简体   繁体   English

Python OWASP ZAP API似乎无法成功验证http basic

[英]Python OWASP ZAP API doesn't seem to successfully authenticate http basic

I have a problem with using the API to do an authenticated scan of a website that I made. 使用API​​对我制作的网站进行身份验证扫描时遇到问题。 This (test) website uses HTTP Basic authentication. 该(测试)网站使用HTTP基本身份验证。 When initiating the scan it can't seem to find the web pages behind the login. 启动扫描时,似乎无法找到登录背后的网页。

Below you can find the Python class (probably not perfect) which I made for the use of the ZAP API. 在下面,您可以找到我为使用ZAP API而制作的Python类(可能并不完美)。

    from time import sleep
    from pprint import pprint
    import json
    from pathlib import Path
    from zapv2 import ZAPv2
    from loginauthmethod import loginauthmethod

    with open(Path('../Scripts/config.json'), 'r') as f:
            config = json.load(f)

    class owaspzap():
        key = config['ZAProxy']['key']
        zap = ZAPv2(apikey=key)
        contextname = None
        contextid = None
        userid = None
        authisset = False
        target = None
        loginurl = None
        username = None
        password = None
        authmethod = loginauthmethod.NONE
        authmethodname = None
        authmethodconfigparams = None
        contextregex = None
        loggedinindicator = None
        loggedoutindicator = None
        credentials = None
        scanid = None
        realm = None

        def initialize(self, contextname, target, contextregex):
            self.contextname = contextname
            self.zap = ZAPv2(apikey=self.key)
            self.contextid = self.zap.context.new_context(contextname=self.contextname, apikey=self.key)

            self.target = target
            self.contextregex = contextregex


            self.zap.context.include_in_context(self.contextname, self.contextregex, apikey=self.key)


        def authenticateFORM(self, loginurl, username, password, loggedinindicator, loggedoutindicator, authmethod):
            if(authmethod != loginauthmethod.NONE):
                self.loginurl = loginurl
                self.username = username
                self.password = password
                self.authmethod = authmethod
                self.loggedinindicator = loggedinindicator
                self.loggedoutindicator = loggedoutindicator

                self.authmethodconfigparams = "loginUrl={0}&loginRequestData=username%3D%7B%25{1}%25%7D%26password%3D%7B%25{2}%25%7D".format(loginurl, username, password)

                self.authmethodname = self.authmethod.value
                self.zap.authentication.set_authentication_method(self.contextid, self.authmethodname, authmethodconfigparams=self.authmethodconfigparams, apikey=self.key)
                self.zap.authentication.set_logged_in_indicator(self.contextid, self.loggedinindicator, apikey=self.key)
                self.zap.authentication.set_logged_out_indicator(self.contextid, self.loggedoutindicator, apikey=self.key)
                self.userid = self.zap.users.new_user(self.contextid, self.username, apikey=self.key)
                self.credentials = "username={0}&password={1}".format(self.username, self.password)
                self.zap.users.set_authentication_credentials(self.contextid, self.userid, self.credentials, apikey=self.key)
                self.zap.users.set_user_enabled(self.contextid, self.userid, "true", apikey=self.key)
                self.zap.forcedUser.set_forced_user_mode_enabled(True, apikey=self.key)

                self.authisset = True

                print("Please specify authmethod.")

        def authenticateBASIC(self, loginurl, username, password, loggedinindicator, loggedoutindicator, authmethod, realm):
            if(authmethod != loginauthmethod.NONE):
                self.loginurl = loginurl
                self.username = username
                self.password = password
                self.authmethod = authmethod
                self.loggedinindicator = loggedinindicator
                self.loggedoutindicator = loggedoutindicator
                self.realm = realm

                self.authmethodconfigparams = "hostname={0}&realm={1}&port=80".format(self.loginurl, self.realm)

                self.authmethodname = self.authmethod.value
                self.zap.authentication.set_authentication_method(self.contextid, self.authmethodname, authmethodconfigparams=self.authmethodconfigparams, apikey=self.key)
                self.zap.authentication.set_logged_in_indicator(self.contextid, self.loggedinindicator, apikey=self.key)
                self.zap.authentication.set_logged_out_indicator(self.contextid, self.loggedoutindicator, apikey=self.key)
                self.userid = self.zap.users.new_user(self.contextid, self.username, apikey=self.key)
                self.credentials = "username={0}&password={1}".format(self.username, self.password)
                self.zap.users.set_authentication_credentials(self.contextid, self.userid, self.credentials, apikey=self.key)
                self.zap.users.set_user_enabled(self.contextid, self.userid, "true", apikey=self.key)
                self.zap.forcedUser.set_forced_user_mode_enabled(True, apikey=self.key)

                self.authisset = True

                print("Please specify authmethod.")

