Mh07

Reputation: 33

Form Based Authentication OWASP ZAP for HTTPS application

I'm trying to use the Form-Based Authentication feature of OWASP ZAP using ZAP's Python API.

I noticed that while using an HTTP application (for example, http://demo.testfire.net/) it is able to spider and give additional URLs once logged in. However, when I try the same for an HTTPS application it isn't fetching additional URLs once logged in.

My question here is: does ZAP support Form-Based authentication for HTTP-related web applications only?

Upvotes: 2

Views: 6562

Answers (1)

Simon Bennetts

Reputation: 6186

Yes, and we have a FAQ for it: https://github.com/zaproxy/zaproxy/wiki/FAQformauth

It's difficult to debug issues when just using the API, so I recommend using the UI first and, once you've got that working, converting what you've done to the API.

Via the UI:

  1. Explore your app while proxying through ZAP
  2. Login using a valid username and password
  3. Define a Context, e.g. by right clicking the top node of your app in the Sites tab and selecting "Include in Context"
  4. Find the 'Login request' in the Sites or History tab
  5. Right click it and select "Flag as Context" / "Form-based Auth Login request"
  6. Check that the Username and Password parameters are set correctly - they almost certainly won't be!
  7. Find a string in a response which can be used to determine if the user is logged in or not
  8. Highlight this string, right click and select "Flag as Context" / "Logged in/out Indicator" as relevant - you only need to set one of these, not both
  9. Double click on the relevant Context node and navigate to the "Users" page - check the user details are correct, add any other users you want to use and enable them all
  10. Navigate to the Context "Forced User" page and make sure the user you want to test is selected
  11. The "Forced User Mode disabled - click to enable" button should now be enabled
  12. Pressing this button in will cause ZAP to resend the authentication request whenever it detects that the user is no longer logged in, i.e. by using the 'logged in' or 'logged out' indicator.

Via the API the process is the same but using the API calls:

  context/includeInContext
  authentication/setAuthenticationMethod
      authMethodName : formBasedAuthentication
      authMethodConfigParams : loginUrl=http://example.com/login.html&loginRequestData=username%3D%7B%25username%25%7D%26password%3D%7B%25password%25%7D
  authentication/setLoginIndicator or setLogoutIndicator
  forcedUser/setForcedUserModeEnabled

The values for the authMethodConfigParams parameters must be URL encoded; in this case loginRequestData is username={%username%}&password={%password%}

Upvotes: 4
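The API sequence from the answer above, worked through in Python as an added example that is not part of the original answer or of ZAP's own client code; it builds and self-checks the URL-encoded authMethodConfigParams value offline, without a running ZAP. The per-call parameter names, the apikey query parameter, the default port 8080, the API key placeholder and the regex values are assumptions to confirm against your own ZAP instance.

```python
from urllib.parse import parse_qs, quote, urlencode

# Constructed sample values, not a real target. {%username%} and {%password%}
# are ZAP's own placeholders, replaced with each context user's credentials
# when ZAP replays the login request.
LOGIN_URL = "http://example.com/login.html"
LOGIN_REQUEST_DATA = "username={%username%}&password={%password%}"


def build_auth_method_config_params(login_url, login_request_data):
    """Value for authMethodConfigParams. ZAP splits it as key=value&key=value,
    so '=', '&', '{', '%' and '}' inside loginRequestData must be encoded;
    ':' and '/' are kept so a plain URL reads as in the answer above."""
    return "&".join(
        f"{key}={quote(value, safe=':/')}"
        for key, value in (("loginUrl", login_url),
                           ("loginRequestData", login_request_data)))


def decode_auth_method_config_params(encoded):
    """Reverse the encoding the way ZAP does, as a self-check before sending."""
    return {k: v[0] for k, v in parse_qs(encoded).items()}


def form_auth_api_calls(context_name, context_id, include_regex,
                        login_url, login_request_data, logged_in_regex):
    """(component, action, params) for each step of the answer's API sequence.
    Parameter names are assumed from the ZAP JSON API; confirm them against
    the API reference served by your ZAP instance."""
    config = build_auth_method_config_params(login_url, login_request_data)
    return [
        ("context", "includeInContext",
         {"contextName": context_name, "regex": include_regex}),
        ("authentication", "setAuthenticationMethod",
         {"contextId": context_id, "authMethodName": "formBasedAuthentication",
          "authMethodConfigParams": config}),
        ("authentication", "setLoggedInIndicator",
         {"contextId": context_id, "loggedInIndicatorRegex": logged_in_regex}),
        ("forcedUser", "setForcedUserModeEnabled", {"boolean": "true"}),
    ]


def to_api_url(component, action, params, base="http://localhost:8080",
               apikey="ZAP_API_KEY_PLACEHOLDER"):
    """One call as a ZAP JSON API URL. urlencode encodes authMethodConfigParams
    a second time on purpose: HTTP decodes one level, ZAP decodes the inner."""
    return f"{base}/JSON/{component}/action/{action}/?" + urlencode(
        {**params, "apikey": apikey})
```

Because the outer URL encoding is applied on top of the inner one, the loginRequestData placeholders appear as %2525username%2525 on the wire; that double encoding is what makes the value arrive at ZAP exactly as the answer shows it.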
