问题描述
我正在使用Jenkins在Owasp ZAP中执行基于表单的身份验证。我有一个网http://localhost/webui/login
启动上面的Web链接后,将有一个SSL证书身份验证,我必须单击“继续”,然后登录到Web。
现在我已经在Jenkins中进行配置,Jenkins尝试启动ZAP守护程序模式并尝试启动蜘蛛扫描,但是一旦蜘蛛扫描开始,该作业便会失败,并提到身份验证失败。
[ZAP Jenkins Plugin] SPIDER SCAN THE SITE [ https://localhost/webui ] AS USER [ User ]
9103 [ZAP-SpiderInitThread-0] INFO org.zaproxy.zap.extension.spider.SpiderThread - Starting spidering scan on Context: SecurityTest at Mon Sep 28 13:02:55 EDT 2020
9108 [ZAP-SpiderInitThread-0] INFO org.zaproxy.zap.spider.Spider - Spider initializing...
[ZAP Jenkins Plugin] SPIDER SCAN STATUS [ 0% ]
[ZAP Jenkins Plugin] ALERTS COUNT [ 0 ]
9143 [ZAP-SpiderInitThread-0] INFO org.zaproxy.zap.spider.Spider - Starting spider...
9143 [ZAP-SpiderInitThread-0] INFO org.zaproxy.zap.spider.Spider - Scan will be performed from the point of view of User: User
9168 [ZAP-SpiderThreadPool-0-thread-1] INFO org.zaproxy.zap.users.User - Authenticating user: User
9323 [ZAP-SpiderThreadPool-0-thread-1] ERROR org.zaproxy.zap.authentication.PostBasedAuthenticationMethodType - Unable to prepare authentication message: Index: 0,Size: 0
java.lang.indexoutofboundsexception: Index: 0,Size: 0
at java.util.ArrayList.rangeCheck(UnkNown Source)
at java.util.ArrayList.get(UnkNown Source)
at org.zaproxy.zap.authentication.PostBasedAuthenticationMethodType$PostBasedAuthenticationMethod.extractParametersFromPostData(PostBasedAuthenticationMethodType.java:458)
at org.zaproxy.zap.authentication.PostBasedAuthenticationMethodType$PostBasedAuthenticationMethod.replaceAntiCsrftokenValueIfrequired(PostBasedAuthenticationMethodType.java:420)
at org.zaproxy.zap.authentication.PostBasedAuthenticationMethodType$PostBasedAuthenticationMethod.authenticate(PostBasedAuthenticationMethodType.java:339)
at org.zaproxy.zap.users.User.authenticate(User.java:265)
at org.zaproxy.zap.users.User.processMessagetoMatchUser(User.java:175)
at org.parosproxy.paros.network.HttpSender.sendAuthenticated(HttpSender.java:581)
at org.parosproxy.paros.network.HttpSender.sendAuthenticated(HttpSender.java:573)
at org.parosproxy.paros.network.HttpSender.sendAndReceive(HttpSender.java:478)
at org.parosproxy.paros.network.HttpSender.sendAndReceive(HttpSender.java:448)
at org.zaproxy.zap.spider.SpiderTask.fetchResource(SpiderTask.java:445)
at org.zaproxy.zap.spider.SpiderTask.runImpl(SpiderTask.java:218)
at org.zaproxy.zap.spider.SpiderTask.run(SpiderTask.java:190)
at java.util.concurrent.ThreadPoolExecutor.runWorker(UnkNown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(UnkNown Source)
at java.lang.Thread.run(UnkNown Source)
9328 [ZAP-SpiderThreadPool-0-thread-1] INFO org.zaproxy.zap.users.User - Authentication Failed for user: User
9386 [ZAP-SpiderThreadPool-0-thread-2] INFO org.zaproxy.zap.users.User - Authenticating user: User
9447 [ZAP-SpiderThreadPool-0-thread-2] ERROR org.zaproxy.zap.authentication.PostBasedAuthenticationMethodType - Unable to prepare authentication message: Index: 0,Size: 0
at java.util.ArrayList.rangeCheck(UnkNown Source)
at java.util.ArrayList.get(UnkNown Source)
at org.zaproxy.zap.authentication.PostBasedAuthenticationMethodType$PostBasedAuthenticationMethod.extractParametersFromPostData(PostBasedAuthenticationMethodType.java:458)
at org.zaproxy.zap.authentication.PostBasedAuthenticationMethodType$PostBasedAuthenticationMethod.replaceAntiCsrftokenValueIfrequired(PostBasedAuthenticationMethodType.java:420)
at org.zaproxy.zap.authentication.PostBasedAuthenticationMethodType$PostBasedAuthenticationMethod.authenticate(PostBasedAuthenticationMethodType.java:339)
at org.zaproxy.zap.users.User.authenticate(User.java:265)
at org.zaproxy.zap.users.User.processMessagetoMatchUser(User.java:175)
at org.parosproxy.paros.network.HttpSender.sendAuthenticated(HttpSender.java:581)
at org.parosproxy.paros.network.HttpSender.sendAuthenticated(HttpSender.java:573)
at org.parosproxy.paros.network.HttpSender.sendAndReceive(HttpSender.java:478)
at org.parosproxy.paros.network.HttpSender.sendAndReceive(HttpSender.java:448)
at org.zaproxy.zap.spider.SpiderTask.fetchResource(SpiderTask.java:445)
at org.zaproxy.zap.spider.SpiderTask.runImpl(SpiderTask.java:218)
at org.zaproxy.zap.spider.SpiderTask.run(SpiderTask.java:190)
at java.util.concurrent.ThreadPoolExecutor.runWorker(UnkNown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(UnkNown Source)
at java.lang.Thread.run(UnkNown Source)
9448 [ZAP-SpiderThreadPool-0-thread-2] INFO org.zaproxy.zap.users.User - Authentication Failed for user: User
9463 [ZAP-SpiderThreadPool-0-thread-2] INFO org.zaproxy.zap.spider.Spider - Spidering process is complete. Shutting down...
9466 [ZAP-SpiderShutdownThread-0] INFO org.zaproxy.zap.extension.spider.SpiderThread - Spider scanning complete: true
[ZAP Jenkins Plugin] AJAX SPIDER ENABLED [ FALSE ]
我有一种直觉,即由于SSL证书验证,身份验证失败。是否可以通过命令开关在ZAP中绕过它?或通过詹金斯(Jenkins)?
或者我也看到用户名和密码也生成了csrf令牌,这可能是一个问题吗? 如果是这样,如何在Jenkins ZAP作业中绕过CSRF令牌?
解决方法
暂无找到可以解决该程序问题的有效方法,小编努力寻找整理中!
如果你已经找到好的解决方法,欢迎将解决方案带上本链接一起发送给小编。
小编邮箱:dio#foxmail.com (将#修改为@)