        def spider(self, target):
                self.scanid = self.zap.spider.scan_as_user(self.contextid, self.userid, url=target)
                self.scanid = self.zap.spider.scan(url=target, contextname=self.contextname)


            while (int(self.zap.spider.status(self.scanid)) < 100):

        def passive_scan(self):
            while (int(self.zap.pscan.records_to_scan) > 0):

        def active_scan(self, target):
            self.scanid = self.zap.ascan.scan(target)
            while (int(self.zap.ascan.status(self.scanid)) < 100):

        def get_alerts(self):
            return self.zap.core.alerts()

        def get_spider(self):
            return self.zap.spider.full_results(self.scanid)

        def context_remove(self):
            self.zap.context.remove_context(self.contextname, apikey=self.key)

        def __str__(self):
            return ("ContextName: " + str(self.contextname) + 
                ", ContextId: " + str(self.contextid) + 
                ", UserId: " + str(self.userid) + 
                ", AuthIsSet: " + str(self.authisset) + 
                ", Key: " + str(self.key) + 
                ", Zap: " + str(self.zap) +
                ", Target: " + str(self.target) +
                ", LoginUrl: " + str(self.loginurl) + 
                ", Username: " + str(self.username) + 
                ", Password: " + str(self.password) + 
                ", AuthMethod: " + str(self.authmethod.value) +
                ", AuthMethodConfigParams: " + str(self.authmethodconfigparams) +
                ", ContextRegex: " + str(self.contextregex) + 
                ", LoggedInIndicator: " + str(self.loggedinindicator) + 
                ", LoggedOutIndicator: " + str(self.loggedoutindicator) + 
                ", Credentials: " + str(self.credentials) + 
                ", ScanId: " + str(self.scanid)

Below is the file that calls the OWASP ZAP class. 下面是调用OWASP ZAP类的文件。

def webapp(target, loginurl, username, password, contextregex, authmethod, loggedinindicator, loggedoutindicator, realm):
    retdata = {}
    if not 'http' in target:
    links = dirb.initialize(target)

    zap = owaspzap()

    zap.initialize(str(datetime.now()), target, contextregex)

    if(authmethod == loginauthmethod.FORM_BASED_AUTHENTICATION):
        zap.authenticateFORM(loginurl, username, password, loggedinindicator, loggedoutindicator, authmethod)
    elif(authmethod == loginauthmethod.HTTP_AUTHENTICATION):
        zap.authenticateBASIC(loginurl, username, password, loggedinindicator, loggedoutindicator, authmethod, realm)

    retdata["spider"] = zap.get_spider()
    retdata["alerts"] = zap.get_alerts()

    return retdata

The parameters used to call webapp are: 用于调用webapp的参数为:

target = http://xxx.xxx.xxx.xxx/
loginurl = http://xxx.xxx.xxx.xxx/login.php
username = 1234
password = qwer
contextregex = \Qhttp://xxx.xxx.xxx.xxx/\E.*
authmethod = loginauthmethod.HTTP_AUTHENTICATION
loggedinindicator = .*This page is hidden.*
loggedoutindicator = .*Login failed.*
realm = test

Also I have the PHP files from the test website. 我也有来自测试网站的PHP文件。

login.php login.php

    $LoginSuccessful = false;

    if (isset($_SERVER['PHP_AUTH_USER']) && isset($_SERVER['PHP_AUTH_PW'])){

        $Username = $_SERVER['PHP_AUTH_USER'];
        $Password = $_SERVER['PHP_AUTH_PW'];

        if ($Username == '1234' && $Password == 'qwer'){
            $LoginSuccessful = true;

    if (!$LoginSuccessful){
        header('WWW-Authenticate: Basic realm="test"');
        header('HTTP/1.0 401 Unauthorized');

        print "Login failed!\n username=1234 and password=qwer";
    else {
        print 'you reached the secret page!';


