any other way to perform a full scan with login or form-based authentication in ZAP Docker instead of a headerless scan? Also, regarding point #1: how can I perform all the initial setup and land on the login page? Or how can I bypass the initial setup and land directly on the login page? Unless the initial setup is completed the login page does not get enabled and I cannot jump to /login/.

I also got the error below:

660506 [Thread-10] INFO  org.parosproxy.paros.core.scanner.HostProcess - Scanning 541 node(s) from https://<ip>:<port>
660508 [Thread-10] INFO  org.parosproxy.paros.core.scanner.HostProcess - start host https://<ip>:<port> | PathTraversalScanRule strength LOW threshold MEDIUM
#
# A fatal error has been detected by the Java Runtime Environment:
#
#  SIGBUS (0x7) at pc=0x00007fd5508d72b5, pid=9, tid=2998
#
# JRE version: OpenJDK Runtime Environment (11.0.9.1+1) (build 11.0.9.1+1-Ubuntu-0ubuntu1.20.04)
# Java VM: OpenJDK 64-Bit Server VM (11.0.9.1+1-Ubuntu-0ubuntu1.20.04, mixed mode, sharing, tiered, compressed oops, g1 gc, linux-amd64)
# Problematic frame:
# v  ~StubRoutines::jlong_disjoint_arraycopy
#
# Core dump will be written. Default location: Core dumps may be processed with "/usr/share/apport/apport %p %s %c %d %P %E" (or dumping to /zap/core.9)
#
# An error report file with more information is saved as:
# /zap/hs_err_pid9.log
Compiled method (c2) 1152543 17502   !   4       java.nio.DirectByteBuffer::put (151 bytes)
 total in heap  [0x00007fd558d4d710,0x00007fd558d4e020] = 2320
 relocation     [0x00007fd558d4d888,0x00007fd558d4d8b8] = 48
 main code      [0x00007fd558d4d8c0,0x00007fd558d4dbc0] = 768
 stub code      [0x00007fd558d4dbc0,0x00007fd558d4dbe8] = 40
 oops           [0x00007fd558d4dbe8,0x00007fd558d4dbf0] = 8
 metadata       [0x00007fd558d4dbf0,0x00007fd558d4dc60] = 112
 scopes data    [0x00007fd558d4dc60,0x00007fd558d4df08] = 680
 scopes pcs     [0x00007fd558d4df08,0x00007fd558d4dfe8] = 224
 dependencies   [0x00007fd558d4dfe8,0x00007fd558d4dff0] = 8
 handler table  [0x00007fd558d4dff0,0x00007fd558d4e008] = 24
 nul chk table  [0x00007fd558d4e008,0x00007fd558d4e020] = 24
Compiled method (c1) 1152543 15814       3       org.hsqldb.rowio.RowOutputBinaryEncode::writeData (93 bytes)
 total in heap  [0x00007fd552311990,0x00007fd552312ba8] = 4632
 relocation     [0x00007fd552311b08,0x00007fd552311bf0] = 232
 main code      [0x00007fd552311c00,0x00007fd5523127c0] = 3008
 stub code      [0x00007fd5523127c0,0x00007fd552312860] = 160
 oops           [0x00007fd552312860,0x00007fd552312868] = 8
 metadata       [0x00007fd552312868,0x00007fd5523128a8] = 64
 scopes data    [0x00007fd5523128a8,0x00007fd552312a18] = 368
 scopes pcs     [0x00007fd552312a18,0x00007fd552312b78] = 352
 dependencies   [0x00007fd552312b78,0x00007fd552312b80] = 8
 nul chk table  [0x00007fd552312b80,0x00007fd552312ba8] = 40
Could not load hsdis-amd64.so; library not loadable; PrintAssembly is disabled
#
# If you would like to submit a bug report, please visit:
#   https://bugs.launchpad.net/ubuntu/+source/openjdk-lts
#
1 Answer

I always recommend that people use the ZAP Desktop to set up and test authentication - it's way too hard to do that without the UI. Once you have it working in the desktop you can export the settings and test that they still work in your automation environment. I recorded a set of videos about ZAP automation and authentication: https://www.zaproxy.org/addo-auth-workshop/ and am recording some more right now as part of the Deep Dive series: https://www.zaproxy.org/zap-deep-dive/

Take it one step at a time - there's no point in trying to do everything at once because there's very little chance it will work first time, and you'll not know where to start when trying to fix things.
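The following is an added example for the automation side of the answer, illustrating the `--hook` mechanism the question is already using; it is not code from the question, the answer or the ZAP project. It is a hook script for zap-full-scan.py (or zap-baseline.py) whose `zap_started(zap, target)` function configures form-based authentication through the ZAP API before the spider and active scan run: a context for the target, cookie-based session management, the login request with the `j_username`/`j_password` fields from the question, a user with credentials, and Forced User mode so every request ZAP sends inside the context is authenticated. The settings are read from environment variables (names chosen for this example; pass them with `docker run -e ...` and mount the script under /zap/wrk) rather than through `-z`, because `-z` is forwarded to the ZAP command line, which is what produced the "File not found 'auth.loginurl=...'" error in the log above. For the route the answer describes, the scan scripts also accept `-n <context file> -U <user>` for a context exported from the desktop, which needs no hook at all.

```python
# Added example, not code from the question, the answer or the ZAP project:
# a --hook script for zap-full-scan.py / zap-baseline.py that configures
# form-based authentication through the ZAP API in the zap_started hook.
# Environment variable names and CONTEXT_NAME are assumptions of this example.
import os
import re
import urllib.parse

REQUIRED = {
    "login_url": "ZAP_AUTH_LOGIN_URL",
    "username": "ZAP_AUTH_USERNAME",
    "password": "ZAP_AUTH_PASSWORD",
}
OPTIONAL = {  # setting -> (env var, default)
    "username_field": ("ZAP_AUTH_USERNAME_FIELD", "username"),
    "password_field": ("ZAP_AUTH_PASSWORD_FIELD", "password"),
    # Java regex matched against responses; a match means the session is live.
    "logged_in_regex": ("ZAP_AUTH_LOGGED_IN_REGEX", "(?i)logout"),
    # URLs the spider must never request, or it logs the session out.
    "exclude_regex": ("ZAP_AUTH_EXCLUDE_REGEX", r".*logout.*"),
}
CONTEXT_NAME = "auth-ctx"


def read_settings(env):
    """Collect auth settings from a mapping such as os.environ.

    Raises ValueError naming every missing required variable, so a
    misconfigured pipeline fails before ZAP spends an hour scanning
    unauthenticated."""
    missing = [var for var in REQUIRED.values() if not env.get(var)]
    if missing:
        raise ValueError("missing environment variables: " + ", ".join(missing))
    settings = {key: env[var] for key, var in REQUIRED.items()}
    for key, (var, default) in OPTIONAL.items():
        settings[key] = env.get(var, default)
    return settings


def form_auth_params(login_url, username_field, password_field):
    """Build the authMethodConfigParams string for formBasedAuthentication.

    ZAP expects loginUrl and loginRequestData as a URL-encoded query string;
    the {%username%} / {%password%} placeholders are filled in at login time."""
    request_data = f"{username_field}={{%username%}}&{password_field}={{%password%}}"
    return ("loginUrl=" + urllib.parse.quote(login_url, safe="")
            + "&loginRequestData=" + urllib.parse.quote(request_data, safe=""))


def credential_params(username, password):
    """Build the authCredentialsConfigParams string for a user."""
    return ("username=" + urllib.parse.quote(username, safe="")
            + "&password=" + urllib.parse.quote(password, safe=""))


def target_regex(target):
    """Context include regex: the scan target and everything below it."""
    return re.escape(target.rstrip("/")) + ".*"


def in_scope(target, url):
    """True when url falls inside the context built for target."""
    return re.fullmatch(target_regex(target), url) is not None


def zap_started(zap, target):
    """Called by the ZAP docker scripts once ZAP is up, before spidering.

    `zap` is the python ZAP API client, `target` is the -t value."""
    s = read_settings(os.environ)
    ctx_id = zap.context.new_context(CONTEXT_NAME)
    zap.context.include_in_context(CONTEXT_NAME, target_regex(target))
    zap.context.exclude_from_context(CONTEXT_NAME, s["exclude_regex"])
    zap.sessionManagement.set_session_management_method(
        ctx_id, "cookieBasedSessionManagement")
    zap.authentication.set_authentication_method(
        ctx_id, "formBasedAuthentication",
        form_auth_params(s["login_url"], s["username_field"], s["password_field"]))
    zap.authentication.set_logged_in_indicator(ctx_id, s["logged_in_regex"])
    user_id = zap.users.new_user(ctx_id, s["username"])
    zap.users.set_authentication_credentials(
        ctx_id, user_id, credential_params(s["username"], s["password"]))
    zap.users.set_user_enabled(ctx_id, user_id, "true")
    # Forced User mode: every request ZAP sends inside the context (spider
    # and active scanner included) is made as this user, and ZAP re-runs the
    # login when the logged-in indicator stops matching.
    zap.forcedUser.set_forced_user(ctx_id, user_id)
    zap.forcedUser.set_forced_user_mode_enabled("true")
    print(f"auth_hook: context {ctx_id}, user {user_id} forced for {target}")
```

Run it with something like `docker run --rm -v "$PWD":/zap/wrk/:rw -e ZAP_AUTH_LOGIN_URL=https://<host>:<port>/<module>/login -e ZAP_AUTH_USERNAME=abc -e ZAP_AUTH_PASSWORD=abc123 -e ZAP_AUTH_USERNAME_FIELD=j_username -e ZAP_AUTH_PASSWORD_FIELD=j_password -t owasp/zap2docker-stable zap-full-scan.py -t https://<host>:<port>/ -r testreport.html --hook=/zap/wrk/auth_hook.py` (paths and variable values are placeholders). The logged-in indicator and the logout exclusion are the two settings most worth getting right: without the first ZAP cannot tell a session has expired, and without the second the spider will find the logout link and silently turn the rest of the scan unauthenticated. Both are far easier to work out in the desktop first, as the answer says, and then copied into the environment variables.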