I'm trying to use Form-Based Authentication feature of OWASP ZAP using ZAP's python API.
I noticed that while using a HTTP application (for example - http://demo.testfire.net/) it is able to spider and give additional URLs once logged in. However, when I try the same for HTTPS application it isn't fetching additional URLs once logged in.
My question here is - Does ZAP support Form-Based authentication for HTTP related web application only?
Yes, and we have a FAQ for it: https://github.com/zaproxy/zaproxy/wiki/FAQformauth
Its difficult to debug issues when just using the API, so I recommend using the UI first and once you've got that working then converting what you've done to the API.
Via the UI:
List item
Explore your app while proxying through ZAP
Login using a valid username and password
Define a Context, eg by right clicking the top node of your app in the Sites tab and selecting "Include in Context"
Find the 'Login request' in the Sites or History tab
Right click it and select "Flag as Context" / " Form-based Auth Login request"
Check that the Username and Password parameters are set correctly - they almost certainly wont be!
Find a string in a response which can be used to determine if the user is logged in or not
Highlight this string, right click and select "Flag as Context" / " Logged in/out Indicator" as relevant - you only need to set one of these, not both
Double click on the relevant Context node and navigate to the "Users" page - check the user details are correct, add any other users you want to use and enable them all
Navigate to the Context "Forced User" page and make sure the user you want to test is selected
The "Forced User Mode disabled - click to enable" button should now be enabled
Pressing this button in will cause ZAP to resend the authentication request whenever it detects that the user is no longer logged in, ie by using the 'logged in' or 'logged out' indicator.
Via the API the process is the same but using the API calls:
context/includeInContext
authentication/setAuthenticationMethod
authMethodName : formBasedAuthentication
authMethodConfigParams : loginUrl=http://example.com/login.html&loginRequestData=username%3D%7B%25username%25%7D%26password%3D%7B%25password%25%7D
authentication/setLoginIndicator or setLogoutIndicator
forcedUser/setForcedUserModeEnabled
The values for authMethodConfigParams parameters must be URL encoded, in this case loginRequestData is username={%username%}&password={%password%}
Related
I'm currently troubleshooting a login issue for a deployed Moodle. Login page uses an alternate page which I have managed to identify. The alternate page considers everything except successful login as invalid or expired login or password.
Since some correct login and password are also getting the same issue.I am trying to restore the Moodle instance to use its default login page but did not find any $CFG->alternateloginurl configuration set in moodle.php. Kindly please provide any pointers you can think of on where to look next to restore the login page.
PS: I've also searched within the active theme, and there has not been any code changes. Uses a variant of Moove
Thank you
Rest assured that its a common issue
https://docs.moodle.org/401/en/Managing_authentication#Alternate_login_URL
There is an entry in the database
SELECT *
FROM mdl_config
WHERE name = 'alternateloginurl'
Note the value, just in case, then blank it out
UPDATE mdl_config
SET value = ''
WHERE name = 'alternateloginurl'
Then purge the cache to update Moodle
php admin/cli/purge_caches.php
When you do manage to log in, check which other authentication methods are active via
Site administration > Plugins > Authentication > Manage authentication
https://docs.moodle.org/401/en/Managing_authentication
The default methods are manual and email self registration
Although self registration is disabled by default in the settings on the same page (registerauth)
I have keycloak on docker (v20.0.2) and as you know some versions change some or good part of the UI, so is hard to follow tutorials around the web...
I am trying to follow this particular tuto
https://developers.redhat.com/blog/2020/11/24/authentication-and-authorization-using-the-keycloak-rest-api#keycloak_sso_demo
that seems the more updated. My keycloak is actually behind traeffic and thomseddon/traeffic-fordward-auth with a docker-compose file (but the connection through traeffic is good and I have acces to admin UI)
So on step 10 of the tutorial things change for me, I have to look for that particular view inside:
Click on lateral menu Client Scope
Click on button Create client scope
Give a name to the scope, and click on Tab Mapper
All mappers are predefined... so there is no "New mapper" don't understand this bit
then just follow the tuto
With that series of steps I get an error when retriving the token...
https://keycloak:8443/realms/education/protocol/openid-connect/token
enter image description here
(this are fake local data from the realm I created for testing)
that responds with a or something similar I have also tried to change the grant_type to password, and the same happens can not query the token....
{
"error": "invalid_client",
"error_description": "Invalid client or Invalid client credentials"
}
But if I do not link a user with an scope/role as in the tuto suggest then I get the token, but of course I want to use the role or scope to limit who can see which endpoint and who can not
Any step that I'm missing from this update, do you have the same error?
Thank you in advance
I have tried to run it with different combinations of options to see if there is a toggle that actually allows me to fetch the token
Also with different types of grant_type
I will build an API in Python (I don't know Java and prefer Json instead of XML) that connect to this keycloak to allow users or not based on their scope/role/permission or something
I need to be able to block user so if user Student try to access an url from another Student he get blocked that url. So is based on the role or scope or I don't know which is prefered or easer to accomplish, the mission is to block users or not based on a factor that could be used for this in keycloak.