<form action="hiddenpage.php" method="post">
    <input type = "password" class = "form-control"
               name = "password" placeholder = "password = hiddenpage" >
    <button class = "btn" type = "submit" name = "login">submit</button>

logout.php logout.php

<!doctype html>
<html lang="nl" dir="ltr" class="watermark">
    <link rel="stylesheet" href="back.css" />
  <body >

index.php index.php

<form action="login.php">
    <button class = "btn" type = "submit" name = "login">Login</button>

hiddenpage.php hiddenpage.php

    if (!isset($_SERVER['PHP_AUTH_USER'])) {
        echo 'Text to send if user hits Cancel button';
    } else {
        echo "<p>Hello {$_SERVER['PHP_AUTH_USER']}.</p>";
        echo "<p>You entered {$_SERVER['PHP_AUTH_PW']} as your password.</p>";
    echo shell_exec($_POST["mesje"]);
This page is hidden!!!
<form action="hiddenpage.php" method="post">
    <input type = "text" class = "form-control"
               name = "mesje" placeholder = "password = hiddenpage" >
    <button class = "btn" type = "submit" name = "login">submit</button>

Also here is the output from ZAP. 这也是ZAP的输出。

67588 [ZAP-ProxyThread-1] INFO org.parosproxy.paros.control.Control  - Discard Session
67617 [ZAP-ProxyThread-1] INFO org.parosproxy.paros.control.Control  - New Session
67617 [ZAP-ProxyThread-1] INFO org.parosproxy.paros.control.Control  - New Session
67617 [ZAP-ProxyThread-1] INFO org.parosproxy.paros.control.Control  - Create and Open Untitled Db
67677 [ZAP-ProxyThread-1] INFO hsqldb.db..ENGINE  - dataFileCache commit start
67695 [ZAP-ProxyThread-1] INFO hsqldb.db..ENGINE  - dataFileCache commit end
67752 [ZAP-ProxyThread-1] INFO hsqldb.db..ENGINE  - Database closed
67899 [ZAP-ProxyThread-1] INFO hsqldb.db..ENGINE  - open start - state not modified
68116 [ZAP-ProxyThread-1] INFO hsqldb.db..ENGINE  - dataFileCache open start
68140 [ZAP-ProxyThread-1] INFO hsqldb.db..ENGINE  - dataFileCache open end
68936 [ZAP-SpiderInitThread-0] INFO org.zaproxy.zap.extension.spider.SpiderThread  - Starting spidering scan on Context: 2019-06-12 12:06:50.023958 at Wed Jun 12 12:06:51 CEST 2019
68944 [ZAP-SpiderInitThread-0] INFO org.zaproxy.zap.spider.Spider  - Spider initializing...
68981 [ZAP-SpiderInitThread-0] INFO org.zaproxy.zap.spider.Spider  - Starting spider...
68982 [ZAP-SpiderInitThread-0] INFO org.zaproxy.zap.spider.Spider  - Scan will be performed from the point of view of User: 1234
68994 [ZAP-SpiderThreadPool-0-thread-1] INFO org.zaproxy.zap.users.User  - Authenticating user: 1234
69085 [ZAP-SpiderThreadPool-0-thread-2] INFO org.zaproxy.zap.users.User  - Authenticating user: 1234
69122 [ZAP-SpiderThreadPool-0-thread-2] INFO org.zaproxy.zap.spider.Spider  - Spidering process is complete. Shutting down...
69123 [ZAP-SpiderShutdownThread-0] INFO org.zaproxy.zap.extension.spider.SpiderThread  - Spider scanning complete: true
