OWASP ZAP – Authentication and Command Line Tool

In a previous post I gave a brief introduction to ZAP and showed how to check your application for security vulnerabilities. I strongly recommend that post before continuing this post. Here is the link for the previous post. In this post I will show how you can perform attacks when there is authentication for the application and how to create a command line tool using the REST API given by the ZAP developers.

When there is authentication needed in the application there are some additional steps that should carried on before attacking using the ZAP tool. A wonderful tutorial has given by the Cosmin Stefan, one of the developers of the OWASP ZAP tool.

Now lets see how to gain the advantage of REST API given by the ZAP developers. Of course you can do the same functions using the GUI application. But in some occasions a command line tool is better than a GUI application. For example consider you want to integrate this with your continuous integration environment (Jenkins, Bamboo). Here is the steps for doing the same functions using  REST API calls.

Consider following is the url of your application. URL = http://example.com

1.Create a new Context (Creates a new context called “test”)

         http://zap/JSON/context/action/newContext/?zapapiformat=JSON&contextName=test

---

lets assume that the context id of the created context is 1.

2.Include in the context (This is the regex form – \Qhttp://www.example.com\E.*)

               http://zap/JSON/context/action/includeInContext/?zapapiformat=JSON&contextName=test&regex=\Qhttp%3A%2F%2example.com\E.*

---

3.Set Authentication

(Here the authMethodConfigParams should be url encoded, in example I passed authMethodConfigParams as loginUrl=http%3A%2F%2Fexample.com%2Flogin%2F&loginRequestData=username%3D%7B%25username%25%7D%26password%3D%7B%25password%25%7D )and Log in Url as   http://example.com/login

              http://zap/JSON/authentication/action/setAuthenticationMethod/?zapapiformat=JSON&contextId=1&authMethodName=formBasedAuthentication&authMethodConfigParams=loginUrl%3Dhttp%253A%252F%252Fexample.com%252Flogin%252F%26loginRequestData%3Dusername%253D%257B%2525username%2525%257D%2526password%253D%257B%2525password%2525%257D

---

4.Set Log in Indicator (I here used “<logout>” as the login indicator)

        http://zap/JSON/authentication/action/setLoggedInIndicator/?zapapiformat=JSON&contextId=1&loggedInIndicatorRegex=%5CQ%3Clogout%3E+%5CE

---

5.Create new user

          http://zap/JSON/users/action/newUser/?contextId=1&name=User

---

Lets assume the created user id is 0.

6. Add user credentials (passed username as ‘test’ and password as ‘mypassoword’)

          http://zap/JSON/users/action/setAuthenticationCredentials/?zapapiformat=JSON&contextId=1&userId=0&authCredentialsConfigParams=username%3Dtest%26password%3Dmypassword

---

7. Enable user

         http://zap/JSON/users/action/setUserEnabled/?contextId=1&userId=0&enabled=true

---

8. Spider Url as User (The url must be url encoded)

         http://zap/JSON/spider/action/scanAsUser/?zapapiformat=JSON&url=http%253A%252F%252Fexample.com&contextId=1&userId=0

---

9. Active scan

        http://zap/JSON/ascan/action/scan/?zapapiformat=JSON&url=http%3A%2F%2Fexample.com&recurse=&inScopeOnly=

---

10.Generate XML Report.

        http://zap/OTHER/core/other/xmlreport/