Php Python OWASP ZAP API没有';似乎无法成功验证http basic

Php Python OWASP ZAP API没有';似乎无法成功验证http basic,php,python,basic-authentication,owasp,zap,Php,Python,Basic Authentication,Owasp,Zap,我在使用API对我创建的网站进行身份验证扫描时遇到问题。此(测试)网站使用HTTP基本身份验证。启动扫描时,它似乎找不到登录后的网页 下面您可以找到我为使用zapapi而创建的Python类(可能并不完美) 从时间导入睡眠 从pprint导入pprint 导入json 从pathlib导入路径 从zapv2导入zapv2 从loginauthmethod导入loginauthmethod 将open(路径('../Scripts/config.json'),'r')作为f: config=jso

我在使用API对我创建的网站进行身份验证扫描时遇到问题。此(测试)网站使用HTTP基本身份验证。启动扫描时,它似乎找不到登录后的网页

下面您可以找到我为使用zapapi而创建的Python类(可能并不完美)

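from time import sleep
from pprint import pprint
import json
from pathlib import Path
from zapv2 import ZAPv2
from loginauthmethod import loginauthmethod

# The ZAP API key is read from a JSON file at import time, relative to the
# current working directory (running the script from another directory fails
# with FileNotFoundError). `config` is consumed by the owaspzap class body.
# The encoding is pinned so the parse does not depend on the platform default.
with open(Path('../Scripts/config.json'), 'r', encoding='utf-8') as f:
    config = json.load(f)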
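class owaspzap():
    """Thin wrapper around the ZAP Python API for an authenticated scan.

    Intended call order: construct (new session, one context, first request
    to the target), then ``authenticateFORM`` or ``authenticateBASIC`` to
    attach a user to the context, then ``spider`` / ``passive_scan`` /
    ``active_scan``.

    NOTE(review): the page shows this class machine-translated; the method
    and attribute names are restored here from the ZAP API calls they make.
    The name ``spider`` for the spider wrapper is a reconstruction (the
    original name is not recoverable from the page).
    """

    key = config['ZAProxy']['key']
    # Class-level client kept for backward compatibility; __init__ replaces
    # it with a per-instance client.
    zap = ZAPv2(apikey=key)
    contextname = None
    contextid = None
    userid = None
    authisset = False
    target = None
    loginurl = None
    username = None
    password = None
    authmethod = loginauthmethod.NONE
    authmethodname = None
    authmethodconfigparams = None
    contextregex = None
    loggedinindicator = None
    loggedoutindicator = None
    credentials = None
    scanid = None
    realm = None

    def __init__(self, contextname, target, contextregex):
        """Start a fresh ZAP session with one context and open *target*.

        Args:
            contextname: name of the ZAP context to create.
            target: URL opened through ZAP to seed the site tree.
            contextregex: regex (ZAP syntax) selecting the URLs that belong
                to the context.
        """
        self.contextname = contextname
        self.zap = ZAPv2(apikey=self.key)
        self.zap.core.new_session(apikey=self.key)
        self.contextid = self.zap.context.new_context(contextname=self.contextname, apikey=self.key)
        self.target = target
        self.contextregex = contextregex
        # Clear any leftover alerts so the report only holds this run's findings.
        if self.zap.core.alerts():
            self.zap.core.delete_all_alerts(apikey=self.key)
        self.zap.context.include_in_context(self.contextname, self.contextregex, apikey=self.key)
        self.zap.urlopen(self.target)

    def _register_user(self, loggedinindicator, loggedoutindicator):
        """Apply the stored auth method to the context and attach a user.

        Shared tail of ``authenticateFORM`` / ``authenticateBASIC``: sets the
        authentication method and the logged-in/out indicator regexes on the
        context, creates a user carrying the stored credentials, enables it
        and turns on forced-user mode so every request goes out as that user.
        """
        from urllib.parse import urlencode

        self.loggedinindicator = loggedinindicator
        self.loggedoutindicator = loggedoutindicator
        self.authmethodname = self.authmethod.value
        self.zap.authentication.set_authentication_method(
            self.contextid,
            self.authmethodname,
            authmethodconfigparams=self.authmethodconfigparams,
            apikey=self.key,
        )
        self.zap.authentication.set_logged_in_indicator(self.contextid, self.loggedinindicator, apikey=self.key)
        self.zap.authentication.set_logged_out_indicator(self.contextid, self.loggedoutindicator, apikey=self.key)
        self.userid = self.zap.users.new_user(self.contextid, self.username, apikey=self.key)
        # urlencode so a '&', '=' or '%' inside the password cannot corrupt
        # the key=value string that ZAP parses on its side.
        self.credentials = urlencode({'username': self.username, 'password': self.password})
        self.zap.users.set_authentication_credentials(self.contextid, self.userid, self.credentials, apikey=self.key)
        self.zap.users.set_user_enabled(self.contextid, self.userid, 'true', apikey=self.key)
        self.zap.forcedUser.set_forced_user_mode_enabled(True, apikey=self.key)
        self.authisset = True

    def authenticateFORM(self, loginurl, username, password, loggedinindicator, loggedoutindicator, authmethod):
        """Configure form-based authentication for the context.

        Args:
            loginurl: URL the login form posts to.
            username: credential ZAP submits in the login request.
            password: credential ZAP submits in the login request.
            loggedinindicator: regex matched against responses to detect a
                live session.
            loggedoutindicator: regex matched against responses to detect a
                lost session.
            authmethod: a ``loginauthmethod`` member; its ``.value`` is the
                ZAP authentication method name.

        Raises:
            ValueError: if *authmethod* is ``loginauthmethod.NONE``. The
                page's version only printed a message and continued, which
                left the later scans running unauthenticated.
        """
        from urllib.parse import urlencode

        if authmethod == loginauthmethod.NONE:
            raise ValueError('authenticateFORM: authmethod must not be loginauthmethod.NONE')
        self.loginurl = loginurl
        self.username = username
        self.password = password
        self.authmethod = authmethod
        # loginRequestData must contain the literal ZAP placeholders
        # {%username%} / {%password%}; ZAP substitutes the user's credentials
        # at login time. The page's version formatted the credential values
        # into the placeholder positions instead, so the placeholders were
        # never present. urlencode produces the nested encoding ZAP expects.
        self.authmethodconfigparams = urlencode({
            'loginUrl': self.loginurl,
            'loginRequestData': 'username={%username%}&password={%password%}',
        })
        self._register_user(loggedinindicator, loggedoutindicator)

    def authenticateBASIC(self, loginurl, username, password, loggedinindicator, loggedoutindicator, authmethod, realm):
        """Configure HTTP (Basic) authentication for the context.

        ZAP's ``httpAuthentication`` method takes ``hostname``, ``realm`` and
        ``port`` and only attaches credentials to requests whose host, port
        and realm match. The page's version passed the full login URL as
        ``hostname`` and hard-coded ``port=80``, so no request could match —
        consistent with the spider's 401 on /login.php in the question's
        output. Host and port are now derived from *loginurl*; a bare
        hostname (no scheme) is still accepted as before.

        Args:
            loginurl: login URL (or bare hostname) of the protected site.
            username: credential ZAP sends in the Authorization header.
            password: credential ZAP sends in the Authorization header.
            loggedinindicator: regex matched against responses to detect a
                live session.
            loggedoutindicator: regex matched against responses to detect a
                lost session.
            authmethod: a ``loginauthmethod`` member; its ``.value`` is the
                ZAP authentication method name.
            realm: the realm from the server's WWW-Authenticate challenge.

        Raises:
            ValueError: if *authmethod* is ``loginauthmethod.NONE`` (the
                page's version printed a message and continued unauthenticated).
        """
        from urllib.parse import urlencode, urlsplit

        if authmethod == loginauthmethod.NONE:
            raise ValueError('authenticateBASIC: authmethod must not be loginauthmethod.NONE')
        self.loginurl = loginurl
        self.username = username
        self.password = password
        self.authmethod = authmethod
        self.realm = realm
        parts = urlsplit(self.loginurl)
        # Explicit port wins; otherwise the scheme default.
        port = parts.port or (443 if parts.scheme == 'https' else 80)
        self.authmethodconfigparams = urlencode({
            # hostname is None when loginurl is a bare host; keep the old
            # behaviour of passing the string through in that case.
            'hostname': parts.hostname or self.loginurl,
            'realm': self.realm,
            'port': port,
        })
        self._register_user(loggedinindicator, loggedoutindicator)

    def spider(self, target):
        """Spider *target* and block until ZAP reports the spider at 100%.

        Uses ``scan_as_user`` when a user has been attached, so the spider
        authenticates; otherwise a plain context-scoped spider scan.
        There is no timeout: a spider that never reaches 100% blocks forever.
        """
        if self.authisset:
            self.scanid = self.zap.spider.scan_as_user(self.contextid, self.userid, url=target)
        else:
            self.scanid = self.zap.spider.scan(url=target, contextname=self.contextname)
        sleep(2)
        while int(self.zap.spider.status(self.scanid)) < 100:
            sleep(2)

    def passive_scan(self):
        """Block until the passive scanner has no records left to process."""
        while int(self.zap.pscan.records_to_scan) > 0:
            sleep(2)

    def active_scan(self, target):
        """Start an active scan of *target* and remember its scan id.

        NOTE(review): the page cuts this method off right after
        ``self.zap.ascan.scan`` — the call's arguments are not visible, so
        the call below is a minimal reconstruction scoped to this context;
        confirm against the original source.
        """
        self.scanid = self.zap.ascan.scan(url=target, contextid=self.contextid)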
target = http://xxx.xxx.xxx.xxx/
loginurl = http://xxx.xxx.xxx.xxx/login.php
username = 1234
password = qwer
contextregex = \Qhttp://xxx.xxx.xxx.xxx/\E.*
authmethod = loginauthmethod.HTTP_AUTHENTICATION
loggedinindicator = .*This page is hidden.*
loggedoutindicator = .*Login failed.*
realm = test
67588 [ZAP-ProxyThread-1] INFO org.parosproxy.paros.control.Control  - Discard Session
67617 [ZAP-ProxyThread-1] INFO org.parosproxy.paros.control.Control  - New Session
67617 [ZAP-ProxyThread-1] INFO org.parosproxy.paros.control.Control  - New Session
67617 [ZAP-ProxyThread-1] INFO org.parosproxy.paros.control.Control  - Create and Open Untitled Db
67677 [ZAP-ProxyThread-1] INFO hsqldb.db..ENGINE  - dataFileCache commit start
67695 [ZAP-ProxyThread-1] INFO hsqldb.db..ENGINE  - dataFileCache commit end
67752 [ZAP-ProxyThread-1] INFO hsqldb.db..ENGINE  - Database closed
67899 [ZAP-ProxyThread-1] INFO hsqldb.db..ENGINE  - open start - state not modified
68116 [ZAP-ProxyThread-1] INFO hsqldb.db..ENGINE  - dataFileCache open start
68140 [ZAP-ProxyThread-1] INFO hsqldb.db..ENGINE  - dataFileCache open end
68936 [ZAP-SpiderInitThread-0] INFO org.zaproxy.zap.extension.spider.SpiderThread  - Starting spidering scan on Context: 2019-06-12 12:06:50.023958 at Wed Jun 12 12:06:51 CEST 2019
68944 [ZAP-SpiderInitThread-0] INFO org.zaproxy.zap.spider.Spider  - Spider initializing...
68981 [ZAP-SpiderInitThread-0] INFO org.zaproxy.zap.spider.Spider  - Starting spider...
68982 [ZAP-SpiderInitThread-0] INFO org.zaproxy.zap.spider.Spider  - Scan will be performed from the point of view of User: 1234
68994 [ZAP-SpiderThreadPool-0-thread-1] INFO org.zaproxy.zap.users.User  - Authenticating user: 1234
69085 [ZAP-SpiderThreadPool-0-thread-2] INFO org.zaproxy.zap.users.User  - Authenticating user: 1234
69122 [ZAP-SpiderThreadPool-0-thread-2] INFO org.zaproxy.zap.spider.Spider  - Spidering process is complete. Shutting down...
69123 [ZAP-SpiderShutdownThread-0] INFO org.zaproxy.zap.extension.spider.SpiderThread  - Spider scanning complete: true
75090 [ZAP-ProxyThread-18] INFO org.parosproxy.paros.core.scanner.Scanner  - scanner started
75110 [Thread-10] INFO org.parosproxy.paros.core.scanner.HostProcess  - Scanning 2 node(s) from http://192.168.2.131
75111 [Thread-10] INFO org.parosproxy.paros.core.scanner.HostProcess  - start host http://192.168.2.131 | TestPathTraversal strength MEDIUM threshold MEDIUM
75406 [Thread-10] INFO org.parosproxy.paros.core.scanner.HostProcess  - completed host/plugin http://192.168.2.131 | TestPathTraversal in 0.296s with 33 message(s) sent and 0 alert(s) raised.
75407 [Thread-10] INFO org.parosproxy.paros.core.scanner.HostProcess  - start host http://192.168.2.131 | TestRemoteFileInclude strength MEDIUM threshold MEDIUM
75529 [Thread-10] INFO org.parosproxy.paros.core.scanner.HostProcess  - completed host/plugin http://192.168.2.131 | TestRemoteFileInclude in 0.122s with 20 message(s) sent and 0 alert(s) raised.
75530 [Thread-10] INFO org.parosproxy.paros.core.scanner.HostProcess  - start host http://192.168.2.131 | TestServerSideInclude strength MEDIUM threshold MEDIUM
75578 [Thread-10] INFO org.parosproxy.paros.core.scanner.HostProcess  - completed host/plugin http://192.168.2.131 | TestServerSideInclude in 0.048s with 8 message(s) sent and 0 alert(s) raised.
75578 [Thread-10] INFO org.parosproxy.paros.core.scanner.HostProcess  - start host http://192.168.2.131 | TestCrossSiteScriptV2 strength MEDIUM threshold MEDIUM
75626 [Thread-10] INFO org.parosproxy.paros.core.scanner.HostProcess  - completed host/plugin http://192.168.2.131 | TestCrossSiteScriptV2 in 0.048s with 6 message(s) sent and 0 alert(s) raised.
75626 [Thread-10] INFO org.parosproxy.paros.core.scanner.HostProcess  - start host http://192.168.2.131 | TestPersistentXSSPrime strength MEDIUM threshold MEDIUM
75656 [Thread-10] INFO org.parosproxy.paros.core.scanner.HostProcess  - completed host/plugin http://192.168.2.131 | TestPersistentXSSPrime in 0.03s with 2 message(s) sent and 0 alert(s) raised.
75656 [Thread-10] INFO org.parosproxy.paros.core.scanner.HostProcess  - start host http://192.168.2.131 | TestPersistentXSSSpider strength MEDIUM threshold MEDIUM
75666 [Thread-10] INFO org.parosproxy.paros.core.scanner.HostProcess  - completed host/plugin http://192.168.2.131 | TestPersistentXSSSpider in 0.01s with 2 message(s) sent and 0 alert(s) raised.
75667 [Thread-10] INFO org.parosproxy.paros.core.scanner.HostProcess  - start host http://192.168.2.131 | TestPersistentXSSAttack strength MEDIUM threshold MEDIUM
75672 [Thread-10] INFO org.parosproxy.paros.core.scanner.HostProcess  - completed host/plugin http://192.168.2.131 | TestPersistentXSSAttack in 0.005s with 0 message(s) sent and 0 alert(s) raised.
75672 [Thread-10] INFO org.parosproxy.paros.core.scanner.HostProcess  - start host http://192.168.2.131 | TestSQLInjection strength MEDIUM threshold MEDIUM
76043 [Thread-10] INFO org.parosproxy.paros.core.scanner.HostProcess  - completed host/plugin http://192.168.2.131 | TestSQLInjection in 0.371s with 52 message(s) sent and 0 alert(s) raised.
76043 [Thread-10] INFO org.parosproxy.paros.core.scanner.HostProcess  - start host http://192.168.2.131 | CodeInjectionPlugin strength MEDIUM threshold MEDIUM
76182 [Thread-10] INFO org.parosproxy.paros.core.scanner.HostProcess  - completed host/plugin http://192.168.2.131 | CodeInjectionPlugin in 0.139s with 16 message(s) sent and 0 alert(s) raised.
76182 [Thread-10] INFO org.parosproxy.paros.core.scanner.HostProcess  - start host http://192.168.2.131 | CommandInjectionPlugin strength MEDIUM threshold MEDIUM
76499 [Thread-10] INFO org.parosproxy.paros.core.scanner.HostProcess  - completed host/plugin http://192.168.2.131 | CommandInjectionPlugin in 0.317s with 64 message(s) sent and 0 alert(s) raised.
76499 [Thread-10] INFO org.parosproxy.paros.core.scanner.HostProcess  - start host http://192.168.2.131 | TestDirectoryBrowsing strength MEDIUM threshold MEDIUM
76513 [Thread-10] INFO org.parosproxy.paros.core.scanner.HostProcess  - completed host/plugin http://192.168.2.131 | TestDirectoryBrowsing in 0.014s with 2 message(s) sent and 0 alert(s) raised.
76514 [Thread-10] INFO org.parosproxy.paros.core.scanner.HostProcess  - start host http://192.168.2.131 | TestExternalRedirect strength MEDIUM threshold MEDIUM
76618 [Thread-10] INFO org.parosproxy.paros.core.scanner.HostProcess  - completed host/plugin http://192.168.2.131 | TestExternalRedirect in 0.104s with 18 message(s) sent and 0 alert(s) raised.
76618 [Thread-10] INFO org.parosproxy.paros.core.scanner.HostProcess  - start host http://192.168.2.131 | BufferOverflow strength MEDIUM threshold MEDIUM
76643 [Thread-10] INFO org.parosproxy.paros.core.scanner.HostProcess  - completed host/plugin http://192.168.2.131 | BufferOverflow in 0.024s with 2 message(s) sent and 0 alert(s) raised.
76643 [Thread-10] INFO org.parosproxy.paros.core.scanner.HostProcess  - start host http://192.168.2.131 | FormatString strength MEDIUM threshold MEDIUM
76681 [Thread-10] INFO org.parosproxy.paros.core.scanner.HostProcess  - completed host/plugin http://192.168.2.131 | FormatString in 0.037s with 6 message(s) sent and 0 alert(s) raised.
76681 [Thread-10] INFO org.parosproxy.paros.core.scanner.HostProcess  - start host http://192.168.2.131 | TestInjectionCRLF strength MEDIUM threshold MEDIUM
76761 [Thread-10] INFO org.parosproxy.paros.core.scanner.HostProcess  - completed host/plugin http://192.168.2.131 | TestInjectionCRLF in 0.08s with 14 message(s) sent and 0 alert(s) raised.
76762 [Thread-10] INFO org.parosproxy.paros.core.scanner.HostProcess  - start host http://192.168.2.131 | TestParameterTamper strength MEDIUM threshold MEDIUM
76826 [Thread-10] INFO org.parosproxy.paros.core.scanner.HostProcess  - completed host/plugin http://192.168.2.131 | TestParameterTamper in 0.065s with 8 message(s) sent and 0 alert(s) raised.
76827 [Thread-10] INFO org.parosproxy.paros.core.scanner.HostProcess  - start host http://192.168.2.131 | ScriptsActiveScanner strength MEDIUM threshold MEDIUM
76828 [Thread-10] INFO org.parosproxy.paros.core.scanner.HostProcess  - skipped plugin [no scripts enabled] http://192.168.2.131 | ScriptsActiveScanner in 0.001s with 0 message(s) sent and 0 alert(s) raised.
76829 [Thread-10] INFO org.parosproxy.paros.core.scanner.HostProcess  - completed host http://192.168.2.131 in 1.724s
76829 [Thread-9] INFO org.parosproxy.paros.core.scanner.Scanner  - scanner completed in 1.739s
{
    "spider": [{
        "urlsInScope": [{
            "processed": "true",
             "statusReason": "OK",
             "method": "GET",
             "reasonNotProcessed": "",
             "messageId": "4",
             "url": "http://192.168.2.131/",
             "statusCode": "200"
        },
         {
            "processed": "true",
             "statusReason": "Unauthorized",
             "method": "GET",
             "reasonNotProcessed": "",
             "messageId": "6",
             "url": "http://192.168.2.131/login.php",
             "statusCode": "401"
        }]
    },
     {
        "urlsOutOfScope": []
    },
     {
        "urlsIoError": []
    }],
     "alerts": [{
        "sourceid": "3",
         "other": "The X-XSS-Protection HTTP response header allows the web server to enable or disable the web browser's XSS protection mechanism. The following values would attempt to enable it: \nX-XSS-Protection: 1; mode=block\nX-XSS-Protection: 1; report=http://www.example.com/xss\nThe following values would disable it:\nX-XSS-Protection: 0\nThe X-XSS-Protection HTTP response header is currently supported on Internet Explorer,
         Chrome and Safari (WebKit).\nNote that this alert is only raised if the response body could potentially contain an XSS payload (with a text-based content type,
         with a non-zero length).",
         "method": "GET",
         "evidence": "",
         "pluginId": "10016",
         "cweid": "933",
         "confidence": "Medium",
         "wascid": "14",
         "description": "Web Browser XSS Protection is not enabled,
         or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server",
         "messageId": "1",
         "url": "http://192.168.2.131/",
         "reference": "https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet\nhttps://blog.veracode.com/2014/03/guidelines-for-setting-security-headers/",
         "solution": "Ensure that the web browser's XSS filter is enabled,
         by setting the X-XSS-Protection HTTP response header to '1'.",
         "alert": "Web Browser XSS Protection Not Enabled",
         "param": "X-XSS-Protection",
         "attack": "",
         "name": "Web Browser XSS Protection Not Enabled",
         "risk": "Low",
         "id": "0"
    },
     {
        "sourceid": "3",
         "other": "This issue still applies to error type pages (401,
         403,
         500,
         etc) as those pages are often still affected by injection issues,
         in which case there is still concern for browsers sniffing pages away from their actual content type.\nAt \"High\" threshold this scanner will not alert on client or server error responses.",
         "method": "GET",
         "evidence": "",
         "pluginId": "10021",
         "cweid": "16",
         "confidence": "Medium",
         "wascid": "15",
         "description": "The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body,
         potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set),
         rather than performing MIME-sniffing.",
         "messageId": "1",
         "url": "http://192.168.2.131/",
         "reference": "http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx\nhttps://www.owasp.org/index.php/List_of_useful_HTTP_headers",
         "solution": "Ensure that the application/web server sets the Content-Type header appropriately,
         and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.\nIf possible,
         ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all,
         or that can be directed by the web application/web server to not perform MIME-sniffing.",
         "alert": "X-Content-Type-Options Header Missing",
         "param": "X-Content-Type-Options",
         "attack": "",
         "name": "X-Content-Type-Options Header Missing",
         "risk": "Low",
         "id": "1"
    },
     {
        "sourceid": "3",
         "other": "",
         "method": "GET",
         "evidence": "",
         "pluginId": "10020",
         "cweid": "16",
         "confidence": "Medium",
         "wascid": "15",
         "description": "X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.",
         "messageId": "1",
         "url": "http://192.168.2.131/",
         "reference": "http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx",
         "solution": "Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN,
         otherwise if you never expect the page to be framed,
         you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers).",
         "alert": "X-Frame-Options Header Not Set",
         "param": "X-Frame-Options",
         "attack": "",
         "name": "X-Frame-Options Header Not Set",
         "risk": "Medium",
         "id": "2"
    },
     {
        "sourceid": "3",
         "other": "The X-XSS-Protection HTTP response header allows the web server to enable or disable the web browser's XSS protection mechanism. The following values would attempt to enable it: \nX-XSS-Protection: 1; mode=block\nX-XSS-Protection: 1; report=http://www.example.com/xss\nThe following values would disable it:\nX-XSS-Protection: 0\nThe X-XSS-Protection HTTP response header is currently supported on Internet Explorer,
         Chrome and Safari (WebKit).\nNote that this alert is only raised if the response body could potentially contain an XSS payload (with a text-based content type,
         with a non-zero length).",
         "method": "GET",
         "evidence": "",
         "pluginId": "10016",
         "cweid": "933",
         "confidence": "Medium",
         "wascid": "14",
         "description": "Web Browser XSS Protection is not enabled,
         or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server",
         "messageId": "6",
         "url": "http://192.168.2.131/login.php",
         "reference": "https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet\nhttps://blog.veracode.com/2014/03/guidelines-for-setting-security-headers/",
         "solution": "Ensure that the web browser's XSS filter is enabled,
         by setting the X-XSS-Protection HTTP response header to '1'.",
         "alert": "Web Browser XSS Protection Not Enabled",
         "param": "X-XSS-Protection",
         "attack": "",
         "name": "Web Browser XSS Protection Not Enabled",
         "risk": "Low",
         "id": "6"
    }]
}