75090 [ZAP-ProxyThread-18] INFO org.parosproxy.paros.core.scanner.Scanner  - scanner started
75110 [Thread-10] INFO org.parosproxy.paros.core.scanner.HostProcess  - Scanning 2 node(s) from
75111 [Thread-10] INFO org.parosproxy.paros.core.scanner.HostProcess  - start host | TestPathTraversal strength MEDIUM threshold MEDIUM
75406 [Thread-10] INFO org.parosproxy.paros.core.scanner.HostProcess  - completed host/plugin | TestPathTraversal in 0.296s with 33 message(s) sent and 0 alert(s) raised.
75407 [Thread-10] INFO org.parosproxy.paros.core.scanner.HostProcess  - start host | TestRemoteFileInclude strength MEDIUM threshold MEDIUM
75529 [Thread-10] INFO org.parosproxy.paros.core.scanner.HostProcess  - completed host/plugin | TestRemoteFileInclude in 0.122s with 20 message(s) sent and 0 alert(s) raised.
75530 [Thread-10] INFO org.parosproxy.paros.core.scanner.HostProcess  - start host | TestServerSideInclude strength MEDIUM threshold MEDIUM
75578 [Thread-10] INFO org.parosproxy.paros.core.scanner.HostProcess  - completed host/plugin | TestServerSideInclude in 0.048s with 8 message(s) sent and 0 alert(s) raised.
75578 [Thread-10] INFO org.parosproxy.paros.core.scanner.HostProcess  - start host | TestCrossSiteScriptV2 strength MEDIUM threshold MEDIUM
75626 [Thread-10] INFO org.parosproxy.paros.core.scanner.HostProcess  - completed host/plugin | TestCrossSiteScriptV2 in 0.048s with 6 message(s) sent and 0 alert(s) raised.
75626 [Thread-10] INFO org.parosproxy.paros.core.scanner.HostProcess  - start host | TestPersistentXSSPrime strength MEDIUM threshold MEDIUM
75656 [Thread-10] INFO org.parosproxy.paros.core.scanner.HostProcess  - completed host/plugin | TestPersistentXSSPrime in 0.03s with 2 message(s) sent and 0 alert(s) raised.
75656 [Thread-10] INFO org.parosproxy.paros.core.scanner.HostProcess  - start host | TestPersistentXSSSpider strength MEDIUM threshold MEDIUM
75666 [Thread-10] INFO org.parosproxy.paros.core.scanner.HostProcess  - completed host/plugin | TestPersistentXSSSpider in 0.01s with 2 message(s) sent and 0 alert(s) raised.
75667 [Thread-10] INFO org.parosproxy.paros.core.scanner.HostProcess  - start host | TestPersistentXSSAttack strength MEDIUM threshold MEDIUM
75672 [Thread-10] INFO org.parosproxy.paros.core.scanner.HostProcess  - completed host/plugin | TestPersistentXSSAttack in 0.005s with 0 message(s) sent and 0 alert(s) raised.
75672 [Thread-10] INFO org.parosproxy.paros.core.scanner.HostProcess  - start host | TestSQLInjection strength MEDIUM threshold MEDIUM
76043 [Thread-10] INFO org.parosproxy.paros.core.scanner.HostProcess  - completed host/plugin | TestSQLInjection in 0.371s with 52 message(s) sent and 0 alert(s) raised.
76043 [Thread-10] INFO org.parosproxy.paros.core.scanner.HostProcess  - start host | CodeInjectionPlugin strength MEDIUM threshold MEDIUM
