我在使用 API 对我创建的网站进行经过身份验证的扫描时遇到问题。此(测试(网站使用 HTTP 基本身份验证。启动扫描时,似乎找不到登录背后的网页。
您可以在下面找到我为使用 ZAP API 而创建的 Python 类(可能并不完美(。
from time import sleep
from pprint import pprint
import json
from pathlib import Path
from zapv2 import ZAPv2
from loginauthmethod import loginauthmethod
with open(Path('../Scripts/config.json'), 'r') as f:
config = json.load(f)
class owaspzap():
key = config['ZAProxy']['key']
zap = ZAPv2(apikey=key)
contextname = None
contextid = None
userid = None
authisset = False
target = None
loginurl = None
username = None
password = None
authmethod = loginauthmethod.NONE
authmethodname = None
authmethodconfigparams = None
contextregex = None
loggedinindicator = None
loggedoutindicator = None
credentials = None
scanid = None
realm = None
def initialize(self, contextname, target, contextregex):
self.contextname = contextname
self.zap = ZAPv2(apikey=self.key)
self.zap.core.new_session(apikey=self.key)
self.contextid = self.zap.context.new_context(contextname=self.contextname, apikey=self.key)
self.target = target
self.contextregex = contextregex
if(self.zap.core.alerts()):
self.zap.core.delete_all_alerts(apikey=self.key)
self.zap.context.include_in_context(self.contextname, self.contextregex, apikey=self.key)
self.zap.urlopen(self.target)
def authenticateFORM(self, loginurl, username, password, loggedinindicator, loggedoutindicator, authmethod):
if(authmethod != loginauthmethod.NONE):
self.loginurl = loginurl
self.username = username
self.password = password
self.authmethod = authmethod
self.loggedinindicator = loggedinindicator
self.loggedoutindicator = loggedoutindicator
self.authmethodconfigparams = "loginUrl={0}&loginRequestData=username%3D%7B%25{1}%25%7D%26password%3D%7B%25{2}%25%7D".format(loginurl, username, password)
self.authmethodname = self.authmethod.value
self.zap.authentication.set_authentication_method(self.contextid, self.authmethodname, authmethodconfigparams=self.authmethodconfigparams, apikey=self.key)
self.zap.authentication.set_logged_in_indicator(self.contextid, self.loggedinindicator, apikey=self.key)
self.zap.authentication.set_logged_out_indicator(self.contextid, self.loggedoutindicator, apikey=self.key)
self.userid = self.zap.users.new_user(self.contextid, self.username, apikey=self.key)
self.credentials = "username={0}&password={1}".format(self.username, self.password)
self.zap.users.set_authentication_credentials(self.contextid, self.userid, self.credentials, apikey=self.key)
self.zap.users.set_user_enabled(self.contextid, self.userid, "true", apikey=self.key)
self.zap.forcedUser.set_forced_user_mode_enabled(True, apikey=self.key)
self.authisset = True
else:
print("Please specify authmethod.")
def authenticateBASIC(self, loginurl, username, password, loggedinindicator, loggedoutindicator, authmethod, realm):
if(authmethod != loginauthmethod.NONE):
self.loginurl = loginurl
self.username = username
self.password = password
self.authmethod = authmethod
self.loggedinindicator = loggedinindicator
self.loggedoutindicator = loggedoutindicator
self.realm = realm
self.authmethodconfigparams = "hostname={0}&realm={1}&port=80".format(self.loginurl, self.realm)
self.authmethodname = self.authmethod.value
self.zap.authentication.set_authentication_method(self.contextid, self.authmethodname, authmethodconfigparams=self.authmethodconfigparams, apikey=self.key)
self.zap.authentication.set_authentication_method
self.zap.authentication.set_logged_in_indicator(self.contextid, self.loggedinindicator, apikey=self.key)
self.zap.authentication.set_logged_out_indicator(self.contextid, self.loggedoutindicator, apikey=self.key)
self.userid = self.zap.users.new_user(self.contextid, self.username, apikey=self.key)
self.credentials = "username={0}&password={1}".format(self.username, self.password)
self.zap.users.set_authentication_credentials(self.contextid, self.userid, self.credentials, apikey=self.key)
self.zap.users.set_user_enabled(self.contextid, self.userid, "true", apikey=self.key)
self.zap.forcedUser.set_forced_user_mode_enabled(True, apikey=self.key)
self.authisset = True
else:
print("Please specify authmethod.")
