Set active HTTP Session
With a custom session cookie, I'm not able to tell the spider to crawl properly even with a user set in a context that authenticates via form.
I tried logging in to the web app using the browser and set the session cookie as active session then the spider was able to crawl properly.
Is there a way to set it via zap-cli?
Commands:
active-scan Run an Active Scan.
ajax-spider Run the AJAX Spider against a URL.
alerts Show alerts at the given alert level.
context Manage contexts for the current session.
exclude Exclude a pattern from all scanners.
open-url Open a URL using the ZAP proxy.
policies Enable or list a set of policies.
quick-scan Run a quick scan.
report Generate XML or HTML report.
scanners Enable, disable, or list a set of scanners.
scripts Manage scripts.
session Manage sessions.
shutdown Shutdown the ZAP daemon.
spider Run the spider against a URL.
start Start the ZAP daemon.
status Check if ZAP is running.
I don't see it in the list of commands.
zapv2 python has it,
zap.httpsessions.set_active_session(url, session, apikey)
Hi @setzamora! Just to confirm, you're not able to set up a working authentication method for the context, is that right? zap-cli can handle authenticated crawls by using the authentication method configured in a context and then passing the configured user to the spider, active-scan, or quick-scan commands: https://github.com/Grunny/zap-cli#running-scans-as-authenticated-users
I can also add support for manually setting the HTTP sessions if that's necessary to make authentication work for the site you're testing, there isn't currently a command for that.
Hey @Grunny. That is correct. Unfortunately, the application is using a custom cookie for authentication and for some reason the spider doesn't honour the session.
I already added the custom cookie to the list and saw that form-based authentication with a valid user works but I'm not sure why the spider doesn't pick it up. The difference in the result of the spider crawls is evident when setting an active HTTP session manually versus relying on the form-based authentication. Note that I already added some specific rules to prevent the spider from hitting the "logout" link, and whatnot.
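The workflow the thread describes (log in by hand, register the custom cookie as a session token, make that cookie the active HTTP session, then spider) can be driven from the zapv2 Python client that the issue points at. The script below is an added example for this page; it is not code from the issue, from zap-cli or from the ZAP project. Everything concrete in it is assumed: ZAP listening on 127.0.0.1:8090, the API key in `ZAP_API_KEY`, a target of `https://app.example.com/`, a custom cookie named `appsid`, the session name `manual-login`, and that the `httpsessions` API identifies a site as `host:port` (the client parameter is called `site`).

```python
"""Added example, not part of the issue or of zap-cli: make a captured cookie the
active ZAP HTTP session via the zapv2 client, then spider with it.

All names below are assumptions: ZAP on 127.0.0.1:8090, key in ZAP_API_KEY,
target https://app.example.com/, custom cookie "appsid", session "manual-login",
and sites keyed as "host:port" by the httpsessions API.
"""
import os
import time
from urllib.parse import urlsplit


def zap_site(url):
    """Turn a URL into the "host:port" string the httpsessions API expects."""
    parts = urlsplit(url)
    if parts.hostname is None:
        raise ValueError(f"no host in URL: {url!r}")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return f"{parts.hostname}:{port}"


def parse_cookie_header(header):
    """Parse a raw Cookie request-header value (copied from the browser after a
    manual login) into {name: value}; rejects pairs without an '='."""
    cookies = {}
    for pair in header.split(";"):
        pair = pair.strip()
        if not pair:
            continue
        name, sep, value = pair.partition("=")
        if not sep or not name.strip():
            raise ValueError(f"malformed cookie pair: {pair!r}")
        cookies[name.strip()] = value.strip()
    return cookies


def activate_session(zap, target_url, token_name, token_value, session_name="manual-login"):
    """Register the custom cookie as a session token and make it the active session.

    `zap` is a zapv2.ZAPv2 instance (or any object with the same httpsessions
    methods). Returns the site key so the caller can verify the result."""
    site = zap_site(target_url)
    # ZAP only tracks cookies it knows as session tokens; a custom name must be added.
    if token_name not in zap.httpsessions.session_tokens(site):
        zap.httpsessions.add_session_token(site, token_name)
    # Create a named session, give it the captured value, then make it active.
    zap.httpsessions.create_empty_session(site, session_name)
    zap.httpsessions.set_session_token_value(site, session_name, token_name, token_value)
    zap.httpsessions.set_active_session(site, session_name)
    return site


def session_is_active(zap, site, session_name):
    """Check before crawling: the spider sends the active session's cookie,
    but only if the session is actually marked active for this site."""
    return zap.httpsessions.active_session(site) == session_name


def spider_as_session(zap, target_url, poll_seconds=2):
    """Run the traditional spider, wait for it to finish, return the URLs found."""
    scan_id = zap.spider.scan(target_url)
    while int(zap.spider.status(scan_id)) < 100:
        time.sleep(poll_seconds)
    return zap.spider.results(scan_id)


if __name__ == "__main__":
    from zapv2 import ZAPv2  # pip install python-owasp-zap-v2.4

    zap = ZAPv2(apikey=os.environ["ZAP_API_KEY"],
                proxies={"http": "http://127.0.0.1:8090", "https": "http://127.0.0.1:8090"})
    target = "https://app.example.com/"
    # Constructed Cookie header, as it would be copied from the browser after logging in.
    cookies = parse_cookie_header("appsid=9f2c1b7e4d; theme=dark")

    zap.core.access_url(target)  # make sure ZAP has seen the site first
    zap.spider.exclude_from_scan(r".*logout.*")  # keep the crawl from ending the session
    site = activate_session(zap, target, "appsid", cookies["appsid"])
    if not session_is_active(zap, site, "manual-login"):
        raise SystemExit(f"active session not set for {site}")
    for url in spider_as_session(zap, target):
        print(url)
```

The check in `session_is_active` is the one worth keeping: if `set_active_session` is called for a site key ZAP has not seen yet, or with a token name that was never registered, the spider runs unauthenticated and the crawl looks exactly like the one the issue complains about. The logout exclusion mirrors the rule the reporter says they already added.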