
Auth with Good or Bad user/password display no fail logs

Open bat79a opened this issue 2 years ago • 4 comments

Hi.

If I run the docker command : docker run --rm -t ictu/zap2docker-weekly zap-full-scan.py -I -j -m 10 -T 60 -t https://mysite.fr/ --hook=/zap/auth_hook.py -z "auth.loginurl=https://sso.mysite.fr/ auth.username="demo" auth.password="1234""

With good or bad credentials, the logs are the same, so I'm not sure that the scan really scans as a logged-in user. Can we see a trace somewhere of whether the login failed or not?

Thx a lot.

bat79a, Sep 06 '22 15:09

@bat79a can you paste the full log? It should print if session identifiers were discovered and used.

dicksnel, Sep 08 '22 09:09

Hello.

Sure, thx a lot for your time.

With the good credentials:

$ docker run -t ictu/zap2docker-weekly zap-full-scan.py -I -j -m 10 -T 60 -t https://www.mysite.fr/ --hook=/zap/auth_hook.py -z "auth.loginurl=https://sso.mysite.fr/auth/... auth.username="good_user" auth.password="good_password""

2022-09-08 10:10:04,350 Extra params passed by ZAP: ['-config', 'spider.maxDuration=10', '-addonupdate', '-addoninstall', 'pscanrulesBeta', '-addoninstall', 'ascanrulesBeta', 'auth.loginurl=https://sso.mysite.fr/auth...', 'auth.username=']
2022-09-08 10:10:04,351 _get_zap_param auth.loginurl: https://sso.mysite.fr/auth/...
2022-09-08 10:10:04,351 _get_zap_param auth.username:
2022-09-08 10:10:09,439 Included https://www.mysite.fr/.*
2022-09-08 10:10:09,451 Excluded .*logout.*
2022-09-08 10:10:09,463 Excluded .*uitloggen.*
2022-09-08 10:10:09,473 Excluded .*afmelden.*
2022-09-08 10:10:09,484 Excluded .*signout.*
2022-09-08 10:10:09,484 Start webdriver
2022-09-08 10:10:11,061 authenticate using webdriver against URL: https://sso.mysite.fr/auth...
2022-09-08 10:10:16,406 automatically finding login elements
2022-09-08 10:10:16,407 Trying to find element login
2022-09-08 10:10:16,407 Built xpath: //*[(translate(@id, 'ABCDEFGHIJKLMNOPQRSTUVWXYZ','abcdefghijklmnopqrstuvwxyz')='login') and (@type='submit' or @type='button' or button)]
2022-09-08 10:10:16,428 Built xpath: //*[(translate(@name, 'ABCDEFGHIJKLMNOPQRSTUVWXYZ','abcdefghijklmnopqrstuvwxyz')='login') and (@type='submit' or @type='button' or button)]
2022-09-08 10:10:16,437 Found element login by name
2022-09-08 10:10:16,582 Clicked the login element
2022-09-08 10:10:21,587 Finding authentication cookies
2022-09-08 10:10:21,606 Cookie added: KC_RESTART=eyxxxxxxx
2022-09-08 10:10:21,610 Cookie added: AUTH_SESSION_ID_LEGACY=00xxxx
2022-09-08 10:10:21,613 Cookie added: AUTH_SESSION_ID=00xxxx
2022-09-08 10:10:21,619 Active session: auth-session
2022-09-08 10:10:21,619 Finding authentication headers
Total of 18 URLs
PASS: Directory Browsing [0]
...

With bad credentials:

docker run -t ictu/zap2docker-weekly zap-full-scan.py -I -j -m 10 -T 60 -t https://www.mysite.fr/ --hook=/zap/auth_hook.py -z "auth.loginurl=https://sso.mysite.fr/auth... auth.username="BAD" auth.password="BAD""

2022-09-08 10:16:55,752 Extra params passed by ZAP: ['-config', 'spider.maxDuration=10', '-addonupdate', '-addoninstall', 'pscanrulesBeta', '-addoninstall', 'ascanrulesBeta', 'auth.loginurl=https://sso.mysite.fr/auth...', 'auth.username=']
2022-09-08 10:16:55,752 _get_zap_param auth.loginurl: https://sso.mysite.fr/auth...
2022-09-08 10:16:55,752 _get_zap_param auth.username:
2022-09-08 10:16:59,846 Included https://www.mysite.fr/.*
2022-09-08 10:16:59,862 Excluded .*logout.*
2022-09-08 10:16:59,880 Excluded .*uitloggen.*
2022-09-08 10:16:59,895 Excluded .*afmelden.*
2022-09-08 10:16:59,908 Excluded .*signout.*
2022-09-08 10:16:59,908 Start webdriver
2022-09-08 10:17:01,198 authenticate using webdriver against URL: https://sso.mysite.fr/auth...
2022-09-08 10:17:06,502 automatically finding login elements
2022-09-08 10:17:06,502 Trying to find element login
2022-09-08 10:17:06,502 Built xpath: //*[(translate(@id, 'ABCDEFGHIJKLMNOPQRSTUVWXYZ','abcdefghijklmnopqrstuvwxyz')='login') and (@type='submit' or @type='button' or button)]
2022-09-08 10:17:06,513 Built xpath: //*[(translate(@name, 'ABCDEFGHIJKLMNOPQRSTUVWXYZ','abcdefghijklmnopqrstuvwxyz')='login') and (@type='submit' or @type='button' or button)]
2022-09-08 10:17:06,522 Found element login by name
2022-09-08 10:17:06,657 Clicked the login element
2022-09-08 10:17:11,663 Finding authentication cookies
2022-09-08 10:17:11,681 Cookie added: KC_RESTART=eyxxxxx
2022-09-08 10:17:11,684 Cookie added: AUTH_SESSION_ID_LEGACY=01xxxx
2022-09-08 10:17:11,687 Cookie added: AUTH_SESSION_ID=01xxxx
2022-09-08 10:17:11,693 Active session: auth-session
2022-09-08 10:17:11,693 Finding authentication headers
Total of 18 URLs
PASS: Directory Browsing [0]
...

Thx a lot @dicksnel ;p

bat79a, Sep 08 '22 10:09

@bat79a are you using authentication cookies on a different domain from your application? Then it may be related to https://github.com/ICTU/zap2docker-auth-weekly/issues/52

Unfortunately at this moment the session cookie must be on the same domain as the application.

dicksnel, Sep 15 '22 09:09

Hello @dicksnel.

Thx for your time and your feedback.

I'm not using a different domain, but I use a sub-domain.

Example:

  • particulier.mysite.fr (for the website) and
  • sso.mysite.fr (for the SSO)

So I think that is a problem too ;p

Thx again.

bat79a, Sep 15 '22 13:09
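Two things in this thread can be checked mechanically rather than by eye: the posted logs print `_get_zap_param auth.username:` with an empty value in both runs (so the hook never received a username, whatever the credentials were), and the maintainer's point that cookies captured on the SSO host are only useful if they domain-match the scanned host. The script below is an added example written for this thread, not code from the zap2docker-auth-weekly project: it parses log lines shaped like the ones posted above (the `SAMPLE_LOG` excerpt is constructed from them, with the same redactions), flags an empty auth parameter, and applies RFC 6265 domain matching between the login host and the target host. The `cookie_domain` parameter is a hypothetical knob standing in for a `Domain=` attribute the SSO might set; the hook itself does not log that attribute.

```python
"""Sanity checks over a zap2docker auth hook log (added example, not project code)."""
import re
from urllib.parse import urlsplit

# Constructed sample: an excerpt in the shape of the log posted in the thread.
# Note the empty value after "auth.username:" and that "Active session" is logged
# even though no username reached the hook.
SAMPLE_LOG = """\
2022-09-08 10:10:04,351 _get_zap_param auth.loginurl: https://sso.mysite.fr/auth/...
2022-09-08 10:10:04,351 _get_zap_param auth.username:
2022-09-08 10:10:09,439 Included https://www.mysite.fr/.*
2022-09-08 10:10:11,061 authenticate using webdriver against URL: https://sso.mysite.fr/auth...
2022-09-08 10:10:21,606 Cookie added: KC_RESTART=eyxxxxxxx
2022-09-08 10:10:21,610 Cookie added: AUTH_SESSION_ID_LEGACY=00xxxx
2022-09-08 10:10:21,613 Cookie added: AUTH_SESSION_ID=00xxxx
2022-09-08 10:10:21,619 Active session: auth-session
"""

PARAM_RE = re.compile(r"_get_zap_param (?P<key>auth\.\w+):\s*(?P<value>.*)$")
COOKIE_RE = re.compile(r"Cookie added: (?P<name>[^=]+)=(?P<value>.*)$")
AUTH_URL_RE = re.compile(r"authenticate using webdriver against URL: (?P<url>\S+)$")


def parse_hook_log(text):
    """Extract the auth-relevant facts: -z parameters, captured cookies, login URL."""
    facts = {"params": {}, "cookies": {}, "login_url": None}
    for line in text.splitlines():
        if m := PARAM_RE.search(line):
            facts["params"][m["key"]] = m["value"].strip()
        elif m := COOKIE_RE.search(line):
            facts["cookies"][m["name"]] = m["value"]
        elif m := AUTH_URL_RE.search(line):
            facts["login_url"] = m["url"]
    return facts


def domain_matches(cookie_domain, request_host):
    """RFC 6265 section 5.1.3: a host matches a cookie domain if it equals it
    or is a subdomain of it. A cookie without a Domain attribute is host-only,
    so its domain is just the host that set it (e.g. sso.mysite.fr)."""
    cookie_domain = cookie_domain.lower().lstrip(".")
    request_host = request_host.lower()
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


def check_auth_run(text, target_url, cookie_domain=None):
    """Return the problems found; an empty list means nothing in the log
    contradicts a logged-in scan. cookie_domain is a hypothetical override for
    the Domain attribute of the SSO cookies (None = host-only cookies)."""
    facts = parse_hook_log(text)
    problems = []
    # The hook logs loginurl and username only (no password line in the posted
    # log), so the username is the credential we can check for here.
    if not facts["params"].get("auth.username"):
        problems.append("auth.username is empty: credentials never reached the hook")
    if not facts["cookies"]:
        problems.append("no cookies captured after login: no session established")
    target_host = urlsplit(target_url).hostname
    login_host = urlsplit(facts["login_url"]).hostname if facts["login_url"] else None
    effective_domain = cookie_domain or login_host
    if effective_domain and target_host and not domain_matches(effective_domain, target_host):
        problems.append(f"cookies scoped to {effective_domain} will not be sent to {target_host}")
    return problems


if __name__ == "__main__":
    for problem in check_auth_run(SAMPLE_LOG, "https://www.mysite.fr/"):
        print("PROBLEM:", problem)
```

Run against the posted log shape, the check reports the empty username and the sso.mysite.fr / www.mysite.fr mismatch; passing `cookie_domain="mysite.fr"` (what a cookie with `Domain=mysite.fr` would give) clears the second problem but not the first, which is why good and bad credentials looked identical in the thread.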