
So I have recently been working on security testing with OWASP ZAP. However, I have hit a roadblock in that I can't get the (AJAX) spider to test within an authorized area of the single page application.

I have looked at the different options in session properties as described in the image below. However the authorization to my single page application involves sending a base64 encoded username and password as a header value which doesn't appear to be supported.

Ideally I need to either be able to simply specify the header value's base64 string myself, or specify the username and password and have the ZAP proxy just enter the fields, submit them, and let the web application encode and send them.

I was really just wondering if anyone has any good suggestions to get around this limitation? I saw the "Script-based Authentication", but was unable to import a script for it, and wasn't quite sure how it would work?

Anders
Josh Mc
  • See if this helps. http://security.stackexchange.com/questions/104402/how-to-supply-http-basic-authentication-details-in-owasp-zap-proxy – Krishna Pandey Nov 25 '15 at 05:20
  • For future users, I am also following this up here: https://groups.google.com/forum/#!topic/zaproxy-users/llXq9bPdkkw – Josh Mc Mar 15 '16 at 23:29

1 Answer

You can use the Zest functionality of ZAP to perform your authentication. In the icon bar on the top, on the far right you will find a tape icon that says "Record new Zest Script...". Hit it, choose a name and choose "Authentication" for the "Type" dropdown.

Now open a browser via ZAP and manually perform a login to your site. Stop the recording by hitting the tape icon again. In ZAP, on the left side where the scanned Sites are shown, switch to the "Scripts" tab to find your script. You will see any recorded requests and you can go on to delete any records that are not necessary for your authentication.

On the top right, next to Quickstart / Request / Response you should see a "Scripting Console" tab in which you will find a button to run your recorded script.

If the script is working, now go back to the context settings you screenshotted in the OP and choose Script-based Authentication. You will be able to select your recorded script. Hit "load" and fill out the regex patterns.

Now to the part that has cost me a lot of time: you have to specify a user in the context settings although it should not be necessary because the user is part of your script. Just type in whatever you want for username and password.

Now you're done! Start a spider, choose your context and your fake user and it should be working.

stormpanda
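For readers who would rather write the "Script-based Authentication" script the question mentions than record a Zest script, the following is an added example (not code from the question, the answer, or the ZAP project itself). It follows the shape ZAP expects from a JavaScript authentication script: ZAP calls `authenticate(helper, paramsValues, credentials)` with the context's user, and the three `get...ParamsNames()` functions declare which fields the context dialog asks for. It assumes the application accepts HTTP Basic credentials, i.e. a header of the form `Authorization: Basic base64("username:password")`; the login URL, the header name, and the parameter labels `Login URL`, `Username` and `Password` are assumptions you would adapt. The base64 encoder is written in plain JavaScript so the same helper works under ZAP's Nashorn/Graal engine and under Node, where it can be unit-tested; the ZAP-specific Java classes are only resolved inside `authenticate`, so loading the file outside ZAP does not fail.

```javascript
// Added example: a ZAP script-based authentication script for an application
// that expects HTTP Basic credentials. Header name, parameter labels and
// login URL are assumptions, not taken from the original question or answer.

var B64_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

// Plain-JavaScript base64 so it runs both inside ZAP (Nashorn/GraalJS) and in Node.
// Credentials are UTF-8 encoded first (BMP characters only, which covers typical passwords).
function encodeBase64(str) {
  var bytes = [];
  for (var i = 0; i < str.length; i++) {
    var c = str.charCodeAt(i);
    if (c < 0x80) {
      bytes.push(c);
    } else if (c < 0x800) {
      bytes.push(0xc0 | (c >> 6), 0x80 | (c & 0x3f));
    } else {
      bytes.push(0xe0 | (c >> 12), 0x80 | ((c >> 6) & 0x3f), 0x80 | (c & 0x3f));
    }
  }
  var out = "";
  for (var j = 0; j < bytes.length; j += 3) {
    var n = (bytes[j] << 16) | ((bytes[j + 1] || 0) << 8) | (bytes[j + 2] || 0);
    out += B64_ALPHABET[(n >> 18) & 63] + B64_ALPHABET[(n >> 12) & 63];
    out += j + 1 < bytes.length ? B64_ALPHABET[(n >> 6) & 63] : "="; // pad when 1 byte left
    out += j + 2 < bytes.length ? B64_ALPHABET[n & 63] : "=";        // pad when 2 bytes left
  }
  return out;
}

// Value of the Authorization header for the HTTP Basic scheme (RFC 7617).
function basicAuthHeaderValue(username, password) {
  return "Basic " + encodeBase64(username + ":" + password);
}

// Called by ZAP for every (re-)authentication of the context user.
function authenticate(helper, paramsValues, credentials) {
  // Java types are resolved here, not at top level, so the helpers above
  // can be loaded and tested outside ZAP.
  var HttpRequestHeader = Java.type("org.parosproxy.paros.network.HttpRequestHeader");
  var HttpHeader = Java.type("org.parosproxy.paros.network.HttpHeader");
  var URI = Java.type("org.apache.commons.httpclient.URI");

  var loginUrl = paramsValues.get("Login URL"); // assumed parameter label
  var msg = helper.prepareMessage();
  msg.setRequestHeader(new HttpRequestHeader(HttpRequestHeader.GET, new URI(loginUrl, false), HttpHeader.HTTP11));
  msg.getRequestHeader().setHeader(
    "Authorization",
    basicAuthHeaderValue(credentials.getParam("Username"), credentials.getParam("Password"))
  );

  helper.sendAndReceive(msg);
  // ZAP applies the context's logged-in / logged-out regexes to this response
  // to decide whether the authentication succeeded.
  return msg;
}

// Fields ZAP shows in the context's authentication dialog.
function getRequiredParamsNames() {
  return ["Login URL"];
}

function getOptionalParamsNames() {
  return [];
}

// Fields ZAP shows when defining a user for the context.
function getCredentialsParamsNames() {
  return ["Username", "Password"];
}
```

One caveat worth knowing before relying on this: HTTP Basic is stateless, so the header above is sent only with the authentication request itself. For the spider's later requests to stay authorized, ZAP's session management for the context must re-attach the header (for example via a script-based session management script, or by using ZAP's own HTTP authentication method, which handles Basic natively); otherwise the logged-in indicator regex will keep reporting the user as logged out.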