ZAP Spider can't find form request on DVWA - zap

I'm tring using OWASP ZAP and DVWA. I want to find all request using spider. I was setting below:
login admin user
include default context
Flag as Context: Formed-based Auth Login Request
add admin user
Forced user mode enable
Flag as Context: Authentication Logged-in indicator
try to spider:
https://github.com/makaaso/stackoverflow/blob/main/zap-dvwa1.png
result below:
https://github.com/makaaso/stackoverflow/blob/main/zap-dvwa2.png
I expect below(this is manual scan result):
https://github.com/makaaso/stackoverflow/blob/main/zap-dvwa3.png
Is it possible to find request with parameter using spider?

I did below and the spider was able to find the csrf URLs with parameters, I am using ZAP 2.10.0 and DVWA master zip package.
start a new session
double click Contexts / Default Context
Include in Context: https://127.0.0.1/dvwa/.*
Authentication - Formed-based Auth Login Request
Login Form Targe URL: https://127.0.0.1/dvwa/login.php
URL to get login form: https://127.0.0.1/dvwa/login.php
Login request post data: username={%username%}&password={%password%}&user_token={%user_token%}&Login=Login
Regx pattern for Logged In message: \QLocation: index.php\E
add user: admin / password
Excluded from Spider: \Qhttps://127.0.0.1/dvwa/logout.php\E
enable Forced user mode
Tools / Options / Anti-CSRF Tokens - add user_token
right click Contexts / Default Context > Spider
Starting point: https://127.0.0.1/dvwa/, select admin user
start scan
Spider Messages show
...
https://127.0.0.1/dvwa/vulnerabilities/csrf/
https://127.0.0.1/dvwa/vulnerabilities/csrf/?Change=Change&password_conf=ZAP&password_current=ZAP&password_new=ZAP&user_token=5bbc6fdff77b435b3f754518d236a368
https://127.0.0.1/dvwa/vulnerabilities/csrf/index.php
https://127.0.0.1/dvwa/vulnerabilities/csrf/index.php?Change=Change&password_conf=ZAP&password_current=ZAP&password_new=ZAP&user_token=3a8691e372ddd7b6f2c30f2a3feae1be
...

Related

Keycloak: Disable redirect to account page after password reset and show message

I am using Keycloak and I want to enable Forgot password flow. I have enabled Forgot password in login and configured SMTP to send email.
What I get out of the box from keycloak is the following
-> Click on Forgot password link -> Enter username or email -> User receives an Email with reset link -> Click on the link -> Reset password, then submit -> User is logged in then The user is redirected to account page.
What I want to acheive is the following
-> Click on Forgot password link -> Enter username or email -> User receives an Email with reset link -> Click on the link -> Reset password, then submit -> Display a message saying "Your password has been updated." and do not login the user. stay on that page.
The reason for this is, for my use-case, the user shouldn't access the account page on Keycloak.
In the authentication flow of reset credentials, I can only configure up to reset credentials.
Is there any way I can disable this action of logging in the user automatically after password reset, then redirecting to account page?
I have looked into several questions, but I cannot find an answer on how this can be achieved.
PS: I am using Keycloak docker image with a custom theme. If this can be configured using custom theme options, I have the chance to do it.
Thank you in advance.
Go to your keaycloak admin console, Authentication and desable "Update Profile"
Hopo it helps :)
We faced similar issue during keycloak usage and solved it via implementing custom Action Token and Action token handler (docs). Also check out original keycloak reset credentials action token sources:
ActionToken
ActionTokenHandler
Try to play around AbstractActionTokenHander.startFreshAuthenticationSession() there several attributes that define Keycloak behaviour during reset flow like:
authSession.setRedirectUri(token.getNote(OIDCLoginProtocol.REDIRECT_URI_PARAM));
authSession.setAuthNote(AuthenticationManager.END_AFTER_REQUIRED_ACTIONS, "true");
authSession.setAuthNote(AuthenticationManager.SET_REDIRECT_URI_AFTER_REQUIRED_ACTIONS, "true");
authSession.setAuthNote(AuthenticationManager.END_AFTER_REQUIRED_ACTIONS, "true");
If you're using your own client for the login page, the specified redirect, or the client default (Base URL) will direct where the user is sent after the password reset.
We did see that when using an admin-directed password reset, this behavior would occur (user sent to Keycloak account page). So, we simply adjusted the Base URL value for the account client so that it points to the home page of our primarily application.
Then, after the account client is used to reset the password, the default redirect is to our home page.