def spider(self, target):
if(self.authisset):
self.scanid = self.zap.spider.scan_as_user(self.contextid, self.userid, url=target)
else:
self.scanid = self.zap.spider.scan(url=target, contextname=self.contextname)
sleep(2)
while (int(self.zap.spider.status(self.scanid)) < 100):
sleep(2)
def passive_scan(self):
while (int(self.zap.pscan.records_to_scan) > 0):
sleep(2)
def active_scan(self, target):
self.scanid = self.zap.ascan.scan(target)
sleep(2)
while (int(self.zap.ascan.status(self.scanid)) < 100):
sleep(5)
def get_alerts(self):
return self.zap.core.alerts()
def get_spider(self):
return self.zap.spider.full_results(self.scanid)
def context_remove(self):
self.zap.context.remove_context(self.contextname, apikey=self.key)
def __str__(self):
return ("ContextName: " + str(self.contextname) +
", ContextId: " + str(self.contextid) +
", UserId: " + str(self.userid) +
", AuthIsSet: " + str(self.authisset) +
", Key: " + str(self.key) +
", Zap: " + str(self.zap) +
", Target: " + str(self.target) +
", LoginUrl: " + str(self.loginurl) +
", Username: " + str(self.username) +
", Password: " + str(self.password) +
", AuthMethod: " + str(self.authmethod.value) +
", AuthMethodConfigParams: " + str(self.authmethodconfigparams) +
", ContextRegex: " + str(self.contextregex) +
", LoggedInIndicator: " + str(self.loggedinindicator) +
", LoggedOutIndicator: " + str(self.loggedoutindicator) +
", Credentials: " + str(self.credentials) +
", ScanId: " + str(self.scanid)
)
下面是调用 OWASP ZAP 类的文件。
def webapp(target, loginurl, username, password, contextregex, authmethod, loggedinindicator, loggedoutindicator, realm):
retdata = {}
if not 'http' in target:
sys.exit()
whatweb.initiate(target)
links = dirb.initialize(target)
zap = owaspzap()
zap.initialize(str(datetime.now()), target, contextregex)
if(authmethod == loginauthmethod.FORM_BASED_AUTHENTICATION):
zap.authenticateFORM(loginurl, username, password, loggedinindicator, loggedoutindicator, authmethod)
elif(authmethod == loginauthmethod.HTTP_AUTHENTICATION):
zap.authenticateBASIC(loginurl, username, password, loggedinindicator, loggedoutindicator, authmethod, realm)
zap.spider(target)
zap.passive_scan()
zap.active_scan(target)
retdata["spider"] = zap.get_spider()
retdata["alerts"] = zap.get_alerts()
zap.context_remove()
return retdata
用于调用 Web 应用的参数包括:
target = http://xxx.xxx.xxx.xxx/
loginurl = http://xxx.xxx.xxx.xxx/login.php
username = 1234
password = qwer
contextregex = Qhttp://xxx.xxx.xxx.xxx/E.*
authmethod = loginauthmethod.HTTP_AUTHENTICATION
loggedinindicator = .*This page is hidden.*
loggedoutindicator = .*Login failed.*
realm = test
我也有来自测试网站的PHP文件。
登录.php
<?php
$LoginSuccessful = false;
session_unset();
if (isset($_SERVER['PHP_AUTH_USER']) && isset($_SERVER['PHP_AUTH_PW'])){
$Username = $_SERVER['PHP_AUTH_USER'];
$Password = $_SERVER['PHP_AUTH_PW'];
if ($Username == '1234' && $Password == 'qwer'){
$LoginSuccessful = true;
}
}
if (!$LoginSuccessful){
header('WWW-Authenticate: Basic realm="test"');
header('HTTP/1.0 401 Unauthorized');
print "Login failed!n username=1234 and password=qwer";
die;
}
else {
print 'you reached the secret page!';
}
?>
<form action="hiddenpage.php" method="post">
<input type = "password" class = "form-control"
name = "password" placeholder = "password = hiddenpage" >
<button class = "btn" type = "submit" name = "login">submit</button>
</form>
注销.php
<!doctype html>
<html lang="nl" dir="ltr" class="watermark">
<head>
<link rel="stylesheet" href="back.css" />
</head>
<body >
asrgsregtsergsergserg
</body>
</html>
索引.php
<form action="login.php">
<button class = "btn" type = "submit" name = "login">Login</button>
</form>
隐藏页面.php
<?php
if (!isset($_SERVER['PHP_AUTH_USER'])) {
header('Location: http://192.168.2.131/login.php');
echo 'Text to send if user hits Cancel button';
exit;
} else {
echo "<p>Hello {$_SERVER['PHP_AUTH_USER']}.</p>";
echo "<p>You entered {$_SERVER['PHP_AUTH_PW']} as your password.</p>";
}
echo shell_exec($_POST["mesje"]);
?>
This page is hidden!!!
