如何解决无法绕过ZAP中的SSL认证验证
我正在使用Jenkins在Owasp ZAP中执行基于表单的身份验证。我有一个网http://localhost/webui/login
启动上面的Web链接后,将有一个SSL证书身份验证,我必须单击“继续”,然后登录到Web。
现在我已经在Jenkins中进行配置,Jenkins尝试启动ZAP守护程序模式并尝试启动蜘蛛扫描,但是一旦蜘蛛扫描开始,该作业便会失败,并提到身份验证失败。
[ZAP Jenkins Plugin] SPIDER SCAN THE SITE [ https://localhost/webui ] AS USER [ User ]
9103 [ZAP-SpiderInitThread-0] INFO org.zaproxy.zap.extension.spider.SpiderThread - Starting spidering scan on Context: SecurityTest at Mon Sep 28 13:02:55 EDT 2020
9108 [ZAP-SpiderInitThread-0] INFO org.zaproxy.zap.spider.Spider - Spider initializing...
[ZAP Jenkins Plugin] SPIDER SCAN STATUS [ 0% ]
[ZAP Jenkins Plugin] ALERTS COUNT [ 0 ]
9143 [ZAP-SpiderInitThread-0] INFO org.zaproxy.zap.spider.Spider - Starting spider...
9143 [ZAP-SpiderInitThread-0] INFO org.zaproxy.zap.spider.Spider - Scan will be performed from the point of view of User: User
9168 [ZAP-SpiderThreadPool-0-thread-1] INFO org.zaproxy.zap.users.User - Authenticating user: User
9323 [ZAP-SpiderThreadPool-0-thread-1] ERROR org.zaproxy.zap.authentication.PostBasedAuthenticationMethodType - Unable to prepare authentication message: Index: 0,Size: 0
java.lang.indexoutofboundsexception: Index: 0,Size: 0
at java.util.ArrayList.rangeCheck(UnkNown Source)
at java.util.ArrayList.get(UnkNown Source)
at org.zaproxy.zap.authentication.PostBasedAuthenticationMethodType$PostBasedAuthenticationMethod.extractParametersFromPostData(PostBasedAuthenticationMethodType.java:458)
at org.zaproxy.zap.authentication.PostBasedAuthenticationMethodType$PostBasedAuthenticationMethod.replaceAntiCsrftokenValueIfrequired(PostBasedAuthenticationMethodType.java:420)
at org.zaproxy.zap.authentication.PostBasedAuthenticationMethodType$PostBasedAuthenticationMethod.authenticate(PostBasedAuthenticationMethodType.java:339)
at org.zaproxy.zap.users.User.authenticate(User.java:265)
at org.zaproxy.zap.users.User.processMessagetoMatchUser(User.java:175)
at org.parosproxy.paros.network.HttpSender.sendAuthenticated(HttpSender.java:581)
at org.parosproxy.paros.network.HttpSender.sendAuthenticated(HttpSender.java:573)
at org.parosproxy.paros.network.HttpSender.sendAndReceive(HttpSender.java:478)
at org.parosproxy.paros.network.HttpSender.sendAndReceive(HttpSender.java:448)
at org.zaproxy.zap.spider.SpiderTask.fetchResource(SpiderTask.java:445)
at org.zaproxy.zap.spider.SpiderTask.runImpl(SpiderTask.java:218)
at org.zaproxy.zap.spider.SpiderTask.run(SpiderTask.java:190)
at java.util.concurrent.ThreadPoolExecutor.runWorker(UnkNown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(UnkNown Source)
at java.lang.Thread.run(UnkNown Source)
9328 [ZAP-SpiderThreadPool-0-thread-1] INFO org.zaproxy.zap.users.User - Authentication Failed for user: User
9386 [ZAP-SpiderThreadPool-0-thread-2] INFO org.zaproxy.zap.users.User - Authenticating user: User
9447 [ZAP-SpiderThreadPool-0-thread-2] ERROR org.zaproxy.zap.authentication.PostBasedAuthenticationMethodType - Unable to prepare authentication message: Index: 0,Size: 0
at java.util.ArrayList.rangeCheck(UnkNown Source)
at java.util.ArrayList.get(UnkNown Source)
at org.zaproxy.zap.authentication.PostBasedAuthenticationMethodType$PostBasedAuthenticationMethod.extractParametersFromPostData(PostBasedAuthenticationMethodType.java:458)
at org.zaproxy.zap.authentication.PostBasedAuthenticationMethodType$PostBasedAuthenticationMethod.replaceAntiCsrftokenValueIfrequired(PostBasedAuthenticationMethodType.java:420)
at org.zaproxy.zap.authentication.PostBasedAuthenticationMethodType$PostBasedAuthenticationMethod.authenticate(PostBasedAuthenticationMethodType.java:339)
at org.zaproxy.zap.users.User.authenticate(User.java:265)
at org.zaproxy.zap.users.User.processMessagetoMatchUser(User.java:175)
at org.parosproxy.paros.network.HttpSender.sendAuthenticated(HttpSender.java:581)
at org.parosproxy.paros.network.HttpSender.sendAuthenticated(HttpSender.java:573)
at org.parosproxy.paros.network.HttpSender.sendAndReceive(HttpSender.java:478)
at org.parosproxy.paros.network.HttpSender.sendAndReceive(HttpSender.java:448)
at org.zaproxy.zap.spider.SpiderTask.fetchResource(SpiderTask.java:445)
at org.zaproxy.zap.spider.SpiderTask.runImpl(SpiderTask.java:218)
at org.zaproxy.zap.spider.SpiderTask.run(SpiderTask.java:190)
at java.util.concurrent.ThreadPoolExecutor.runWorker(UnkNown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(UnkNown Source)
at java.lang.Thread.run(UnkNown Source)
9448 [ZAP-SpiderThreadPool-0-thread-2] INFO org.zaproxy.zap.users.User - Authentication Failed for user: User
9463 [ZAP-SpiderThreadPool-0-thread-2] INFO org.zaproxy.zap.spider.Spider - Spidering process is complete. Shutting down...
9466 [ZAP-SpiderShutdownThread-0] INFO org.zaproxy.zap.extension.spider.SpiderThread - Spider scanning complete: true
[ZAP Jenkins Plugin] AJAX SPIDER ENABLED [ FALSE ]
我有一种直觉,即由于SSL证书验证,身份验证失败。是否可以通过命令开关在ZAP中绕过它?或通过詹金斯(Jenkins)?
或者我也看到用户名和密码也生成了csrf令牌,这可能是一个问题吗? 如果是这样,如何在Jenkins ZAP作业中绕过CSRF令牌?
版权声明:本文内容由互联网用户自发贡献,该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 dio@foxmail.com 举报,一经查实,本站将立刻删除。