Authentication script not executed before run active scan or crawling
Good afternoon dear community,
I have an issue with the OWASP ZAP scanner.
Summary: the authentication script is not executed before running an active scan or crawling.
Here are more details:
The context authentication uses the script-based authentication method:
[screenshot: session.png]
In order to authenticate, the script contains 4 API calls, all of which depend on each other.
[screenshot: auth_script.png]
So, basically, ZAP needs to execute this script (all four API calls), get the cookies and use them for the subsequent active scan.
The only way to do so is to run the script containing the 4 API calls for authentication, OR to run a Selenium script which does the same on the UI side.
For now I am trying the script approach (which looks easier).
But when I start my active scan, OWASP ZAP doesn't run the script; it just starts running the attack against the URLs from 'Sites'.
[screenshot: active_scan.png]
Can someone clarify why that happens and how to set up the context/application/etc. to run the auth script before running the scan itself?
Until then the server returns 403 for all requests because none of them are authenticated.
I hope that someone can help me; I have already wasted a lot of time trying to figure it out, but still can't find the solution.
A copy of this question is also here:
https://groups.google.com/forum/#!topic/zaproxy-users/Fs9EoasHycI
owasp zap
edited Mar 27 at 16:58
xavdid
asked Mar 27 at 16:48
AleksandrAleksandr
1 Answer
As per my answer on the user group, the problem is that you are not giving ZAP a logged out / logged in indicator, so ZAP doesn't know when it should run the authentication script you've provided. If you can specify one of those then the script should run.
answered Mar 27 at 17:26
Simon BennettsSimon Bennetts
Thank you for the response. I have checked twice what I can do after reading your response. Unfortunately it's impossible to use this approach in my case, because to log in the client needs to send four different queries instead of just one. I have also added a '403' response as the 'Logged out indicator' and a 200 response as the 'Logged in indicator'. I see that when I start the scanner the ZAP application does not execute the script before running the scan. It's clearly visible in the history of the scan (the list of URLs excludes the API endpoints for authentication). Looking forward to hearing from you.
– Aleksandr
Mar 28 at 11:38
Have replied on the ZAP User Group :)
– Simon Bennetts
Mar 28 at 12:04
Thank you for the help!
– Aleksandr
Jul 30 at 10:08
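As an added example (not code from the question or from Simon's answer), this is what the answer's fix looks like with the python-owasp-zap-v2.4 client: the authentication script is attached to a context that also carries logged-in and logged-out indicators, and the active scan runs as a user of that context. The `ZAPv2` client, the script file `auth.js`, the `Oracle Nashorn` engine name, the `baseUrl` script parameter and the context/user names are assumptions; the indicator regexes are anchored to the status line so that a bare "403" or "200" elsewhere in a response cannot mislead ZAP.

```python
import re
from urllib.parse import quote

# Anchored to the status line so a stray "403" or "200" in a header value or
# JSON body cannot flip ZAP's view of the session (a bare "403" regex would).
LOGGED_OUT_REGEX = r"^HTTP/\d\.\d 403 "
LOGGED_IN_REGEX = r"^HTTP/\d\.\d 200 "


def classify_response(raw_response: str) -> str:
    """Simplified model of ZAP's indicator check: each regex is searched over the
    raw response (status line, headers, body). Returns 'in', 'out' or 'unknown'."""
    if re.search(LOGGED_IN_REGEX, raw_response, re.MULTILINE):
        return "in"
    if re.search(LOGGED_OUT_REGEX, raw_response, re.MULTILINE):
        return "out"
    return "unknown"


def script_auth_params(script_name: str, **script_params) -> str:
    """Build the authMethodConfigParams string for scriptBasedAuthentication:
    scriptName plus the script's own parameters, URL-encoded and '&'-joined."""
    parts = [f"scriptName={quote(script_name, safe='')}"]
    parts += [f"{k}={quote(str(v), safe='')}" for k, v in script_params.items()]
    return "&".join(parts)


def configure_and_scan(zap, target: str, script_file: str, creds: dict) -> str:
    """Register the auth script, attach it to a context that HAS logged-in/out
    indicators, create a user and active-scan as that user. Returns the scan id.
    `zap` is a zapv2.ZAPv2 client (assumed installed and pointed at a running ZAP)."""
    ctx_name = "api-context"                      # constructed context name
    ctx_id = zap.context.new_context(ctx_name)
    zap.context.include_in_context(ctx_name, re.escape(target) + ".*")
    # Engine name "Oracle Nashorn" is an assumption; check zap.script.list_engines().
    zap.script.load("auth.js", "authentication", "Oracle Nashorn", script_file)
    zap.authentication.set_authentication_method(
        ctx_id, "scriptBasedAuthentication",
        script_auth_params("auth.js", baseUrl=target))   # baseUrl: assumed script param
    # Without an indicator ZAP never detects a logged-out session, so the script
    # is never triggered and every scan request keeps getting 403.
    zap.authentication.set_logged_out_indicator(ctx_id, LOGGED_OUT_REGEX)
    zap.authentication.set_logged_in_indicator(ctx_id, LOGGED_IN_REGEX)
    user_id = zap.users.new_user(ctx_id, "scanner")
    zap.users.set_authentication_credentials(
        ctx_id, user_id, "&".join(f"{k}={quote(str(v), safe='')}" for k, v in creds.items()))
    zap.users.set_user_enabled(ctx_id, user_id, True)
    zap.forcedUser.set_forced_user(ctx_id, user_id)     # spider/scan traffic as this user
    zap.forcedUser.set_forced_user_mode_enabled(True)
    return zap.ascan.scan_as_user(target, ctx_id, user_id, recurse=True)


if __name__ == "__main__":
    from zapv2 import ZAPv2   # pip install python-owasp-zap-v2.4
    client = ZAPv2(apikey="CHANGEME", proxies={"http": "http://127.0.0.1:8080",
                                                "https": "http://127.0.0.1:8080"})
    scan_id = configure_and_scan(client, "https://app.example", "/zap/auth.js",
                                 {"username": "scanner", "password": "CHANGEME"})
    print("active scan started, id", scan_id)
```

After the scan starts, the History tab should show the script's four authentication requests before the scanner's own requests; if it still shows only 403s, the indicator regex is not matching the responses the application actually returns.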