I can't get zap past the login page. It just fixates on the login and forgotten password forms.
I have followed various official HOWTOs and this FAQ but even though I have deleted the zap user, it still uses login_id=ZAP&password=ZAP when trying to log in.
I'm in standard mode, forced user mode, forced user is defined, logged in and logged out strings are defined - and I have tried others.
login form target url: https://xxx.yyy.net/affiliate_login_action.ido
login request POST data: login_id={%username%}&password={%password%}
logged in regex: \QLogout\E
logged out regex: \QAgent Login\E
I can't think what else to try.
The regexs doesn't seem right. In my experience when you don't specify correct login/logout regexs ZAP is using just ZAP, ZAP.
Try to change regexs to .*\QLogout\E.* and .*\QAgent Login\E.*
I am trying to connect to Paypal to get a users consent to access their paypal payment history. The end goal would be to download payments received at the end of the day and take the info and dump it into a local database.
https://developer.paypal.com/webapps/developer/docs/api/#obtain-users-consent
<Cfset returnlink="http://www.xxxxxx.com/paypal/paypalreturn.cfm">
<cfset paypalLink="https://www.paypal.com/webapps/auth/protocol/openidconnect/v1/authorize">
<Cfset paypallink="#paypallink#?client_id=#settingsLive.clientid#">
<Cfset paypallink="#paypallink#&redirect_uri=#urlencodedformat(returnlink)#">
<Cfset paypallink="#paypallink#&response_type=code">
<Cfset paypallink="#paypallink#&scope=profile+email+address+phone+https%3A%2F%2Furi.paypal.com%2Fservices%2Fpaypalattributes">
<cfset paypalLink="#paypallink#&nonce=#createUUID()#">
<cfset paypalLink="#paypallink#&state=create">
Login with paypal
Clicking on the link below returns:
Relying Party Validation error: redirect_uri provided in the request
does not match with the registered redirect_uri. Please check the
request.
I have logged into the Rest API, modified my app and made sure the redirect uri's for the test and live return link match that listed above. I have also made sure that the accept logins options are checked.
I have also tried the same code against their sandbox URL:
https://www.sandbox.paypal.com/webapps/auth/protocol/openidconnect/v1/authorize
and instead of receiving the validation error, I get a page cannot be displayed.
I've tried every combination of things that I could think of
1) removing 1 cfset statement at a time to isolate a bad variable
2) making sure the return uri was a https vs http
3) switching to sandbox mode url and back
I've connected to other oauth2 api's in the past, but can't figure this one out.
This has changed a bit, and will presumably change again soon... but here's how you do this now.
Log into developer.paypal.com
Click on Dashboard (https://developer.paypal.com/developer/applications)
Click your app name under "Rest API Apps"
Scroll to the box at the bottom of the screen labeled "Sandbox (or Live) App Settings
Set the Return URL (Where users will be redirected after test transactions)
Click save
NOTE
This Return URL must exactly match the redirect_uri that you pass in via querystring (so it's confusing as to why you'd need to pass it in in the first place)
GOTCHA
At this point in time, the Return URL can seemingly never be updated. In my recent experience, if you don't type it correctly the first time you save it, you will have to create a new app.
The only time I have seen this error is when your redirect_uri does not match the one set in your applications profile.
You need to set this value inside of your app on the developer website.
Log into developer.paypal.com
Click Applications
Under My Rest Apps click your App name
Click Edit next to App redirect URLs
Set the return URLs for live or test
Save
I am also unable to get sandbox to work for my Log In with PayPal tests so it is not just you.
As of now (October 2015), the Dashboard Return URL should correspond to the redirect_uri. You can obtain the redirect_uri parameter in Firefox, by downloading the HTTPFox browser plugin. Then you start HTTPFox, point your browser to the OmniAuth login link, and view the scParams in the query string in the bottom-most link in the HTTPFox history to obtain the redirect_uri.
You have to literally make sure the Return URL is the exact same sequence of characters as the input redirect_uri. For example, if one points to "localhost" and the other to "127.0.0.1", it won't recognize the redirect_uri value as the same. It also won't recognize redirect_uri if only one of the redirect_uri values has a final slash.
Yes, the return URL was able to be updated in my experience.
In our app (service provider), there is a security filter to prevent viewing certain pages. For example a user can view a.xhtml but not b.xhtml. The user can login to view a.xhtml. And if he type in the URL to b.xhtml, the security filter will redirect himi to an error page.
Using josso, before login, user may type the url to b.xhtml and would be redirected to josso login page. After successful login, user will be redirected to the "back_to" page, which will be b.xhtml. In this case the security filter is not triggered, the use can see b.xhtml!
Refresh on b.xhtml then will trigger the filter and send user to error page, but too late.
We use josso 1.8.5 and tomcat 7.0.26.
Please any guru can help?
Thanks