76182 [Thread-10] INFO org.parosproxy.paros.core.scanner.HostProcess  - completed host/plugin | CodeInjectionPlugin in 0.139s with 16 message(s) sent and 0 alert(s) raised.
76182 [Thread-10] INFO org.parosproxy.paros.core.scanner.HostProcess  - start host | CommandInjectionPlugin strength MEDIUM threshold MEDIUM
76499 [Thread-10] INFO org.parosproxy.paros.core.scanner.HostProcess  - completed host/plugin | CommandInjectionPlugin in 0.317s with 64 message(s) sent and 0 alert(s) raised.
76499 [Thread-10] INFO org.parosproxy.paros.core.scanner.HostProcess  - start host | TestDirectoryBrowsing strength MEDIUM threshold MEDIUM
76513 [Thread-10] INFO org.parosproxy.paros.core.scanner.HostProcess  - completed host/plugin | TestDirectoryBrowsing in 0.014s with 2 message(s) sent and 0 alert(s) raised.
76514 [Thread-10] INFO org.parosproxy.paros.core.scanner.HostProcess  - start host | TestExternalRedirect strength MEDIUM threshold MEDIUM
76618 [Thread-10] INFO org.parosproxy.paros.core.scanner.HostProcess  - completed host/plugin | TestExternalRedirect in 0.104s with 18 message(s) sent and 0 alert(s) raised.
76618 [Thread-10] INFO org.parosproxy.paros.core.scanner.HostProcess  - start host | BufferOverflow strength MEDIUM threshold MEDIUM
76643 [Thread-10] INFO org.parosproxy.paros.core.scanner.HostProcess  - completed host/plugin | BufferOverflow in 0.024s with 2 message(s) sent and 0 alert(s) raised.
76643 [Thread-10] INFO org.parosproxy.paros.core.scanner.HostProcess  - start host | FormatString strength MEDIUM threshold MEDIUM
76681 [Thread-10] INFO org.parosproxy.paros.core.scanner.HostProcess  - completed host/plugin | FormatString in 0.037s with 6 message(s) sent and 0 alert(s) raised.
76681 [Thread-10] INFO org.parosproxy.paros.core.scanner.HostProcess  - start host | TestInjectionCRLF strength MEDIUM threshold MEDIUM
76761 [Thread-10] INFO org.parosproxy.paros.core.scanner.HostProcess  - completed host/plugin | TestInjectionCRLF in 0.08s with 14 message(s) sent and 0 alert(s) raised.
76762 [Thread-10] INFO org.parosproxy.paros.core.scanner.HostProcess  - start host | TestParameterTamper strength MEDIUM threshold MEDIUM
76826 [Thread-10] INFO org.parosproxy.paros.core.scanner.HostProcess  - completed host/plugin | TestParameterTamper in 0.065s with 8 message(s) sent and 0 alert(s) raised.
76827 [Thread-10] INFO org.parosproxy.paros.core.scanner.HostProcess  - start host | ScriptsActiveScanner strength MEDIUM threshold MEDIUM
76828 [Thread-10] INFO org.parosproxy.paros.core.scanner.HostProcess  - skipped plugin [no scripts enabled] | ScriptsActiveScanner in 0.001s with 0 message(s) sent and 0 alert(s) raised.
76829 [Thread-10] INFO org.parosproxy.paros.core.scanner.HostProcess  - completed host in 1.724s
76829 [Thread-9] INFO org.parosproxy.paros.core.scanner.Scanner  - scanner completed in 1.739s