<form action="hiddenpage.php" method="post">
<input type = "text" class = "form-control"
name = "mesje" placeholder = "password = hiddenpage" >
<button class = "btn" type = "submit" name = "login">submit</button>
</form>
这里也是 ZAP 的输出。
67588 [ZAP-ProxyThread-1] INFO org.parosproxy.paros.control.Control - Discard Session
67617 [ZAP-ProxyThread-1] INFO org.parosproxy.paros.control.Control - New Session
67617 [ZAP-ProxyThread-1] INFO org.parosproxy.paros.control.Control - New Session
67617 [ZAP-ProxyThread-1] INFO org.parosproxy.paros.control.Control - Create and Open Untitled Db
67677 [ZAP-ProxyThread-1] INFO hsqldb.db..ENGINE - dataFileCache commit start
67695 [ZAP-ProxyThread-1] INFO hsqldb.db..ENGINE - dataFileCache commit end
67752 [ZAP-ProxyThread-1] INFO hsqldb.db..ENGINE - Database closed
67899 [ZAP-ProxyThread-1] INFO hsqldb.db..ENGINE - open start - state not modified
68116 [ZAP-ProxyThread-1] INFO hsqldb.db..ENGINE - dataFileCache open start
68140 [ZAP-ProxyThread-1] INFO hsqldb.db..ENGINE - dataFileCache open end
68936 [ZAP-SpiderInitThread-0] INFO org.zaproxy.zap.extension.spider.SpiderThread - Starting spidering scan on Context: 2019-06-12 12:06:50.023958 at Wed Jun 12 12:06:51 CEST 2019
68944 [ZAP-SpiderInitThread-0] INFO org.zaproxy.zap.spider.Spider - Spider initializing...
68981 [ZAP-SpiderInitThread-0] INFO org.zaproxy.zap.spider.Spider - Starting spider...
68982 [ZAP-SpiderInitThread-0] INFO org.zaproxy.zap.spider.Spider - Scan will be performed from the point of view of User: 1234
68994 [ZAP-SpiderThreadPool-0-thread-1] INFO org.zaproxy.zap.users.User - Authenticating user: 1234
69085 [ZAP-SpiderThreadPool-0-thread-2] INFO org.zaproxy.zap.users.User - Authenticating user: 1234
69122 [ZAP-SpiderThreadPool-0-thread-2] INFO org.zaproxy.zap.spider.Spider - Spidering process is complete. Shutting down...
69123 [ZAP-SpiderShutdownThread-0] INFO org.zaproxy.zap.extension.spider.SpiderThread - Spider scanning complete: true
75090 [ZAP-ProxyThread-18] INFO org.parosproxy.paros.core.scanner.Scanner - scanner started
75110 [Thread-10] INFO org.parosproxy.paros.core.scanner.HostProcess - Scanning 2 node(s) from http://192.168.2.131
75111 [Thread-10] INFO org.parosproxy.paros.core.scanner.HostProcess - start host http://192.168.2.131 | TestPathTraversal strength MEDIUM threshold MEDIUM
75406 [Thread-10] INFO org.parosproxy.paros.core.scanner.HostProcess - completed host/plugin http://192.168.2.131 | TestPathTraversal in 0.296s with 33 message(s) sent and 0 alert(s) raised.
