
How to authenticate with a CSRF token in a ZAP Jenkins job


I am new to OWASP ZAP and I have a web application with login-based authentication. When I debug it in OWASP ZAP, the login needs a username, a password and a dynamically generated CSRF token. So, to get the ZAP Jenkins job to succeed, how do I pass the CSRF token in the ZAP Jenkins job?

I believe that because of this I am getting the error below -

[ZAP Jenkins Plugin] SPIDER SCAN STATUS [ 0% ]
[ZAP Jenkins Plugin] ALERTS COUNT [ 0 ]

9117 [ZAP-SpiderInitThread-0] INFO org.zaproxy.zap.spider.Spider  - Starting spider...
9117 [ZAP-SpiderInitThread-0] INFO org.zaproxy.zap.spider.Spider  - Scan will be performed from the point of view of User: fred
9134 [ZAP-SpiderThreadPool-0-thread-1] INFO org.zaproxy.zap.users.User  - Authenticating user: USER
9266 [ZAP-SpiderThreadPool-0-thread-1] ERROR org.zaproxy.zap.authentication.PostBasedAuthenticationMethodType  - Unable to prepare authentication message: Index: 0, Size: 0
java.lang.IndexOutOfBoundsException: Index: 0, Size: 0
    at java.util.ArrayList.rangeCheck(Unknown Source)
    at java.util.ArrayList.get(Unknown Source)
    at org.zaproxy.zap.authentication.PostBasedAuthenticationMethodType$PostBasedAuthenticationMethod.extractParametersFromPostData(PostBasedAuthenticationMethodType.java:458)
    at org.zaproxy.zap.authentication.PostBasedAuthenticationMethodType$PostBasedAuthenticationMethod.replaceAntiCsrfTokenValueIfRequired(PostBasedAuthenticationMethodType.java:420)
    at org.zaproxy.zap.authentication.PostBasedAuthenticationMethodType$PostBasedAuthenticationMethod.authenticate(PostBasedAuthenticationMethodType.java:339)
    at org.zaproxy.zap.users.User.authenticate(User.java:265)
    at org.zaproxy.zap.users.User.processMessageToMatchUser(User.java:175)
    at org.parosproxy.paros.network.HttpSender.sendAuthenticated(HttpSender.java:581)
    at org.parosproxy.paros.network.HttpSender.sendAuthenticated(HttpSender.java:573)
    at org.parosproxy.paros.network.HttpSender.sendAndReceive(HttpSender.java:478)
    at org.parosproxy.paros.network.HttpSender.sendAndReceive(HttpSender.java:448)
    at org.zaproxy.zap.spider.SpiderTask.fetchResource(SpiderTask.java:445)
    at org.zaproxy.zap.spider.SpiderTask.runImpl(SpiderTask.java:218)
    at org.zaproxy.zap.spider.SpiderTask.run(SpiderTask.java:190)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)
9270 [ZAP-SpiderThreadPool-0-thread-1] INFO org.zaproxy.zap.users.User  - Authentication failed for user: USER
9326 [ZAP-SpiderThreadPool-0-thread-2] INFO org.zaproxy.zap.users.User  - Authenticating user: USER
9389 [ZAP-SpiderThreadPool-0-thread-2] ERROR org.zaproxy.zap.authentication.PostBasedAuthenticationMethodType  - Unable to prepare authentication message: Index: 0, Size: 0
java.lang.IndexOutOfBoundsException: Index: 0, Size: 0
    at java.util.ArrayList.rangeCheck(Unknown Source)
    at java.util.ArrayList.get(Unknown Source)
    at org.zaproxy.zap.authentication.PostBasedAuthenticationMethodType$PostBasedAuthenticationMethod.extractParametersFromPostData(PostBasedAuthenticationMethodType.java:458)
    at org.zaproxy.zap.authentication.PostBasedAuthenticationMethodType$PostBasedAuthenticationMethod.replaceAntiCsrfTokenValueIfRequired(PostBasedAuthenticationMethodType.java:420)
    at org.zaproxy.zap.authentication.PostBasedAuthenticationMethodType$PostBasedAuthenticationMethod.authenticate(PostBasedAuthenticationMethodType.java:339)
    at org.zaproxy.zap.users.User.authenticate(User.java:265)
    at org.zaproxy.zap.users.User.processMessageToMatchUser(User.java:175)
    at org.parosproxy.paros.network.HttpSender.sendAuthenticated(HttpSender.java:581)
    at org.parosproxy.paros.network.HttpSender.sendAuthenticated(HttpSender.java:573)
    at org.parosproxy.paros.network.HttpSender.sendAndReceive(HttpSender.java:478)
    at org.parosproxy.paros.network.HttpSender.sendAndReceive(HttpSender.java:448)
    at org.zaproxy.zap.spider.SpiderTask.fetchResource(SpiderTask.java:445)
    at org.zaproxy.zap.spider.SpiderTask.runImpl(SpiderTask.java:218)
    at org.zaproxy.zap.spider.SpiderTask.run(SpiderTask.java:190)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)
9391 [ZAP-SpiderThreadPool-0-thread-2] INFO org.zaproxy.zap.users.User  - Authentication failed for user: USER
9438 [ZAP-SpiderThreadPool-0-thread-2] INFO org.zaproxy.zap.spider.Spider  - Spidering process is complete. Shutting down...
9441 [ZAP-SpiderShutdownThread-0] INFO org.zaproxy.zap.extension.spider.SpiderThread  - Spider scanning complete: true
You can (temporarily) disable CSRF protection with the Groovy script below. Go to Manage Jenkins >> Script Console, then execute the following Groovy script:

import jenkins.model.Jenkins

def instance = Jenkins.instance
instance.setCrumbIssuer(null)

Why do you want to bypass it? If that were possible, the whole concept of using CSRF tokens would be useless. Have you tried reproducing this through ZAP desktop? Debugging a problem is much easier when you can see what is happening.

I can't reproduce this on ZAP desktop. I only see this when running in Jenkins.

How have you configured ZAP desktop? You need to configure the ZAP running in Jenkins in the same way. Are you using the same version of ZAP in both cases?

I have configured the ZAP daemon on a Jenkins slave and run the job on that slave. I solved this by adding script-based authentication instead of form-based authentication. However, the spider scan shows 0% progress; the authentication problem is fixed.
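The last comment says the fix was to switch the context from form-based to script-based authentication, which lets the login step fetch the per-request anti-CSRF token before posting the credentials. The following is an added example of what such a ZAP authentication script looks like in JavaScript; it is not code from the question, the answer, or the ZAP project. The ZAP entry points (authenticate, getRequiredParamsNames, getOptionalParamsNames, getCredentialsParamsNames) and the helper calls (helper.prepareMessage, helper.sendAndReceive, the Java.type classes) follow ZAP's own authentication script template; the sample login page, the field names (username, password, csrf_token) and the parameter names ("Login URL", "CSRF field", "Username field", "Password field") are constructed for this example. The token extraction and body building are kept as plain functions so they can be checked outside ZAP.

```javascript
// Added example (not from the page or the ZAP project): a ZAP "authentication"
// script that GETs the login page, reads the per-request CSRF token from a hidden
// input, and POSTs it together with the user's credentials.

// Constructed login page, as an app with a per-request anti-CSRF token might serve it.
var SAMPLE_LOGIN_PAGE =
  '<form method="post" action="/login">' +
  '  <input type="text" name="username">' +
  '  <input type="password" name="password">' +
  '  <input value="tok-1234" type="hidden" name="csrf_token">' +
  '  <button type="submit">Login</button>' +
  '</form>';

// Value of the <input> whose name attribute equals fieldName, or null if there is
// no such input. Attribute order inside the tag does not matter.
function extractHiddenInput(html, fieldName) {
  var tagRe = /<input\b[^>]*>/gi;
  var m;
  while ((m = tagRe.exec(html)) !== null) {
    var tag = m[0];
    var nameMatch = /\bname\s*=\s*["']([^"']*)["']/i.exec(tag);
    if (!nameMatch || nameMatch[1] !== fieldName) continue;
    var valueMatch = /\bvalue\s*=\s*["']([^"']*)["']/i.exec(tag);
    return valueMatch ? valueMatch[1] : "";
  }
  return null;
}

// application/x-www-form-urlencoded body; keys keep their insertion order.
function buildFormBody(fields) {
  return Object.keys(fields).map(function (k) {
    return encodeURIComponent(k) + "=" + encodeURIComponent(fields[k]);
  }).join("&");
}

// POST body for the login, or null when the page carries no token (the situation a
// static form-based login cannot handle, since the token changes per request).
function prepareLoginBody(loginPageHtml, tokenField, fieldValues) {
  var token = extractHiddenInput(loginPageHtml, tokenField);
  if (token === null) return null;
  var fields = {};
  Object.keys(fieldValues).forEach(function (k) { fields[k] = fieldValues[k]; });
  fields[tokenField] = token;
  return buildFormBody(fields);
}

// ---- ZAP entry points: only callable inside ZAP's script engine ----
function authenticate(helper, paramsValues, credentials) {
  var HttpRequestHeader = Java.type("org.parosproxy.paros.network.HttpRequestHeader");
  var HttpHeader = Java.type("org.parosproxy.paros.network.HttpHeader");
  var URI = Java.type("org.apache.commons.httpclient.URI");
  var loginUri = new URI(paramsValues.get("Login URL"), false);

  // 1. GET the login form so the server issues a fresh token.
  var getMsg = helper.prepareMessage();
  getMsg.setRequestHeader(new HttpRequestHeader(HttpRequestHeader.GET, loginUri, HttpHeader.HTTP11));
  helper.sendAndReceive(getMsg);

  // 2. Build the POST body from that token plus the credentials ZAP holds for the user.
  var fieldValues = {};
  fieldValues[paramsValues.get("Username field")] = credentials.getParam("Username");
  fieldValues[paramsValues.get("Password field")] = credentials.getParam("Password");
  var body = prepareLoginBody(getMsg.getResponseBody().toString(),
                              paramsValues.get("CSRF field"), fieldValues);
  if (body === null) {
    throw new Error("login page has no hidden input named " + paramsValues.get("CSRF field"));
  }

  // 3. POST it. Assumption: the context's session-management method carries the cookie
  //    set by the GET onto this request; if the token is bound to that cookie and it
  //    does not, copy the Set-Cookie values from getMsg onto the POST explicitly.
  var postMsg = helper.prepareMessage();
  postMsg.setRequestHeader(new HttpRequestHeader(HttpRequestHeader.POST, loginUri, HttpHeader.HTTP11));
  postMsg.getRequestHeader().setHeader(HttpHeader.CONTENT_TYPE, "application/x-www-form-urlencoded");
  postMsg.setRequestBody(body);
  postMsg.getRequestHeader().setContentLength(postMsg.getRequestBody().length());
  helper.sendAndReceive(postMsg);
  return postMsg;  // ZAP evaluates the logged-in / logged-out indicators on this response
}

function getRequiredParamsNames() { return ["Login URL", "CSRF field", "Username field", "Password field"]; }
function getOptionalParamsNames() { return []; }
function getCredentialsParamsNames() { return ["Username", "Password"]; }
```

Load the file as a script of type "authentication" in ZAP's Scripts tab, select it under Context > Authentication > Script-based authentication, fill in the four parameters, and add the user with its credentials. Because the Jenkins job drives a headless ZAP daemon, the script file, the context and the user must all be present on that daemon (for example via a saved session the job loads), which is the same point the comment above makes about configuring both ZAP instances identically. Keep the logged-in and logged-out indicators set on the context; they are what tells ZAP whether the POST actually succeeded.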