Ошибка аутентификации для пользователя при запуске owasp ZAP scanAsuserAPI
Я использовал ZAP Desktop с аутентификацией на основе форм, zap отлично работает в настольном приложении. Однако, поскольку в веб-приложении, которое я использую, также передается _csrf_token вместе с именем пользователя и паролем, я решил автоматизировать его с помощью ручной аутентификации с использованием селена.
Ниже приведена ошибка, которую я получаю -
1112496 [ZAP-ProxyThread-473] INFO org.zaproxy.zap.users.User - Authentication failed for user: abc
1112601 [ZAP-ProxyThread-481] INFO org.zaproxy.zap.users.User - Authenticating user: abc
1112602 [ZAP-ProxyThread-481] INFO org.zaproxy.zap.users.User - Authentication failed for user: abc
1112624 [ZAP-ProxyThread-470] INFO org.zaproxy.zap.users.User - Authenticating user: abc
1112624 [ZAP-ProxyThread-470] INFO org.zaproxy.zap.users.User - Authentication failed for user: abc
1112648 [ZAP-ProxyThread-482] INFO org.zaproxy.zap.users.User - Authenticating user: abc
1112648 [ZAP-ProxyThread-482] INFO org.zaproxy.zap.users.User - Authentication failed for user: abc
1117079 [ZAP-ProxyThread-488] INFO org.zaproxy.zap.users.User - Authenticating user: abc
1117080 [ZAP-ProxyThread-488] INFO org.zaproxy.zap.users.User - Authentication failed for user: abc
1117082 [ZAP-ProxyThread-485] INFO org.zaproxy.zap.users.User - Authenticating user: abc
1117088 [ZAP-ProxyThread-485] INFO org.zaproxy.zap.users.User - Authentication failed for user: abc
1119534 [ZAP-ProxyThread-489] INFO org.zaproxy.zap.users.User - Authenticating user: abc
1119535 [ZAP-ProxyThread-489] INFO org.zaproxy.zap.users.User - Authentication failed for user: abc
1120768 [ZAP-ProxyThread-490] INFO org.zaproxy.zap.users.User - Authenticating user: abc
1120768 [ZAP-ProxyThread-490] INFO org.zaproxy.zap.users.User - Authentication failed for user: abc
1120770 [ZAP-ProxyThread-491] INFO org.zaproxy.zap.users.User - Authenticating user: abc
1120770 [ZAP-ProxyThread-491] INFO org.zaproxy.zap.users.User - Authentication failed for user: abc
1124677 [ZAP-ProxyThread-500] INFO org.zaproxy.zap.users.User - Authenticating user: abc
1124682 [ZAP-SpiderInitThread-4] INFO org.zaproxy.zap.extension.spider.SpiderThread - Starting spidering scan on https://****/web at 2021-10-21T19:12:37.019+0530
1124682 [ZAP-SpiderInitThread-4] INFO org.zaproxy.zap.spider.Spider - Spider initializing...
1124707 [ZAP-SpiderInitThread-4] INFO org.zaproxy.zap.spider.Spider - Starting spider...
1124709 [ZAP-SpiderInitThread-4] INFO org.zaproxy.zap.spider.Spider - Scan will be performed from the point of view of User: abc
1124714 [ZAP-SpiderThreadPool-4-thread-1] INFO org.zaproxy.zap.users.User - Authenticating user: abc
1124715 [ZAP-SpiderThreadPool-4-thread-1] INFO org.zaproxy.zap.users.User - Authentication failed for user: abc
1125460 [ZAP-SpiderThreadPool-4-thread-1] INFO org.zaproxy.zap.spider.Spider - Spidering process is complete. Shutting down...
