带有django管理员登录名的OWASP ZAP配置

Question

The problem I can't configure my OWASP ZAP application to log in and Scan the pages which require authentication.

My page is the built in Django admin page.

I've recorded a script following the instruction from this page: https://www.coveros.com/scripting-authenticated-login-within-zap-vulnerability-scanner/

The script can log in.

I've set it as Script-based Authentication

Login URL : http://127.0.0.1:8000/admin/ Method: POST

Logged in indicator regexp: \\Qlogout\\E Logged Out indicator regexp: \\Q/admin/\\E

I'm not sure if it is a must to add the user, but I've added it.

Session Management: Cookie Based (tried it with HTTP based as well )

When I click on Attack Scan/Spider, the scanned pages are only which do not require authentification. Eg.: The /admin/logout/ page is not discovered

Please let me know what am I doing wrong?

Thanks

Answer 1

Have a look at this FAQ, esp the Diagnosing Problems section: https://github.com/zaproxy/zaproxy/wiki/FAQformauth#diagnosing-problems

Reproducing that section here for completeness:

If the "Forced User Mode disabled - click to enable" button is not enabled then you have not configured enough information for ZAP to authenticate - double check that you have performed all of the above steps.

If you have enable forced user mode and are still not logged in when you access your application then look at the requests in the History tab:

• If there is no login request then you have probably not chosen a suitable "logged in/out" indicator, try changing it and trying again
• If there is a login request then look at the requests and response and see if you can work out why the login failed - you may need to change the request or even make multiple requests

If you need to make multiple requests to login then the best option is to record a Zest authentication script and to test this in isolation first.