JIRA CLI Commandline Not Authenticating With Password Federation

I'm having a few problems getting this JIRA commandline to work:
C:\tools\atlassian-cli-7.8.0>jira.bat --debug --verbose --options
basicAuthentication --server "https://jira01.COMPANY.com" --user
FIRST.LAST#COMPANY.COM --password PASSWORD --action getServerInfo
It connects to the JIRA server, but gives this error:
org.swift.common.cli.CliClient$RemoteDisallowedException: User
'FIRST.LAST#COMPANY.COM' is not allowed to log in at this point in
time perhaps due to CAPTCHA requirements or too many failed login
requests.
This error always occurs despite the fact:
JIRA Web > Profile > Username is what I'm using to log in.
JIRA Web >
Profile > Groups is jira-software-users
The password provided to the
commandline is indeed the one that works when I login via the web.
I
have tried this both with and without --options basicAuthentication
This occurs regardless of how many times I successfully log out / log
in to the JIRA web UI.
Whenever I go to JIRA Web > Profile > Change
Password, it says: "Too many incorrect login attempts: Please log out
and log in again to access this function." (This also occurs
regardless of how many times I successfully log out / log in to the
JIRA web UI.)
A CAPTCHA is never shown on the JIRA Web UI's login.
NOTE: When we login to JIRA web ui, our company appears to defer to
federated authentication via "https://login.microsoftonline.com" into
which we provide the credentials we're providing the script, which
then takes us into JIRA.
Questions:
How to get the commandline tool / jira server to accept the same credentials the jira web ui does?
Is this a permissions issue or something involving the password federation?
Suggestions for how to get this to work?
How to get it to actually clear the "too many incorrect logins" issue?
Cheers & Thanks!
-Roberto
Full trace of command is:
URL requested:
https://jira01.COMPANY.com/rest/org.swift.jira.cli/latest/validatelicense
Request type: GET Content type: application/json options:
basicauthentication URL requested:
https://jira01.COMPANY.com/rest/auth/1/session Request type: POST
Content type: application/json Using basic authentication. Request
property X-Atlassian-Token, value: [no-check] Request property
Content-Language, value: [en-US] Request property Content-Type, value:
[application/json] json: {} Problem determination - response: 403:
null Problem determination - response url:
https://jira01.COMPANY.com/rest/auth/1/session Problem determination -
request url: https://jira01.COMPANY.com/rest/auth/1/session Problem
determination - response data:
Forbidden (403)
...
Remote error: User 'FIRST.LAST#COMPANY.COM' is not allowed to log in
at this point in time perhaps due to CAPTCHA requirements or too many
failed login requests. Go to the user interface and login to clear the
problem.
org.swift.common.cli.CliClient$RemoteDisallowedException: User
'FIRST.LAST#COMPANY.com' is not allowed to log in at this point in
time perhaps due to CAPTCHA requirements or too many failed login
requests. Go to the user interface and login to clear the problem. at
org.swift.jira.cli.helpers.AuthenticationHelper.login(AuthenticationHelper.java:196)
at
org.swift.jira.cli.helpers.AuthenticationHelper.login(AuthenticationHelper.java:157)
at
org.swift.common.cli.helpers.DefaultAuthenticationHelper.handleCookies(DefaultAuthenticationHelper.java:124)
at
org.swift.jira.cli.JiraClient.getAuthenticationHelper(JiraClient.java:185)
at
org.swift.jira.cli.JiraClient.getAuthenticationHelper(JiraClient.java:107)
at
org.swift.common.cli.helpers.DefaultRequestHelper.setConnectionProperties(DefaultRequestHelper.java:1043)
at
org.swift.common.cli.helpers.DefaultRequestHelper.setConnectionProperties(DefaultRequestHelper.java:1030)
at
org.swift.common.cli.helpers.DefaultRequestHelper.makeRequestWithUrlConnection(DefaultRequestHelper.java:724)
at
org.swift.common.cli.helpers.DefaultRequestHelper.makeUrlRequest(DefaultRequestHelper.java:690)
at
org.swift.common.cli.helpers.DefaultRequestHelper.makeRequest(DefaultRequestHelper.java:660)
at
org.swift.common.cli.helpers.DefaultRequestHelper.makeStandardRequest(DefaultRequestHelper.java:648)
at
org.swift.common.cli.helpers.AppfireRequestHelper.getServerInfo(AppfireRequestHelper.java:118)
at
org.swift.jira.cli.JiraClient.getRemoteServerInfo(JiraClient.java:2493)
at org.swift.jira.cli.JiraClient.getServerInfo(JiraClient.java:2455)
at org.swift.jira.cli.JiraClient.handleRequest(JiraClient.java:840) at
org.swift.common.cli.DefaultRemoteClient.process(DefaultRemoteClient.java:729)
at org.swift.common.cli.CliClient.doWork(CliClient.java:674) at
org.swift.common.cli.CliClient.doWork(CliClient.java:631) at
org.swift.jira.cli.JiraClient.main(JiraClient.java:166)
I managed to get this working by creating an API token and using that as the password. You can create an API token by visiting the https://id.atlassian.com/ site and selecting the API tokens on the left pane.
I hope this helps.