1125462 [ZAP-SpiderShutdownThread-4] INFO org.zaproxy.zap.extension.spider.SpiderThread - Spider scanning complete: true on https://****/web at 2021-10-21T19:12:37.799+0530
Мой код выглядит так:
@Test
public void zapScanOnTest(String jsonContextsFileName, String testCaseFile, String scanType, String scanPolicyName) throws InterruptedException {
SoftAssert softassert = new SoftAssert();
boolean login = loginPage.login(UsrName, Pwd);
softassert.assertTrue(login, "zapScanTest : Logged in");
Thread.sleep(10000);
runScanAsUserOnURLs(jsonContextsFileName,"abc_"+HostIP, "after_login_url", UsrName,scanType,scanPolicyName);
}
public void runScanAsUserOnURLs(String jsonContextsFileName, String zapContextName, String nodeName,
String UserName, String scanType, String scanPolicyName){
List<ApiResponse> listOfContext;
try {
listOfContext = ((ApiResponseList) clientApi.context.contextList()).getItems();
String contextID = setAndGetContextID(listOfContext, zapContextName);
log.info("Checking if the User already exists in Context if not Add the user to the context");
String userID = setAndGetUserID(UserName, contextID);
log.info("Fetching Json file path and reading all the URL's mentioned in JSON File");
List<String> urlLists = readJsonFileConvertUrlsToList(jsonContextsFileName, nodeName);
includeAllURLSToContext(urlLists, contextID, zapContextName);
spiderCrawlScanAsUser(contextID,userID,urlLists);
}
catch (InterruptedException e) {
e.printStackTrace();
}
catch (ClientApiException e) {
e.printStackTrace();
}
}
public String setAndGetContextID(List<ApiResponse> listOfContext, String contextName) throws ClientApiException {
String contextID = null;
if (listOfContext.isEmpty() || isContextPresent(listOfContext, contextName) == false) {
ApiResponse newContext = clientApi.context.newContext(contextName);
contextID = newContext.toString();
log.info("Context is Created and the ID is : " + contextID);
} else {
Context context = new Context((ApiResponseSet) clientApi.context.context(contextName));
contextID = context.getId();
log.info("ID of existing Context is : " + contextID);
}
listOfContext = ((ApiResponseList) clientApi.context.contextList()).getItems();
return contextID;
}
public boolean isContextPresent(List<ApiResponse> listOfContext, String contextName) {
boolean isPresent = false;
String str = "Context is not available in list : " + listOfContext + " let's create a new context";
log.info("Checking if provided context name " + contextName + " is already present in list of context");
for (int i = 0; i < listOfContext.size(); i++) {
String zapContext = listOfContext.get(i).toString();
if (zapContext.equals(contextName)) {
isPresent = true;
str = "Context Name Already Exists : No need to create a Context again : " + listOfContext;
}
}
log.info(str);
return isPresent;
}
public String setAndGetUserID(String mcUser, String contextID) throws ClientApiException {
String userID = null;
List<ApiResponse> usersListInContext = ((ApiResponseList) clientApi.users.usersList(contextID)).getItems();
if (usersListInContext.isEmpty() || isUserPresentInContext(usersListInContext, mcUser, contextID) == false) {
userID = clientApi.users.newUser(contextID, mcUser).toString();
log.info("User is added to the Context and the user ID is : " + userID);
log.info("Enabling the User");
ApiResponse setUserEnabled = clientApi.users.setUserEnabled(contextID, userID, "true");
log.info("User is Enabled and the status is : " + setUserEnabled);
log.info("Setting Forced User");
ApiResponse setForcedUser = clientApi.forcedUser.setForcedUser(contextID, userID);
log.info("User is set as Forced User and the status is : " + setForcedUser);
log.info("Enabling Forced User Mode");
ApiResponse setForcedUserModeEnabled = clientApi.forcedUser.setForcedUserModeEnabled(true);
log.info("Enabled Forced User Mode and the status is : " + setForcedUserModeEnabled);
} else {
for (ApiResponse userListResponse : usersListInContext) {
String userList = userListResponse.toString(0);
boolean userPresentInContextList = userList.contains("name = " + mcUser);
boolean contextIDPresent = userList.contains("contextId = " + contextID);
if (userPresentInContextList == true && contextIDPresent == true) {
userID = userList.substring(userList.indexOf("id = ") + 5, userList.indexOf("enabled"));
log.info("User ID is : " + userID);
log.info("Enabling the User");
ApiResponse setUserEnabled = clientApi.users.setUserEnabled(contextID, userID, "true");
log.info("User is Enabled and the status is : " + setUserEnabled);