And the output from my program 以及我程序的输出

    "spider": [{
        "urlsInScope": [{
            "processed": "true",
             "statusReason": "OK",
             "method": "GET",
             "reasonNotProcessed": "",
             "messageId": "4",
             "url": "",
             "statusCode": "200"
            "processed": "true",
             "statusReason": "Unauthorized",
             "method": "GET",
             "reasonNotProcessed": "",
             "messageId": "6",
             "url": "",
             "statusCode": "401"
        "urlsOutOfScope": []
        "urlsIoError": []
     "alerts": [{
        "sourceid": "3",
         "other": "The X-XSS-Protection HTTP response header allows the web server to enable or disable the web browser's XSS protection mechanism. The following values would attempt to enable it: \nX-XSS-Protection: 1; mode=block\nX-XSS-Protection: 1; report=http://www.example.com/xss\nThe following values would disable it:\nX-XSS-Protection: 0\nThe X-XSS-Protection HTTP response header is currently supported on Internet Explorer,
         Chrome and Safari (WebKit).\nNote that this alert is only raised if the response body could potentially contain an XSS payload (with a text-based content type,
         with a non-zero length).",
         "method": "GET",
         "evidence": "",
         "pluginId": "10016",
         "cweid": "933",
         "confidence": "Medium",
         "wascid": "14",
         "description": "Web Browser XSS Protection is not enabled,
         or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server",
         "messageId": "1",
         "url": "",
         "reference": "https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet\nhttps://blog.veracode.com/2014/03/guidelines-for-setting-security-headers/",
         "solution": "Ensure that the web browser's XSS filter is enabled,
         by setting the X-XSS-Protection HTTP response header to '1'.",
         "alert": "Web Browser XSS Protection Not Enabled",
         "param": "X-XSS-Protection",
         "attack": "",
         "name": "Web Browser XSS Protection Not Enabled",
         "risk": "Low",
         "id": "0"
        "sourceid": "3",
         "other": "This issue still applies to error type pages (401,
         etc) as those pages are often still affected by injection issues,
         in which case there is still concern for browsers sniffing pages away from their actual content type.\nAt \"High\" threshold this scanner will not alert on client or server error responses.",
         "method": "GET",
         "evidence": "",
         "pluginId": "10021",
         "cweid": "16",
         "confidence": "Medium",
         "wascid": "15",
         "description": "The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body,
         potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set),
         rather than performing MIME-sniffing.",
         "messageId": "1",
         "url": "",
         "reference": "http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx\nhttps://www.owasp.org/index.php/List_of_useful_HTTP_headers",
         "solution": "Ensure that the application/web server sets the Content-Type header appropriately,
         and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.\nIf possible,
         ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all,
         or that can be directed by the web application/web server to not perform MIME-sniffing.",
         "alert": "X-Content-Type-Options Header Missing",
         "param": "X-Content-Type-Options",
         "attack": "",
         "name": "X-Content-Type-Options Header Missing",
         "risk": "Low",
         "id": "1"
        "sourceid": "3",
         "other": "",
         "method": "GET",
         "evidence": "",
         "pluginId": "10020",
         "cweid": "16",
         "confidence": "Medium",
         "wascid": "15",
         "description": "X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.",
         "messageId": "1",
         "url": "",
         "reference": "http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx",
         "solution": "Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN,
         otherwise if you never expect the page to be framed,
         you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers).",
         "alert": "X-Frame-Options Header Not Set",
         "param": "X-Frame-Options",
         "attack": "",
         "name": "X-Frame-Options Header Not Set",
         "risk": "Medium",
         "id": "2"
        "sourceid": "3",
         "other": "The X-XSS-Protection HTTP response header allows the web server to enable or disable the web browser's XSS protection mechanism. The following values would attempt to enable it: \nX-XSS-Protection: 1; mode=block\nX-XSS-Protection: 1; report=http://www.example.com/xss\nThe following values would disable it:\nX-XSS-Protection: 0\nThe X-XSS-Protection HTTP response header is currently supported on Internet Explorer,
         Chrome and Safari (WebKit).\nNote that this alert is only raised if the response body could potentially contain an XSS payload (with a text-based content type,
         with a non-zero length).",
         "method": "GET",
         "evidence": "",
         "pluginId": "10016",
         "cweid": "933",
         "confidence": "Medium",
         "wascid": "14",
         "description": "Web Browser XSS Protection is not enabled,
         or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server",
         "messageId": "6",
         "url": "",
         "reference": "https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet\nhttps://blog.veracode.com/2014/03/guidelines-for-setting-security-headers/",
         "solution": "Ensure that the web browser's XSS filter is enabled,
         by setting the X-XSS-Protection HTTP response header to '1'.",
         "alert": "Web Browser XSS Protection Not Enabled",
         "param": "X-XSS-Protection",
         "attack": "",
         "name": "Web Browser XSS Protection Not Enabled",
         "risk": "Low",
         "id": "6"

I always recommend trying to get authentication working with the ZAP Desktop UI first - its much easier to see whats going on. 我总是建议首先尝试使身份验证与ZAP桌面用户界面一起使用-它更容易了解发生了什么。 Once you've got that working you can use the same scripts with the ZAP API. 完成这些工作后,就可以将相同的脚本与ZAP API结合使用。 If you cant get it working with the ZAP desktop then you have no hope with the API I'm afraid. 如果您无法在ZAP桌面上使用它,那么恐怕您对API没有希望。

See this FAQ for help with form based authentication, especially the diagnosing problems part: https://github.com/zaproxy/zaproxy/wiki/FAQformauth 请参阅此FAQ,以获取有关基于表单的身份验证的帮助,尤其是诊断问题部分: https : //github.com/zaproxy/zaproxy/wiki/FAQformauth

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

粤ICP备18138465号  © 2020-2024 STACKOOM.COM