Jmeter testing for Login

I have to test a web-app for login using Jmeter.
How is that done?
Should I give the path of the login page in the HTTP Request sampler and add the username and password to the login config element?
It needs to be realistic hence your test should be designed as follows:
HTTP GET Request (simulate opening Login page with a browser)
Post Processor to fetch dynamic parameters values (if any)
HTTP POST Request (login event itself) where you pass your credentials and dynamic parameters
(optional) Response Assertion to verify that user is really logged i
I would also recommend adding HTTP Cookie Manager to represent browser cookies and deal with cookie-based authentication.
See How To Use JMeter For Login Authentication guide for step-by-step overview and demo

Authentication mechanishim in publish

Experts,
I have to implement authentication mechanism same as how author instance works. For example, if any user request for any page http:somehost:someport/content/geometrixx/en.html then system should open the page http:somehost:someport/content/geometrixx/en/toolbar/account/login.html and only after successful login sling should redirect to required page.
I looked into Login Selector Authentication Handler and Sling Authentication Service but it seems there is no configuration here. Could you please let me know your thoughts on how to proceed on this? How it will be possible without CUG and how similer mechanism works in Author instance?
Goto http:somehost:someport/useradmin search for anonymous user. click on the anonymous user -> click on permission tab -> remove the read permission on the path that shouldn't be accessible to anonymous users.
If you just want to redirect to the login page if the user is unauthenticated then you will have to do 2 things.
1. Go to /system/console and navigate to the Configuration. Select "Apache Sling Authentication Service". Disable Anonymous access.
2. Go to /libs/cq/security/config.publish/LoginSelectorHandler - Change the login page to the page you want.

j_security_check is not available if user is already logged in

Apache tomcat version: 6.0.20
If user is already logged, and he tries to login again from login page, the j_security_check is not available error is encountered. Is it normal behaviour or I have to do something?
Actually I have different user roles for accessing different pages, and when access to a page is denied to a particular user, I want to redirect him to login page, where he can login with corresponding credentials.
This behavior is normal: the servlet spec only lays-out the procedure for container-managed authentication (i.e. login) when the user requests a protected resource and the user has not already provided credentials. All other scenarios are left undefined, including yours.
If you want to capture "forbidden" conditions, you can use <error-page> mappings in your WEB-INF/web.xml to send the user anywhere you want, including a login page. Just remember that the container will only accept a login after the above conditions are true, so you may have to log the user out first (by terminating the user's session).
What I might recommend is a "forbidden" page that says "You don't have access to this resource. If you'd like to log-in as a different user to access it, please click [HERE]" where [HERE] is a link to a servlet that terminates the user's session and then redirects to the resource the user was trying to access. This will cause the container to request authentication (i.e. present the login form), verify the credentials, and send the user to the desired resource.
If you are using a container (and webapp) along with version 3.0 of the servlet specification, there is a new HttpServletRequest.login() method that can be used to programmatically log a user into your webapp. You might be able to use that instead of terminating the session and doing all those redirects... instead, you could collect the username and password yourself and then ask the container to do the login for you.