Automation framework - silent errors in form based authentication
Describe the bug
I can't seem to get the authentication on the automation framework to work. I've used the automation framework GUI, and tried manually editing the yaml. Perhaps I am not understanding or configuring the session management appropriately, but there also seems to be a bug because ZAP:ZAP is always used as the username/password in the spider job. My application does set a session cookie if credentials are right and that cookie never expires. There is a logout button but I've excluded that from context. Thanks for your help, I like the tool.
Steps to reproduce the behavior
- Start ZAP desktop
- Include your site in the context (tried making my own, and used default context)
- Login to your website via form based auth
- Right click on that request. Flag as form based auth login for default context
- ZAP should now know how to login. This is successful. For example, in spider I see admin is green
- Open automation framework GUI
- Do baseline automation scan on your context
- Launch plan. Plan succeeds.
- (error) - View webserver logs. ZAP ZAP was used as user/pass. Not my username/password I entered
- (error) - Looking back at context, my context has new incremented for some reason
- (error) - I downloaded the plan. I got it to leave auth info in there. When I look on webserver logs, in the spider job, my authentication is never used. Plan is below
---
env:
  contexts:
  - name: "Default Context"
    urls:
    - "http://host.docker.internal:3000"
    includePaths:
    - "http://host.docker.internal:3000.*"
    excludePaths:
    - "http://host.docker.internal:3000/stylesheets.*"
    - "http://host.docker.internal:3000/images.*"
    - "http://host.docker.internal:3000/javascripts.*"
    authentication:
      method: "form"
      parameters:
        loginPageUrl: "http://host.docker.internal:3000/login"
        loginRequestUrl: "http://host.docker.internal:3000/login"
        loginRequestBody: "username={%username%}&password=password"
      verification:
        method: "response"
        pollFrequency: 60
        pollUnits: "requests"
        pollUrl: ""
        pollPostData: ""
    sessionManagement:
      method: "cookie"
      parameters: {}
    users:
    - name: "admin"
      credentials:
        password: "password"
        username: "admin"
  parameters:
    failOnError: true
    failOnWarning: false
    progressToStdout: true
  vars: {}
jobs:
- parameters: {}
  tests:
  - onFail: "INFO"
    statistic: "automation.spider.urls.added"
    site: ""
    operator: ">="
    value: 100
    type: "stats"
    name: "At least 100 URLs found"
  name: "spider"
  type: "spider"
- parameters: {}
  name: "passiveScan-wait"
  type: "passiveScan-wait"
- parameters:
    template: "risk-confidence-html"
    reportDir: "/Users/sowens"
    reportTitle: "ZAP Scanning Report"
    reportDescription: ""
  name: "report"
  type: "report"
Expected behavior
I expected the username and password I supplied in authentication to work.
Software versions
zap 2.11.1 automation framework 0.18.0
Screenshots
No response
Errors from the zap.log file
This is a dummy app I made, so the username/password is not sensitive. I also added a job at one point to add a header, but I don't think that is important.
2022-10-24 16:17:36,009 [AWT-EventQueue-0] INFO ENGINE - dataFileCache open start
2022-10-24 16:17:36,010 [AWT-EventQueue-0] INFO ENGINE - dataFileCache commit start
2022-10-24 16:17:36,010 [AWT-EventQueue-0] INFO ENGINE - dataFileCache commit end
2022-10-24 16:17:36,011 [AWT-EventQueue-0] INFO ENGINE - dataFileCache open end
2022-10-24 16:17:41,951 [ZAP-ProxyThread-4] WARN ProxyThread - An exception occurred while attempting to connect to: https://localhost:3000/login/logout
The exception was:
Unsupported or unrecognized SSL message
Root cause:
SSLException: Unsupported or unrecognized SSL message
The following document may be of assistance in resolving this failure:
https://www.zaproxy.org/faq/how-to-connect-to-an-https-site-that-reports-a-handshake-failure/
2022-10-24 16:17:48,273 [ZAP-ProxyThread-7] WARN ProxyThread - An exception occurred while attempting to connect to: https://localhost:3000/dashboard
The exception was:
Unsupported or unrecognized SSL message
Root cause:
SSLException: Unsupported or unrecognized SSL message
The following document may be of assistance in resolving this failure:
https://www.zaproxy.org/faq/how-to-connect-to-an-https-site-that-reports-a-handshake-failure/
2022-10-24 16:17:49,848 [ZAP-ProxyThread-7] WARN ProxyThread - An exception occurred while attempting to connect to: https://localhost:3000/
The exception was:
Unsupported or unrecognized SSL message
Root cause:
SSLException: Unsupported or unrecognized SSL message
The following document may be of assistance in resolving this failure:
https://www.zaproxy.org/faq/how-to-connect-to-an-https-site-that-reports-a-handshake-failure/
2022-10-24 16:17:51,683 [ZAP-ProxyThread-7] WARN ProxyThread - An exception occurred while attempting to connect to: https://localhost:3000/
The exception was:
Unsupported or unrecognized SSL message
Root cause:
SSLException: Unsupported or unrecognized SSL message
The following document may be of assistance in resolving this failure:
https://www.zaproxy.org/faq/how-to-connect-to-an-https-site-that-reports-a-handshake-failure/
2022-10-24 16:18:31,403 [ZAP-PassiveScanner] ERROR InsecureAuthenticationScanRule - Invalid Base64 value for Basic Authentication: asdfasdfasdfasdfasdfasdfasdf=
2022-10-24 16:18:31,412 [ZAP-PassiveScanner] INFO InsecureAuthenticationScanRule - Authentication Credentials were captured. [POST] [http://localhost:3000/login] uses insecure authentication mechanism [Basic], revealing username [null] and password/additional information [null]
2022-10-24 16:18:31,536 [ZAP-PassiveScanner] ERROR InsecureAuthenticationScanRule - Invalid Base64 value for Basic Authentication: asdfasdfasdfasdfasdfasdfasdf=
2022-10-24 16:18:31,543 [ZAP-PassiveScanner] INFO InsecureAuthenticationScanRule - Authentication Credentials were captured. [GET] [http://localhost:3000/dashboard] uses insecure authentication mechanism [Basic], revealing username [null] and password/additional information [null]
2022-10-24 16:18:31,563 [ZAP-PassiveScanner] ERROR InsecureAuthenticationScanRule - Invalid Base64 value for Basic Authentication: asdfasdfasdfasdfasdfasdfasdf=
2022-10-24 16:18:31,570 [ZAP-PassiveScanner] INFO InsecureAuthenticationScanRule - Authentication Credentials were captured. [GET] [http://localhost:3000/stylesheets/style.css] uses insecure authentication mechanism [Basic], revealing username [null] and password/additional information [null]
2022-10-24 16:18:38,692 [AWT-EventQueue-0] INFO PostBasedAuthenticationMethodType - Selected new login request via PopupMenu. Creating new Form-based Authentication instance for Context 1
2022-10-24 16:20:15,054 [ZAP-Automation] INFO CommandLine - Job spider started
2022-10-24 16:20:15,055 [ZAP-Automation] INFO CommandLine - Job spider requesting URL http://localhost:3000
2022-10-24 16:20:15,126 [ZAP-SpiderInitThread-0] INFO SpiderThread - Starting spidering scan on Context: Default Context at 2022-10-24T16:20:15.126-0500
2022-10-24 16:20:15,128 [ZAP-SpiderInitThread-0] INFO Spider - Spider initializing...
2022-10-24 16:20:15,140 [ZAP-SpiderInitThread-0] INFO Spider - Starting spider...
2022-10-24 16:20:15,703 [ZAP-SpiderThreadPool-0-thread-1] WARN URLCanonicalizer - Host could not be reliably evaluated from: http://тест (on base http://localhost:3000/api/swagger/swagger-ui-bundle.js)
2022-10-24 16:20:15,995 [ZAP-SpiderThreadPool-0-thread-2] INFO Spider - Spidering process is complete. Shutting down...
2022-10-24 16:20:15,996 [ZAP-SpiderShutdownThread-0] INFO SpiderThread - Spider scanning complete: true on Context: Default Context at 2022-10-24T16:20:15.996-0500
2022-10-24 16:20:16,134 [ZAP-Automation] INFO CommandLine - Job spider found 51 URLs
2022-10-24 16:20:16,135 [ZAP-Automation] INFO CommandLine - Job spider test of type stats failed: At least 100 URLs found [51 < 100]
2022-10-24 16:20:16,136 [ZAP-Automation] INFO CommandLine - Job spider finished
2022-10-24 16:20:16,136 [ZAP-Automation] INFO CommandLine - Job passiveScan-wait started
2022-10-24 16:20:16,660 [ZAP-PassiveScanner] ERROR InsecureAuthenticationScanRule - Invalid Base64 value for Basic Authentication: asdfasdfasdfasdfasdfasdfasdf=
2022-10-24 16:20:16,664 [ZAP-PassiveScanner] INFO InsecureAuthenticationScanRule - Authentication Credentials were captured. [GET] [http://localhost:3000] uses insecure authentication mechanism [Basic], revealing username [null] and password/additional information [null]
2022-10-24 16:20:16,695 [ZAP-PassiveScanner] ERROR InsecureAuthenticationScanRule - Invalid Base64 value for Basic Authentication: asdfasdfasdfasdfasdfasdfasdf=
2022-10-24 16:20:16,698 [ZAP-PassiveScanner] INFO InsecureAuthenticationScanRule - Authentication Credentials were captured. [GET] [http://localhost:3000] uses insecure authentication mechanism [Basic], revealing username [null] and password/additional information [null]
2022-10-24 16:38:16,959 [ZAP-Automation] INFO CommandLine - Job passiveScan-wait finished
2022-10-24 16:38:16,959 [ZAP-Automation] INFO CommandLine - Job report started
2022-10-24 16:38:17,107 [ZAP-Automation] INFO CommandLine - Job report generated report /Users/sowens/2022-10-24-ZAP-Report-localhost.html
2022-10-24 16:38:17,107 [ZAP-Automation] INFO CommandLine - Job report finished
Additional context
No response
Would you like to help fix this issue?
- Yes
Issue analytics: created a year ago; 8 comments (4 by maintainers)
Top GitHub Comments
I wasn’t explicitly telling the automation framework to use my context. Using the default context also seemed to have some quirks. If you make a context, and you tell each job to use that context, everything will end up working as expected. Google discussion noted here: https://groups.google.com/g/zaproxy-users/c/LbY_6ReZocI
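As an added example (not from the issue author or the ZAP project), a plan rewritten to follow the advice in the comment above: a named context, and the spider job told explicitly which context and user to run as, with the `{%password%}` placeholder in place of the hard-coded password so the credentials actually come from the user entry. The context name `myapp`, the logout exclude path and the `loggedInRegex` value are assumptions to adapt to the application.

```yaml
env:
  contexts:
  - name: "myapp"                    # assumed name; use it in every job below
    urls:
    - "http://host.docker.internal:3000"
    includePaths:
    - "http://host.docker.internal:3000.*"
    excludePaths:
    - "http://host.docker.internal:3000/login/logout.*"   # assumed logout path; keeps the spider from ending the session
    authentication:
      method: "form"
      parameters:
        loginPageUrl: "http://host.docker.internal:3000/login"
        loginRequestUrl: "http://host.docker.internal:3000/login"
        # both values are substituted from the user entry; the original plan hard-coded the password
        loginRequestBody: "username={%username%}&password={%password%}"
      verification:
        method: "response"
        loggedInRegex: "\\QLogout\\E"  # assumed marker of a logged-in page; without one ZAP cannot tell a failed login
        pollFrequency: 60
        pollUnits: "requests"
    sessionManagement:
      method: "cookie"
    users:
    - name: "admin"
      credentials:
        username: "admin"
        password: "password"
  parameters:
    failOnError: true
    failOnWarning: true              # a job that could not authenticate should stop the plan, not pass silently
    progressToStdout: true
jobs:
- type: "spider"
  name: "spider"
  parameters:
    context: "myapp"                 # bind the job to the context explicitly
    user: "admin"                    # and to the user whose credentials must be sent
- type: "passiveScan-wait"
  name: "passiveScan-wait"
  parameters: {}
- type: "report"
  name: "report"
  parameters:
    template: "risk-confidence-html"
    reportDir: "/Users/sowens"
    reportTitle: "ZAP Scanning Report"
```

Check the web server's access log after the spider job: requests should carry the session cookie issued to `admin`, and the login POST should no longer contain ZAP:ZAP.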
OK, thanks, I just opened a new conversation there.