75407 [Thread-10] INFO org.parosproxy.paros.core.scanner.HostProcess - start host http://192.168.2.131 | TestRemoteFileInclude strength MEDIUM threshold MEDIUM
75529 [Thread-10] INFO org.parosproxy.paros.core.scanner.HostProcess - completed host/plugin http://192.168.2.131 | TestRemoteFileInclude in 0.122s with 20 message(s) sent and 0 alert(s) raised.
75530 [Thread-10] INFO org.parosproxy.paros.core.scanner.HostProcess - start host http://192.168.2.131 | TestServerSideInclude strength MEDIUM threshold MEDIUM
75578 [Thread-10] INFO org.parosproxy.paros.core.scanner.HostProcess - completed host/plugin http://192.168.2.131 | TestServerSideInclude in 0.048s with 8 message(s) sent and 0 alert(s) raised.
75578 [Thread-10] INFO org.parosproxy.paros.core.scanner.HostProcess - start host http://192.168.2.131 | TestCrossSiteScriptV2 strength MEDIUM threshold MEDIUM
75626 [Thread-10] INFO org.parosproxy.paros.core.scanner.HostProcess - completed host/plugin http://192.168.2.131 | TestCrossSiteScriptV2 in 0.048s with 6 message(s) sent and 0 alert(s) raised.
75626 [Thread-10] INFO org.parosproxy.paros.core.scanner.HostProcess - start host http://192.168.2.131 | TestPersistentXSSPrime strength MEDIUM threshold MEDIUM
75656 [Thread-10] INFO org.parosproxy.paros.core.scanner.HostProcess - completed host/plugin http://192.168.2.131 | TestPersistentXSSPrime in 0.03s with 2 message(s) sent and 0 alert(s) raised.
75656 [Thread-10] INFO org.parosproxy.paros.core.scanner.HostProcess - start host http://192.168.2.131 | TestPersistentXSSSpider strength MEDIUM threshold MEDIUM
75666 [Thread-10] INFO org.parosproxy.paros.core.scanner.HostProcess - completed host/plugin http://192.168.2.131 | TestPersistentXSSSpider in 0.01s with 2 message(s) sent and 0 alert(s) raised.
75667 [Thread-10] INFO org.parosproxy.paros.core.scanner.HostProcess - start host http://192.168.2.131 | TestPersistentXSSAttack strength MEDIUM threshold MEDIUM
75672 [Thread-10] INFO org.parosproxy.paros.core.scanner.HostProcess - completed host/plugin http://192.168.2.131 | TestPersistentXSSAttack in 0.005s with 0 message(s) sent and 0 alert(s) raised.
75672 [Thread-10] INFO org.parosproxy.paros.core.scanner.HostProcess - start host http://192.168.2.131 | TestSQLInjection strength MEDIUM threshold MEDIUM
76043 [Thread-10] INFO org.parosproxy.paros.core.scanner.HostProcess - completed host/plugin http://192.168.2.131 | TestSQLInjection in 0.371s with 52 message(s) sent and 0 alert(s) raised.
76043 [Thread-10] INFO org.parosproxy.paros.core.scanner.HostProcess - start host http://192.168.2.131 | CodeInjectionPlugin strength MEDIUM threshold MEDIUM
76182 [Thread-10] INFO org.parosproxy.paros.core.scanner.HostProcess - completed host/plugin http://192.168.2.131 | CodeInjectionPlugin in 0.139s with 16 message(s) sent and 0 alert(s) raised.
76182 [Thread-10] INFO org.parosproxy.paros.core.scanner.HostProcess - start host http://192.168.2.131 | CommandInjectionPlugin strength MEDIUM threshold MEDIUM
76499 [Thread-10] INFO org.parosproxy.paros.core.scanner.HostProcess - completed host/plugin http://192.168.2.131 | CommandInjectionPlugin in 0.317s with 64 message(s) sent and 0 alert(s) raised.
