
Basic Authorization in OWASP ZAP

I need to attack endpoints via OWASP ZAP tool (got 2.5.0 version). I tested endpoints via Postman. I've got Authorization with Type: Basic Auth, Username: exampleUserName, Password: examplePass.

Please could you give me any hints on how to set up Basic Auth in OWASP ZAP?

I set up User for my Context. What else is needed?

Found solution:

1) Control Panel -> Internet Options -> Connections -> LAN Settings -> check "Use a proxy for etc." -> click OK

2) Send request via Postman with Basic Auth

3) The endpoint is visible in OWASP ZAP tool, in Sites section

4) Right click on endpoint, choose Attack action

We have a FAQ for that :) How can ZAP automatically authenticate via forms?

Copied here for reference:

Via the UI:

  1. Explore your app while you proxying through ZAP
  2. Login using a valid username and password
  3. Define a Context, e.g. by right-clicking the top node of your app in the Sites tab and selecting "Include in Context"
  4. Find the 'Login request' in the Sites or History tab
  5. Right click it and select "Flag as Context" / "Form-based Auth Login request"
  6. Check that the Username and Password parameters are set correctly - they almost certainly won't be!
  7. Find a string in a response which can be used to determine if the user is logged in or not
  8. Highlight this string, right click and select "Flag as Context" / "Logged in/out Indicator" as relevant - you only need to set one of these, not both
  9. Double-click on the relevant Context node and navigate to the "Users" page - check the user details are correct, add any other users you want to use and enable them all
  10. Navigate to the Context "Forced User" page and make sure the user you want to test is selected
  11. The "Forced User Mode disabled - click to enable" button should now be enabled
  12. Pressing this button in will cause ZAP to resend the authentication request whenever it detects that the user is no longer logged in, i.e. by using the 'logged in' or 'logged out' indicator.

If the "Forced User Mode disabled - click to enable" button is not enabled then you have not configured enough information for ZAP to authenticate - double check that you have performed all the above steps.

If you have enabled "forced user mode" and are still not logged in when you access your application then look at the requests in the History tab:

  • If there is no login request then you have probably not chosen a suitable "logged in/out" indicator, try changing it and trying again
  • If there is a login request then look at the requests and response and see if you can work out why the login failed - you may need to change the request or even make multiple requests

If you need to make multiple requests to login then the best option is to record a Zest authentication script and to test this isolated first.

The FAQ also details how to set up authentication via the ZAP API.
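The answer above points at the ZAP API route for the same setup. As an added example (not from the question, the answers, or the ZAP project itself), the script below drives ZAP's JSON API to reproduce the Context / Users / Forced User steps, but with the "httpAuthentication" method the asker needs for Basic Auth instead of the form-based method. It assumes ZAP's API on http://127.0.0.1:8080 with an API key placeholder, and the hostname, realm and include regex are constructed values; a small recording client stands in for a running ZAP so the sequence can be checked offline.

```python
import json
import urllib.parse
import urllib.request

def zap_api_call(base_url, apikey):
    """Return a callable that issues one ZAP JSON API action and parses the result."""
    def call(component, action, params):
        query = urllib.parse.urlencode({**params, "apikey": apikey})
        url = f"{base_url}/JSON/{component}/action/{action}/?{query}"
        with urllib.request.urlopen(url, timeout=10) as resp:
            return json.loads(resp.read().decode())
    return call

def configure_basic_auth(call, context_name, include_regex, hostname, port, realm,
                         username, password):
    """Mirror the UI steps (context, user, forced user) with ZAP's httpAuthentication method."""
    ctx = call("context", "newContext", {"contextName": context_name})["contextId"]
    call("context", "includeInContext", {"contextName": context_name, "regex": include_regex})
    # authMethodConfigParams is itself a URL-encoded string, so it is encoded separately
    method_cfg = urllib.parse.urlencode({"hostname": hostname, "port": port, "realm": realm})
    call("authentication", "setAuthenticationMethod",
         {"contextId": ctx, "authMethodName": "httpAuthentication",
          "authMethodConfigParams": method_cfg})
    user = call("users", "newUser", {"contextId": ctx, "name": username})["userId"]
    creds = urllib.parse.urlencode({"username": username, "password": password})
    call("users", "setAuthenticationCredentials",
         {"contextId": ctx, "userId": user, "authCredentialsConfigParams": creds})
    call("users", "setUserEnabled", {"contextId": ctx, "userId": user, "enabled": "true"})
    call("forcedUser", "setForcedUser", {"contextId": ctx, "userId": user})
    call("forcedUser", "setForcedUserModeEnabled", {"boolean": "true"})
    return {"contextId": ctx, "userId": user}

class RecordingClient:
    """Offline stand-in for a running ZAP: records each call and returns canned ids."""
    def __init__(self):
        self.calls = []
    def __call__(self, component, action, params):
        self.calls.append((component, action, dict(params)))
        if action == "newContext":
            return {"contextId": "1"}
        if action == "newUser":
            return {"userId": "0"}
        return {"Result": "OK"}

if __name__ == "__main__":
    # Against a running ZAP use: call = zap_api_call("http://127.0.0.1:8080", "<your-api-key>")
    call = RecordingClient()  # constructed, offline run
    print(configure_basic_auth(call, "example", "https://api.example.test/.*",
                               "api.example.test", 443, "example", "exampleUserName", "examplePass"))
```

Once Forced User Mode is on, ZAP adds the Basic credentials to requests for that context, so a 401 seen in the History tab usually means the hostname, port or realm in the method config does not match what the server sends in its WWW-Authenticate challenge.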
