Authentication script based does not start. #2516

hamza86 · 2024-06-13T14:02:11Z

hamza86
Jun 13, 2024

Hi all,
I'm trying to pentest our rest API by using zap-advanced. Based on the example "authentication script based", my script for the authentication should inject the bearer token. The issue is that the script does not start, but i'm getting a warning:

2024-06-13 09:42 ZapClient INFO : Loading new Script 'scb-oidc-password-grand-type.js' at '/home/scripts/scb-oidc-password-grand-type.js' with type: 'authentication' and engine 'Oracle Nashorn'
2024-06-13 09:42 ZapClient INFO : Activating Script 'scb-oidc-password-grand-type.js' with 'enabled: true'
2024-06-13 09:42 ZapClient WARNING : Failed to call ZAP Method ['script.enable'], result is: 'illegal_parameter'

my configuration looks like:
2-zap-advanced-scan.yaml: |- global: addonUpdate: true # -- Installs additional ZAP AddOns on startup, listed by their name: addonInstall: - pscanrulesBeta - ascanrulesBeta - pscanrulesAlpha - ascanrulesAlpha includePaths: - "https://xxxxxxxx.*" contexts: - name: pentest authentication: type: "script-based" script-based: name: scb-oidc-password-grand-type.js engine: "Oracle Nashorn" filePath: "/home/scripts/scb-oidc-password-grand-type.js" description: "This is a description for the SCB OIDC Script." arguments: url: "https://test/token" clientId: "xxxxxxxx" clientSecret: "yyyyyyy" users: - name: technical-user username: ******** password: ******** forced: true

my script:
`var HttpRequestHeader = Java.type("org.parosproxy.paros.network.HttpRequestHeader"),
HttpHeader = Java.type("org.parosproxy.paros.network.HttpHeader"),
URI = Java.type("org.apache.commons.httpclient.URI");

function authenticate(helper, paramsValues, credentials) {
print("Authentication via scb-oidc-password-grand-type.js...");

// Prepare the login request details
var url = paramsValues.get("url");
var clientId = paramsValues.get("clientId");
var clientSecret = paramsValues.get("clientSecret");
print("Logging in to url: " + url + " clientId: " + clientId);
print("logging in to client secret: " + clientSecret);

var username = credentials.getParam("username");
var password = credentials.getParam("password");

var requestUri = new URI(url, false);
var requestMethod = HttpRequestHeader.POST;

// Build the request body using the credentials values
// This auth is based on the grand type "password" to retrieve fresh tokens
// https://developer.okta.com/blog/2018/06/29/what-is-the-oauth2-password-grant

var params = [];
params.push(new HtmlParameter(HtmlParameter.Type.form, 'grant_type', 'password'));
params.push(new HtmlParameter(HtmlParameter.Type.form, 'username', username));
params.push(new HtmlParameter(HtmlParameter.Type.form, 'password', password));

params.push(new HtmlParameter(HtmlParameter.Type.form, 'client_secret', clientSecret));
params.push(new HtmlParameter(HtmlParameter.Type.form, 'client_id', clientId));


var requestBody = params.map(function(param) {
    return encodeURIComponent(param.getName()) + '=' + encodeURIComponent(param.getValue());
}).join('&');

// Build the actual message to be sent
print("Sending " + requestMethod + " request to " + requestUri + " with body: " + requestBody);
var msg = helper.prepareMessage();
msg.setRequestBody(requestBody);

var requestHeader = new HttpRequestHeader(requestMethod, requestUri, HttpHeader.HTTP10);
msg.setRequestHeader(requestHeader);
print("Msg prepared")

// Send the authentication message and return it
try {
    helper.sendAndReceive(msg);
    print("Received response status code for authentication request: " + msg.getResponseHeader().getStatusCode());
    return msg;
} catch (err) {
    print("**********************   Got error");
    print(err);
}

return null

}

function getRequiredParamsNames() {
return ["url", "clientId","clientSecret"];
}

function getOptionalParamsNames() {
return [];
}

function getCredentialsParamsNames() {
return ["username", "password"];
}
`

J12934 · 2024-06-13T20:08:53Z

J12934
Jun 13, 2024
Maintainer

Hi 👋

Can recommend first trying and debugging ZAP Scripts first in the ZAP Ui.

Debugging them in any automation setting like the secureCodeBox is a lot harder.

If the script in the ZAP zu it should also work in the SCB.

Also fyi the zap advanced scantype will be deprecated soon and be replaced with the official zap automation framework. See PR #3287

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Authentication script based does not start. #2516

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Replies: 1 comment

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Authentication script based does not start. #2516

Uh oh!

Uh oh!

hamza86 Jun 13, 2024

Replies: 1 comment

Uh oh!

J12934 Jun 13, 2024 Maintainer

hamza86
Jun 13, 2024

J12934
Jun 13, 2024
Maintainer