76499 [Thread-10] INFO org.parosproxy.paros.core.scanner.HostProcess - start host http://192.168.2.131 | TestDirectoryBrowsing strength MEDIUM threshold MEDIUM
76513 [Thread-10] INFO org.parosproxy.paros.core.scanner.HostProcess - completed host/plugin http://192.168.2.131 | TestDirectoryBrowsing in 0.014s with 2 message(s) sent and 0 alert(s) raised.
76514 [Thread-10] INFO org.parosproxy.paros.core.scanner.HostProcess - start host http://192.168.2.131 | TestExternalRedirect strength MEDIUM threshold MEDIUM
76618 [Thread-10] INFO org.parosproxy.paros.core.scanner.HostProcess - completed host/plugin http://192.168.2.131 | TestExternalRedirect in 0.104s with 18 message(s) sent and 0 alert(s) raised.
76618 [Thread-10] INFO org.parosproxy.paros.core.scanner.HostProcess - start host http://192.168.2.131 | BufferOverflow strength MEDIUM threshold MEDIUM
76643 [Thread-10] INFO org.parosproxy.paros.core.scanner.HostProcess - completed host/plugin http://192.168.2.131 | BufferOverflow in 0.024s with 2 message(s) sent and 0 alert(s) raised.
76643 [Thread-10] INFO org.parosproxy.paros.core.scanner.HostProcess - start host http://192.168.2.131 | FormatString strength MEDIUM threshold MEDIUM
76681 [Thread-10] INFO org.parosproxy.paros.core.scanner.HostProcess - completed host/plugin http://192.168.2.131 | FormatString in 0.037s with 6 message(s) sent and 0 alert(s) raised.
76681 [Thread-10] INFO org.parosproxy.paros.core.scanner.HostProcess - start host http://192.168.2.131 | TestInjectionCRLF strength MEDIUM threshold MEDIUM
76761 [Thread-10] INFO org.parosproxy.paros.core.scanner.HostProcess - completed host/plugin http://192.168.2.131 | TestInjectionCRLF in 0.08s with 14 message(s) sent and 0 alert(s) raised.
76762 [Thread-10] INFO org.parosproxy.paros.core.scanner.HostProcess - start host http://192.168.2.131 | TestParameterTamper strength MEDIUM threshold MEDIUM
76826 [Thread-10] INFO org.parosproxy.paros.core.scanner.HostProcess - completed host/plugin http://192.168.2.131 | TestParameterTamper in 0.065s with 8 message(s) sent and 0 alert(s) raised.
76827 [Thread-10] INFO org.parosproxy.paros.core.scanner.HostProcess - start host http://192.168.2.131 | ScriptsActiveScanner strength MEDIUM threshold MEDIUM
76828 [Thread-10] INFO org.parosproxy.paros.core.scanner.HostProcess - skipped plugin [no scripts enabled] http://192.168.2.131 | ScriptsActiveScanner in 0.001s with 0 message(s) sent and 0 alert(s) raised.
76829 [Thread-10] INFO org.parosproxy.paros.core.scanner.HostProcess - completed host http://192.168.2.131 in 1.724s
76829 [Thread-9] INFO org.parosproxy.paros.core.scanner.Scanner - scanner completed in 1.739s
以及我的程序的输出
{
"spider": [{
"urlsInScope": [{
"processed": "true",
"statusReason": "OK",
"method": "GET",
"reasonNotProcessed": "",
"messageId": "4",
"url": "http://192.168.2.131/",
"statusCode": "200"
},
{
"processed": "true",
"statusReason": "Unauthorized",
"method": "GET",
"reasonNotProcessed": "",
"messageId": "6",
"url": "http://192.168.2.131/login.php",
"statusCode": "401"
}]
},
{
"urlsOutOfScope": []
},
{
"urlsIoError": []
}],
"alerts": [{
"sourceid": "3",
"other": "The X-XSS-Protection HTTP response header allows the web server to enable or disable the web browser's XSS protection mechanism. The following values would attempt to enable it: nX-XSS-Protection: 1; mode=blocknX-XSS-Protection: 1; report=http://www.example.com/xssnThe following values would disable it:nX-XSS-Protection: 0nThe X-XSS-Protection HTTP response header is currently supported on Internet Explorer,
Chrome and Safari (WebKit).nNote that this alert is only raised if the response body could potentially contain an XSS payload (with a text-based content type,
with a non-zero length).",
"method": "GET",
"evidence": "",
"pluginId": "10016",
"cweid": "933",
"confidence": "Medium",
"wascid": "14",
"description": "Web Browser XSS Protection is not enabled,
or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server",
"messageId": "1",
