zap-cli does not authenticate with the web site
Closed this issue · 3 comments
Hello,
I created the context file from a template. The template file is attached (renamed to .xml). The zap-cli commands directly below are executed and a positive response is shown ([INFO], no errors). The zap log shows many lines as follows:
[ZAP-ActiveScanner-1] INFO User - Authenticating user: test
The "context credentials name" is test. And the credentials are provided as well with 64bit encoding.
The zap commands executed are:
zap-cli context import /zap/wrk/$APP_CONTEXT_FILE
zap-cli open-url "$APP_URL"
zap-cli exclude "$LOGOUT_APP_URL"
zap-cli spider --context-name "$APP_CONTEXT_NAME" --user-name "$CONTEXT_CREDENTIALS_NAME" "$APP_URL"
zap-cli ajax-spider "$APP_URL"
zap-cli quick-scan -l Informational -s all -r -c "$APP_CONTEXT_NAME" -u "$CONTEXT_CREDENTIALS_NAME" "$APP_URL"
Is there something wrong from zap-cli point of view here?
Please let me know.
Hi! First thing to check would be whether or not this works when using the ZAP GUI. So, if you open a new session in ZAP, import the context file, exclude the logout URL, and then run the spider, does it authenticate properly then? The many "Authenticating user" log entries may be because the authentication is failing, or it isn't finding the logged in indicator in the response. So, it's worth checking if the context is configured properly by using the ZAP GUI to confirm. If you follow the same steps in the ZAP GUI and it works properly and doesn't create all those log entries, then we can try to figure out what might be different when done through zap-cli.
Hi, thanks for the input. I have performed the GUI test from the template and it works perfectly. I also tested with the zap stable container UI via browser. This stable container is also used for zap-cli.
On the GUI, the login connects and the spider successfully reaches logged-in pages.
Thank you,
Ben
If you run the GUI, but then use zap-cli to run the commands, can you check if it all works then? i.e. start the GUI, run the commands you listed:
zap-cli context import /zap/wrk/$APP_CONTEXT_FILE
zap-cli open-url "$APP_URL"
zap-cli exclude "$LOGOUT_APP_URL"
zap-cli spider --context-name "$APP_CONTEXT_NAME" --user-name "$CONTEXT_CREDENTIALS_NAME" "$APP_URL"
zap-cli ajax-spider "$APP_URL"
zap-cli quick-scan -l Informational -s all -r -c "$APP_CONTEXT_NAME" -u "$CONTEXT_CREDENTIALS_NAME" "$APP_URL"
If it doesn't work, what parts of the context are missing when you look at them through the GUI (i.e. is the authentication method correct, users configured, etc.)? Or rather what is different in those settings than when you import the context manually through the GUI? I'm trying to figure out what might be different when this is done through the API using ZAP, as I can't reproduce the issue while testing myself.
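One way to answer the question above without clicking through the GUI is to pull the loaded context, its authentication method, its users and its logged-in/logged-out indicators through the ZAP API and check them for the things that make "scan as user" silently fall back to re-authenticating on every request. The script below is an added example for this thread, not zap-cli or ZAP project code. It assumes the python-owasp-zap-v2.4 client (`zapv2`) for the live part, a ZAP listening on 127.0.0.1:8080 with its API key in the ZAP_API_KEY environment variable, and that the JSON returned by `context.context`, `authentication.get_authentication_method` and `users.users_list` carries the keys used here (`authType`, `loggedInPattern`, `methodName`, `loginRequestData`, `enabled`, `credentials`); the key names and the `is_authenticated` decision order are my reading of ZAP's behaviour, not something the thread confirms.

```python
"""Audit a ZAP context for the usual causes of an endless
'Authenticating user: ...' loop. Example code added to this thread;
not part of zap-cli or ZAP. JSON key names are an assumption."""
import os
import re


def audit_context(context, auth_method, users):
    """Return human-readable problems; an empty list means nothing obvious."""
    problems = []
    if not context.get("name"):
        problems.append("context not loaded (did 'zap-cli context import' succeed?)")

    method = auth_method.get("methodName", "")
    if method in ("", "manualAuthentication"):
        problems.append("authentication method is manual/unset: ZAP cannot log in by itself")
    elif method == "formBasedAuthentication":
        for key in ("loginUrl", "loginRequestData"):
            if not auth_method.get(key):
                problems.append(f"form-based auth has no {key}")
        data = auth_method.get("loginRequestData", "")
        for placeholder in ("{%username%}", "{%password%}"):
            if data and placeholder not in data:
                problems.append(f"loginRequestData lacks {placeholder}, credentials are never sent")

    enabled = [u for u in users if str(u.get("enabled", "")).lower() == "true"]
    if not users:
        problems.append("no users defined in the context")
    elif not enabled:
        problems.append("no enabled user: spider/scan as user needs one that is enabled")
    for user in enabled:
        creds = user.get("credentials", {})
        if not creds.get("username") or not creds.get("password"):
            problems.append(f"user {user.get('name')!r} has empty credentials")

    if not context.get("loggedInPattern") and not context.get("loggedOutPattern"):
        problems.append("no logged-in/logged-out indicator: ZAP cannot tell a valid session from the login page")
    return problems


def is_authenticated(http_message, logged_in_regex="", logged_out_regex=""):
    """Approximation (assumption) of ZAP's session check on one response:
    a matching logged-out indicator wins, then the logged-in indicator
    decides; with neither configured the session is assumed good.
    ZAP compiles Java regexes; Python 're' differs on \\Q...\\E and similar."""
    if logged_out_regex and re.search(logged_out_regex, http_message):
        return False
    if logged_in_regex:
        return re.search(logged_in_regex, http_message) is not None
    return True


def fetch_from_zap(context_name, proxy="http://127.0.0.1:8080"):
    """Live part: read the context through the ZAP API (needs zapv2 installed)."""
    from zapv2 import ZAPv2  # assumption: python-owasp-zap-v2.4 is installed
    zap = ZAPv2(apikey=os.environ.get("ZAP_API_KEY", ""),
                proxies={"http": proxy, "https": proxy})
    context = zap.context.context(context_name)
    cid = context["id"]
    return (context,
            zap.authentication.get_authentication_method(cid),
            zap.users.users_list(cid))


if __name__ == "__main__":
    import sys
    ctx, method, users = fetch_from_zap(sys.argv[1])  # e.g. $APP_CONTEXT_NAME
    for line in audit_context(ctx, method, users) or ["no obvious problem"]:
        print(line)
```

Run it after `zap-cli context import` against the same ZAP instance zap-cli is talking to; if it reports a disabled user, a missing `{%username%}` placeholder or no indicator, that is the difference to look for between the imported context and the one the GUI shows. Feeding a captured post-login response to `is_authenticated` with the context's logged-in regex tells you whether the regex would ever match, which is the other cause of the repeated "Authenticating user" lines.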