Tags: python-2.7, authentication, owaspzap

OWASP Zap - same results whether logged in or not


I am running a python Zap script as follows:

from random import randint
from zapv2 import ZAPv2  # python-owasp-zap-v2.4 client

# ZAP is listening as a proxy on 8119; the client talks to its API through it
zap = ZAPv2(proxies={'http': 'http://127.0.0.1:8119', 'https': 'http://127.0.0.1:8119'})
base_url = 'http://10.122.81.161/webui/#/dashboard/'
auth_url = 'http://10.122.81.161/webui'
# URL-encoded form of: username={%username%}&password={%password%}
auth_data = 'username%3D%7B%25username%25%7D%26password%3D%7B%25password%25%7D'
username = 'user'
password = 'pass'

# a fresh context with a random name
new_context = randint(1, 100000000000)
context_id = zap.context.new_context(new_context)

# parameter strings for the form-based auth method and for the user's credentials
auth_method_name = 'formBasedAuthentication'
authmethod_configparams = 'loginUrl=%s&loginRequestData=%s' \
            % (auth_url, auth_data)
authcred_configparams = 'username=%s&password=%s' % (username, password)
zap.authentication.set_logged_in_indicator(context_id, loggedinindicatorregex='Welcome')
user_id = zap.users.new_user(contextid=context_id, name=username)
zap.users.set_authentication_credentials(
        contextid=context_id,
        userid=user_id,
        authcredentialsconfigparams=authcred_configparams)
zap.users.set_user_enabled(contextid=context_id, userid=user_id, enabled=True)
zap.forcedUser.set_forced_user(context_id, user_id)
zap.forcedUser.set_forced_user_mode_enabled('true')
spider = zap.spider.scan_as_user(url=base_url, contextid=context_id, userid=user_id,
                recurse='false')

It definitely appears that the scan is not run as an authenticated user because I get the same results whether I use correct or incorrect login credentials. In both cases, the URLs I get are in this format:

"http://10.122.81.161/webui/login?Password=ZAP&Username=ZAP%22%26timeout+%2FT+15%26%22", 
            "http://10.122.81.161/webui/webui/login/login?query=query%26sleep+15%26", 
            "http://10.122.81.161/webui/webui/login/login/assets/styles?query=query%3Bstart-sleep+-s+15+%23", 
            "http://10.122.81.161/webui/webui/login/login/assets/styles/login/assets/images/companylogo.png?query=query%3Bstart-sleep+-, 

which tells me that Zap cannot get past the login page. What am I missing or what am I doing wrong? Thanks much.


Solution

  • Run ZAP with the GUI and run your script against it.

    Then follow the steps in https://github.com/zaproxy/zaproxy/wiki/FAQformauth#diagnosing-problems:

    1. If the "Forced User Mode disabled - click to enable" button is not enabled then you have not configured enough information for ZAP to authenticate - double check that you have performed all of the required steps.
    2. If you have enabled forced user mode and are still not logged in when you access your application then look at the requests in the History tab:
    3. If there is no login request then you have probably not chosen a suitable "logged in/out" indicator, try changing it and trying again
    4. If there is a login request then look at the requests and responses and see if you can work out why the login failed - you may need to change the request or even make multiple requests
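The script below is an added example, not code from the question or the answer, that performs every API call the FAQ's setup requires and then applies the answer's three History-tab checks from Python instead of the GUI. Two calls are missing from the posted script: `zap.context.include_in_context`, without which no URL is in the context and ZAP never authenticates anything, and `zap.authentication.set_authentication_method`, so the `authmethod_configparams` string the question builds is never attached to the context. The proxy port, base URL, and the assumption that the login form POSTs to `/webui/login` (the path that appears in the question's history) are assumptions; the history entries used to exercise `diagnose_login` are constructed, and the function names are the example's own.

```python
import re
import time
from urllib.parse import quote, urlparse

# Assumed values (not from the original post): ZAP's proxy port, the app's base URL,
# and the URL the login form POSTs to (taken from the path seen in the question's history).
ZAP_PROXY = "http://127.0.0.1:8119"
BASE_URL = "http://10.122.81.161/webui/"
LOGIN_URL = "http://10.122.81.161/webui/login"
LOGIN_TEMPLATE = "username={%username%}&password={%password%}"
LOGGED_IN_REGEX = "Welcome"


def build_form_auth_params(login_url, request_template=LOGIN_TEMPLATE):
    """Config string for formBasedAuthentication. ZAP parses it as a query string,
    so each value is URL-encoded exactly once; ZAP decodes it and later fills in
    the {%username%} / {%password%} tokens from the user's credentials."""
    return "loginUrl=%s&loginRequestData=%s" % (
        quote(login_url, safe=""), quote(request_template, safe=""))


def build_credential_params(username, password):
    """Credential string for the user, encoded so '&' or '=' in a password survive."""
    return "username=%s&password=%s" % (quote(username, safe=""), quote(password, safe=""))


def configure_form_auth(zap, context_name, base_url, login_url, username, password, logged_in_regex):
    """Every API call the FAQ requires, in order. Returns (context_id, user_id)."""
    context_id = zap.context.new_context(context_name)
    # Nothing is "in context" until a URL regex is included, and ZAP only
    # authenticates requests that fall inside the context.
    zap.context.include_in_context(context_name, base_url + ".*")
    # Attach the auth method to the context (the posted script never makes this call).
    zap.authentication.set_authentication_method(
        context_id, "formBasedAuthentication", build_form_auth_params(login_url))
    zap.authentication.set_logged_in_indicator(context_id, logged_in_regex)
    user_id = zap.users.new_user(context_id, username)
    zap.users.set_authentication_credentials(
        context_id, user_id, build_credential_params(username, password))
    zap.users.set_user_enabled(context_id, user_id, "true")
    zap.forcedUser.set_forced_user(context_id, user_id)
    zap.forcedUser.set_forced_user_mode_enabled("true")
    return context_id, user_id


def _request_line(msg):
    """('POST', '/webui/login') from a history entry's request header, or None."""
    parts = msg.get("requestHeader", "").split("\r\n", 1)[0].split()
    if len(parts) < 2:
        return None
    return parts[0].upper(), urlparse(parts[1]).path


def diagnose_login(messages, login_url, logged_in_regex):
    """The FAQ's decision tree applied to the list zap.core.messages() returns."""
    login_target = ("POST", urlparse(login_url).path)
    login_idx = [i for i, m in enumerate(messages) if _request_line(m) == login_target]
    if not login_idx:  # FAQ step 3: ZAP never tried to log in
        return {"verdict": "no-login-request", "login_responses": [],
                "hint": "ZAP never sent the login request, so it believes it is already "
                        "logged in: the logged in/out indicator is matching the wrong thing."}
    statuses = [messages[i].get("responseHeader", "").split("\r\n", 1)[0] for i in login_idx]
    # The indicator may match the login response itself or any in-context page
    # fetched after the last login attempt (a 302 login response has no body).
    after_login = messages[login_idx[-1]:]
    if any(re.search(logged_in_regex, m.get("responseBody", "")) for m in after_login):
        return {"verdict": "logged-in", "login_responses": statuses,
                "hint": "Login request sent and a later response matched the indicator."}
    return {"verdict": "login-failed", "login_responses": statuses,  # FAQ step 4
            "hint": "Login request sent but nothing after it matches the indicator: "
                    "compare the request with a browser login (field names, tokens, extra requests)."}


def _entry(method, url, status, body=""):
    """Constructed history entry in the shape zap.core.messages() returns (keys used above)."""
    return {"requestHeader": "%s %s HTTP/1.1\r\nHost: 10.122.81.161\r\n\r\n" % (method, url),
            "responseHeader": "HTTP/1.1 %s\r\n\r\n" % status, "responseBody": body}


HISTORY_NO_LOGIN = [_entry("GET", BASE_URL, "200 OK", "<form>Login</form>")]
HISTORY_BAD_CREDS = HISTORY_NO_LOGIN + [
    _entry("POST", LOGIN_URL, "200 OK", "Invalid username or password"),
    _entry("GET", BASE_URL, "200 OK", "<form>Login</form>")]
HISTORY_OK = HISTORY_NO_LOGIN + [
    _entry("POST", LOGIN_URL, "302 Found"),  # redirect with an empty body
    _entry("GET", BASE_URL + "dashboard", "200 OK", "<h1>Welcome user</h1>")]


if __name__ == "__main__":
    from zapv2 import ZAPv2  # pip install python-owasp-zap-v2.4

    zap = ZAPv2(proxies={"http": ZAP_PROXY, "https": ZAP_PROXY})
    ctx, uid = configure_form_auth(zap, "webui", BASE_URL, LOGIN_URL, "user", "pass", LOGGED_IN_REGEX)
    # FAQ step 1: a property in the zapv2 client; anything but "true" means setup did not take
    print("forced user mode enabled:", zap.forcedUser.is_forced_user_mode_enabled)
    scan_id = zap.spider.scan_as_user(contextid=ctx, userid=uid, url=BASE_URL, recurse="true")
    while int(zap.spider.status(scan_id)) < 100:
        time.sleep(2)
    # FAQ steps 2-4: read the History tab through the API instead of the GUI
    print(diagnose_login(zap.core.messages(baseurl=BASE_URL), LOGIN_URL, LOGGED_IN_REGEX))
```

Run it with ZAP open in GUI mode, as the answer suggests, so the History tab and the printed verdict can be compared. Two caveats on the indicator: ZAP treats any in-context response that does not match the logged-in regex as a sign the session was lost and re-authenticates, so pick text that appears on every authenticated page (or use a logged-out indicator such as the login form's markup instead); and the `loginUrl` must be the URL the browser POSTs the form to, not the page that displays it, which is why the example uses the `/webui/login` path from the question's history rather than `/webui`.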