Search code examples
securityowaspzappenetration-testingsecurity-testing

How to configure the user_token of Damn Vulnerable Web Application within CSRF field while Script based authentication using ZAP?

I had been following the documentation of Script Based Authentication for Damn Vulnerable Web Application using ZAP. I have navigated to http://localhost/dvwa/login.php through Manual Explore which opens up the DVWA application on my localhost as follows:

dvwa_application

and adds the URL to the Default Context.

I've also created the dvwa script with the following configuration:

dvwa_script_configuration

and modified the dvwa script:

dvwa_script

Now when I try Configure Context Authentication, dvwa script does gets loaded but the CSRF field doesn't shows up.

dvwa_script_based_authentication

Additionally, POST Data doesn't even shows up but Extra POST Data is shown.

Am I missing something in the steps? Can someone help me out?

Solution

  • The modified script within the documentation of Script Based Authentication section for Damn Vulnerable Web Application using ZAP

    auth_dvwa_zap_faulty_script

    seems incomplete.

    The complete script is available at Setting up ZAP to Test Damn Vulnerable Web App (DVWA) which is as follows:

    function authenticate(helper, paramsValues, credentials) {
    var loginUrl = paramsValues.get("Login URL");
    var csrfTokenName = paramsValues.get("CSRF Field");
    var csrfTokenValue = extractInputFieldValue(getPageContent(helper, loginUrl), csrfTokenName);
    var postData = paramsValues.get("POST Data");

    postData = postData.replace('{%username%}', encodeURIComponent(credentials.getParam("Username")));
    postData = postData.replace('{%password%}', encodeURIComponent(credentials.getParam("Password")));
    postData = postData.replace('{%' + csrfTokenName + '%}', encodeURIComponent(csrfTokenValue));

    var msg = sendAndReceive(helper, loginUrl, postData);
    return msg;
}

function getRequiredParamsNames() {
    return [ "Login URL", "CSRF Field", "POST Data" ];
}

function getOptionalParamsNames() {
    return [];
}

function getCredentialsParamsNames() {
    return [ "Username", "Password" ];
}

function getPageContent(helper, url) {
    var msg = sendAndReceive(helper, url);
    return msg.getResponseBody().toString();
}

function sendAndReceive(helper, url, postData) {
    var msg = helper.prepareMessage();

    var method = "GET";
    if (postData) {
    method = "POST";
    msg.setRequestBody(postData);
    }

    var requestUri = new org.apache.commons.httpclient.URI(url, true);
    var requestHeader = new org.parosproxy.paros.network.HttpRequestHeader(method, requestUri, "HTTP/1.0");
    msg.setRequestHeader(requestHeader);

    helper.sendAndReceive(msg);

    return msg;
}

function extractInputFieldValue(page, fieldName) {
    // Rhino:
    var src = new net.htmlparser.jericho.Source(page);
    // Nashorn:
    // var Source = Java.type("net.htmlparser.jericho.Source");
    // var src = new Source(page);

    var it = src.getAllElements('input').iterator();

    while (it.hasNext()) {
    var element = it.next();
    if (element.getAttributeValue('name') == fieldName) {
        return element.getAttributeValue('value');
    }
    }
    return '';
}

    Using this script, CSRF Field and POST Data field shows up just perfect.

    dvwa_loaded