I need to run OWASP ZAP against one of our sites running on Netlify, but it is password protected (see screenshot for what I mean). For those who don't know how it works, when you visit the site, Netlify returns a 401 with the response of the request being the form. The form takes a password (input name is password) and POSTs it to the same URL (so https://myapp.netlify.app/ returns 401 and then the form POSTs it to https://myapp.netlify.app). I've created the context that should work, but I don't think it likes the 401 being returned as the same URL as the POST.
I'm sure I'm just doing a really stupid thing, but here is the relevant snippet from the config:
<authentication>
  <type>2</type>
  <strategy>EACH_RESP</strategy>
  <pollurl/>
  <polldata/>
  <pollheaders/>
  <pollfreq>60</pollfreq>
  <pollunits>REQUESTS</pollunits>
  <form>
    <loginurl>https://myapp.netlify.app</loginurl>
    <loginbody>password={%password%}</loginbody>
    <loginpageurl>https://myapp.netlify.app</loginpageurl>
  </form>
</authentication>
I also tried this snippet, in case it required the username (the UI kept enforcing the use of username):
<authentication>
  <type>2</type>
  <strategy>EACH_RESP</strategy>
  <pollurl/>
  <polldata/>
  <pollheaders/>
  <pollfreq>60</pollfreq>
  <pollunits>REQUESTS</pollunits>
  <form>
    <loginurl>https://myapp.netlify.app</loginurl>
    <loginbody>username={%username%}&amp;password={%password%}</loginbody>
    <loginpageurl>https://myapp.netlify.app</loginpageurl>
  </form>
</authentication>
Schoolboy error. I had everything configured properly, but wasn't providing the user (I thought the forced user would be picked up).
Running zap-baseline.py -t https://myapp.netlify.app/ -r testreport.html -n /zap/wrk/myapp.context -U testuser works.
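As an added example (not from the original post), here is a small checker for the two things that can silently break a form-based ZAP context like the one above: a bare & in loginbody makes the file invalid XML, and the -U name passed to zap-baseline.py must match a user actually defined in the context. The sample context is constructed, and it assumes ZAP's <user> encoding is "id;enabled;base64(name);authType;base64(user)~base64(password)~".

```python
import base64
import xml.etree.ElementTree as ET

# Constructed sample context (assumption: ZAP stores each <user> as
# "id;enabled;base64(name);authType;base64(user)~base64(password)~").
SAMPLE_CONTEXT = """<configuration>
<context>
<name>myapp</name>
<authentication>
<type>2</type>
<strategy>EACH_RESP</strategy>
<form>
<loginurl>https://myapp.netlify.app</loginurl>
<loginbody>username={%username%}&amp;password={%password%}</loginbody>
<loginpageurl>https://myapp.netlify.app</loginpageurl>
</form>
</authentication>
<users>
<user>0;true;dGVzdHVzZXI=;2;dGVzdHVzZXI=~cGFzc3dvcmQ=~</user>
</users>
</context>
</configuration>"""


def context_users(root):
    """Decode the user names (third ';'-separated field, base64) from <user> elements."""
    names = []
    for u in root.iter("user"):
        fields = (u.text or "").split(";")
        if len(fields) >= 3:
            names.append(base64.b64decode(fields[2]).decode())
    return names


def check_context(xml_text, cli_user):
    """Return a list of problems; an empty list means the context should work
    with `zap-baseline.py ... -n ctx.context -U cli_user`."""
    try:
        root = ET.fromstring(xml_text)  # fails on an unescaped & in loginbody
    except ET.ParseError as e:
        return [f"context is not well-formed XML: {e}"]
    problems = []
    auth = root.find(".//authentication")
    if auth is None or auth.findtext("type") != "2":
        problems.append("authentication type is not 2 (form-based)")
    body = auth.findtext("form/loginbody") if auth is not None else None
    if "{%password%}" not in (body or ""):
        problems.append("loginbody has no {%password%} placeholder")
    users = context_users(root)
    if not users:
        problems.append("no users defined in context; -U cannot match anything")
    elif cli_user not in users:
        problems.append(f"-U {cli_user!r} is not among context users {users}")
    return problems
```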