无法绕过ZAP中的SSL认证验证

如何解决无法绕过ZAP中的SSL认证验证

我正在使用Jenkins在Owasp ZAP中执行基于表单的身份验证。我有一个网http://localhost/webui/login 启动上面的Web链接后，将有一个SSL证书身份验证，我必须单击“继续”，然后登录到Web。

现在我已经在Jenkins中进行配置，Jenkins尝试启动ZAP守护程序模式并尝试启动蜘蛛扫描，但是一旦蜘蛛扫描开始，该作业便会失败，并提到身份验证失败。

[ZAP Jenkins Plugin] SPIDER SCAN THE SITE [ https://localhost/webui ] AS USER [ User ]

9103 [ZAP-SpiderInitThread-0] INFO org.zaproxy.zap.extension.spider.SpiderThread  - Starting spidering scan on Context: SecurityTest at Mon Sep 28 13:02:55 EDT 2020
9108 [ZAP-SpiderInitThread-0] INFO org.zaproxy.zap.spider.Spider  - Spider initializing...

[ZAP Jenkins Plugin] SPIDER SCAN STATUS [ 0% ]
[ZAP Jenkins Plugin] ALERTS COUNT [ 0 ]

9143 [ZAP-SpiderInitThread-0] INFO org.zaproxy.zap.spider.Spider  - Starting spider...
9143 [ZAP-SpiderInitThread-0] INFO org.zaproxy.zap.spider.Spider  - Scan will be performed from the point of view of User: User
9168 [ZAP-SpiderThreadPool-0-thread-1] INFO org.zaproxy.zap.users.User  - Authenticating user: User
9323 [ZAP-SpiderThreadPool-0-thread-1] ERROR org.zaproxy.zap.authentication.PostBasedAuthenticationMethodType  - Unable to prepare authentication message: Index: 0,Size: 0
java.lang.indexoutofboundsexception: Index: 0,Size: 0
    at java.util.ArrayList.rangeCheck(UnkNown Source)
    at java.util.ArrayList.get(UnkNown Source)
    at org.zaproxy.zap.authentication.PostBasedAuthenticationMethodType$PostBasedAuthenticationMethod.extractParametersFromPostData(PostBasedAuthenticationMethodType.java:458)
    at org.zaproxy.zap.authentication.PostBasedAuthenticationMethodType$PostBasedAuthenticationMethod.replaceAntiCsrftokenValueIfrequired(PostBasedAuthenticationMethodType.java:420)
    at org.zaproxy.zap.authentication.PostBasedAuthenticationMethodType$PostBasedAuthenticationMethod.authenticate(PostBasedAuthenticationMethodType.java:339)
    at org.zaproxy.zap.users.User.authenticate(User.java:265)
    at org.zaproxy.zap.users.User.processMessagetoMatchUser(User.java:175)
    at org.parosproxy.paros.network.HttpSender.sendAuthenticated(HttpSender.java:581)
    at org.parosproxy.paros.network.HttpSender.sendAuthenticated(HttpSender.java:573)
    at org.parosproxy.paros.network.HttpSender.sendAndReceive(HttpSender.java:478)
    at org.parosproxy.paros.network.HttpSender.sendAndReceive(HttpSender.java:448)
    at org.zaproxy.zap.spider.SpiderTask.fetchResource(SpiderTask.java:445)
    at org.zaproxy.zap.spider.SpiderTask.runImpl(SpiderTask.java:218)
    at org.zaproxy.zap.spider.SpiderTask.run(SpiderTask.java:190)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(UnkNown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(UnkNown Source)
    at java.lang.Thread.run(UnkNown Source)
9328 [ZAP-SpiderThreadPool-0-thread-1] INFO org.zaproxy.zap.users.User  - Authentication Failed for user: User
9386 [ZAP-SpiderThreadPool-0-thread-2] INFO org.zaproxy.zap.users.User  - Authenticating user: User
9447 [ZAP-SpiderThreadPool-0-thread-2] ERROR org.zaproxy.zap.authentication.PostBasedAuthenticationMethodType  - Unable to prepare authentication message: Index: 0,Size: 0
    at java.util.ArrayList.rangeCheck(UnkNown Source)
    at java.util.ArrayList.get(UnkNown Source)
    at org.zaproxy.zap.authentication.PostBasedAuthenticationMethodType$PostBasedAuthenticationMethod.extractParametersFromPostData(PostBasedAuthenticationMethodType.java:458)
    at org.zaproxy.zap.authentication.PostBasedAuthenticationMethodType$PostBasedAuthenticationMethod.replaceAntiCsrftokenValueIfrequired(PostBasedAuthenticationMethodType.java:420)
    at org.zaproxy.zap.authentication.PostBasedAuthenticationMethodType$PostBasedAuthenticationMethod.authenticate(PostBasedAuthenticationMethodType.java:339)
    at org.zaproxy.zap.users.User.authenticate(User.java:265)
    at org.zaproxy.zap.users.User.processMessagetoMatchUser(User.java:175)
    at org.parosproxy.paros.network.HttpSender.sendAuthenticated(HttpSender.java:581)
    at org.parosproxy.paros.network.HttpSender.sendAuthenticated(HttpSender.java:573)
    at org.parosproxy.paros.network.HttpSender.sendAndReceive(HttpSender.java:478)
    at org.parosproxy.paros.network.HttpSender.sendAndReceive(HttpSender.java:448)
    at org.zaproxy.zap.spider.SpiderTask.fetchResource(SpiderTask.java:445)
    at org.zaproxy.zap.spider.SpiderTask.runImpl(SpiderTask.java:218)
    at org.zaproxy.zap.spider.SpiderTask.run(SpiderTask.java:190)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(UnkNown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(UnkNown Source)
    at java.lang.Thread.run(UnkNown Source)
9448 [ZAP-SpiderThreadPool-0-thread-2] INFO org.zaproxy.zap.users.User  - Authentication Failed for user: User
9463 [ZAP-SpiderThreadPool-0-thread-2] INFO org.zaproxy.zap.spider.Spider  - Spidering process is complete. Shutting down...
9466 [ZAP-SpiderShutdownThread-0] INFO org.zaproxy.zap.extension.spider.SpiderThread  - Spider scanning complete: true
[ZAP Jenkins Plugin] AJAX SPIDER ENABLED [ FALSE ]

我有一种直觉，即由于SSL证书验证，身份验证失败。是否可以通过命令开关在ZAP中绕过它？或通过詹金斯（Jenkins）？

或者我也看到用户名和密码也生成了csrf令牌，这可能是一个问题吗？ 如果是这样，如何在Jenkins ZAP作业中绕过CSRF令牌？

版权声明：本文内容由互联网用户自发贡献，该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务，不拥有所有权，不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容， 请发送邮件至 dio@foxmail.com 举报，一经查实，本站将立刻删除。