log.info("Setting Forced User");
ApiResponse setForcedUser = clientApi.forcedUser.setForcedUser(contextID, userID);
log.info("User is set as Forced User and the status is : " + setForcedUser);
log.info("Enabling Forced User Mode");
ApiResponse setForcedUserModeEnabled = clientApi.forcedUser.setForcedUserModeEnabled(true);
log.info("Enabled Forced User Mode and the status is : " + setForcedUserModeEnabled);
break;
}
}
}
return userID;
}
public boolean isUserPresentInContext(List<ApiResponse> usersListInContext, String mcUser, String contextID) {
boolean isPresent = false;
String str = "User is not available in Context List let's add the user";
log.info("Checking if provided User name " + mcUser + " is already present in list of context");
for (ApiResponse userListResponse : usersListInContext) {
String userList = userListResponse.toString(0);
boolean userPresentInContextList = userList.contains("name = " + mcUser);
boolean contextIDPresent = userList.contains("contextId = " + contextID);
if (userPresentInContextList == true && contextIDPresent == true) {
isPresent = true;
str = "User is already added to the context, no need to add the user again";
}
}
log.info(str);
return isPresent;
}
public List<String> readJsonFileConvertUrlsToList(String jsonContextsFileName, String nodeName) {
String filePath = readJsonFile.getJsonFilePath(jsonContextsFileName);
log.info("File Path is : " + filePath);
FileInputStream fis;
List<String> urlList = new ArrayList<>();
try {
fis = new FileInputStream(filePath);
JSONTokener tokener = new JSONTokener(fis);
JSONObject jsonObject = new JSONObject(tokener);
JSONArray contextJsonArray = jsonObject.getJSONArray("contexts");
for (int i = 0; i < contextJsonArray.length(); i++) {
JSONObject testJsonObject = contextJsonArray.getJSONObject(i);
JSONArray urlJsonArray = testJsonObject.getJSONArray(nodeName);
log.info("Running ZAP Scan on " + urlJsonArray.length() + " URL's");
for (int j = 0; j < urlJsonArray.length(); j++) {
String urlEndPoints = urlJsonArray.get(j).toString();
urlList.add(mcHostUrl + urlEndPoints);
}
}
} catch (FileNotFoundException e) {
e.printStackTrace();
}
return urlList;
}
public void includeAllURLSToContext(List<String> listOfURL, String contextID, String contextName) {
try {
log.info("Going to include URLs to context : " + contextName);
List<ApiResponse> includeContextRegex = ((ApiResponseList) clientApi.context.includeRegexs(contextName)).getItems();
for (int i = 0 ; i< listOfURL.size();i++) {
String zapTargetURL = listOfURL.get(i);
if (includeContextRegex.isEmpty() || isContextRegexPresent(includeContextRegex, zapTargetURL) == false)
clientApi.context.includeInContext(contextName, zapTargetURL);
log.info("Included Context Regex to Context : " + contextName);
}
} catch (ClientApiException e) {
e.printStackTrace();
}
}
public void spiderCrawlScanAsUser(String contextID, String userID,List<String> urlList)
throws InterruptedException, ClientApiException {
for (int i = 0 ; i< urlList.size();i++) {
String zapTargetURL = urlList.get(i);
log.info("PREPARING FOR SPIDER CRAWL ON TARGET HOST :" + zapTargetURL);
log.info("Starting Spider Scan");
ApiResponse apiResponse = clientApi.spider.scanAsUser(contextID, userID, zapTargetURL, "500",
"true", "true");
int progress;
String scanId = ((ApiResponseElement) apiResponse).getValue();
do {
Thread.sleep(5000);
progress = Integer.parseInt(((ApiResponseElement) clientApi.spider.status(scanId)).getValue());
log.info("Scan progress: {}{}", progress, "%");
} while (progress < 100);
log.info("Spider scan completed");
List<ApiResponse> spiderResults = ((ApiResponseList) clientApi.spider.results(scanId)).getItems();
log.info("spider results {}", spiderResults);
}
}
Мне что-то не хватает в приведенном выше коде? Я вообще не могу аутентифицировать пользователя.
1 ответ
Честно говоря, я бы не рекомендовал настраивать ZAP таким образом. Я рекомендую протестировать все на рабочем столе, убедиться, что все работает, а затем экспортировать контекст - затем вы можете импортировать его через API. Я также замечаю, что вы используете принудительный режим пользователя - он действительно предназначен для ручного тестирования, поэтому я бы не стал использовать его для автоматизации. Вместо этого укажите пользователя при запуске пауков и активного сканера.
Вскоре мы добавим больше документов по аутентификации и улучшим Automation Framework для поддержки аутентификации - эти две вещи должны упростить задачу.