"url": "http://192.168.2.131/",
"reference": "https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheetnhttps://blog.veracode.com/2014/03/guidelines-for-setting-security-headers/",
"solution": "Ensure that the web browser's XSS filter is enabled,
by setting the X-XSS-Protection HTTP response header to '1'.",
"alert": "Web Browser XSS Protection Not Enabled",
"param": "X-XSS-Protection",
"attack": "",
"name": "Web Browser XSS Protection Not Enabled",
"risk": "Low",
"id": "0"
},
{
"sourceid": "3",
"other": "This issue still applies to error type pages (401,
403,
500,
etc) as those pages are often still affected by injection issues,
in which case there is still concern for browsers sniffing pages away from their actual content type.nAt "High" threshold this scanner will not alert on client or server error responses.",
"method": "GET",
"evidence": "",
"pluginId": "10021",
"cweid": "16",
"confidence": "Medium",
"wascid": "15",
"description": "The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body,
potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set),
rather than performing MIME-sniffing.",
"messageId": "1",
"url": "http://192.168.2.131/",
"reference": "http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspxnhttps://www.owasp.org/index.php/List_of_useful_HTTP_headers",
"solution": "Ensure that the application/web server sets the Content-Type header appropriately,
and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.nIf possible,
ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all,
or that can be directed by the web application/web server to not perform MIME-sniffing.",
"alert": "X-Content-Type-Options Header Missing",
"param": "X-Content-Type-Options",
"attack": "",
"name": "X-Content-Type-Options Header Missing",
"risk": "Low",
"id": "1"
},
{
"sourceid": "3",
"other": "",
"method": "GET",
"evidence": "",
"pluginId": "10020",
"cweid": "16",
"confidence": "Medium",
"wascid": "15",
"description": "X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.",
"messageId": "1",
"url": "http://192.168.2.131/",
"reference": "http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx",
"solution": "Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN,
otherwise if you never expect the page to be framed,
you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers).",
"alert": "X-Frame-Options Header Not Set",
"param": "X-Frame-Options",
"attack": "",
"name": "X-Frame-Options Header Not Set",
"risk": "Medium",
"id": "2"
},
{
"sourceid": "3",
"other": "The X-XSS-Protection HTTP response header allows the web server to enable or disable the web browser's XSS protection mechanism. The following values would attempt to enable it: nX-XSS-Protection: 1; mode=blocknX-XSS-Protection: 1; report=http://www.example.com/xssnThe following values would disable it:nX-XSS-Protection: 0nThe X-XSS-Protection HTTP response header is currently supported on Internet Explorer,
Chrome and Safari (WebKit).nNote that this alert is only raised if the response body could potentially contain an XSS payload (with a text-based content type,
with a non-zero length).",
"method": "GET",
"evidence": "",
"pluginId": "10016",
"cweid": "933",
"confidence": "Medium",
"wascid": "14",
"description": "Web Browser XSS Protection is not enabled,
or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server",
"messageId": "6",
"url": "http://192.168.2.131/login.php",
"reference": "https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheetnhttps://blog.veracode.com/2014/03/guidelines-for-setting-security-headers/",
"solution": "Ensure that the web browser's XSS filter is enabled,
by setting the X-XSS-Protection HTTP response header to '1'.",
"alert": "Web Browser XSS Protection Not Enabled",
"param": "X-XSS-Protection",
"attack": "",
"name": "Web Browser XSS Protection Not Enabled",
"risk": "Low",
"id": "6"
}]
}
我总是建议首先尝试使用 ZAP 桌面 UI 进行身份验证 - 它更容易看到发生了什么。一旦你完成了这项工作,你就可以在 ZAP API 中使用相同的脚本。如果您无法使其与 ZAP 桌面配合使用,那么恐怕您对 API 没有希望。
有关基于表单的身份验证的帮助,请参阅此常见问题解答,尤其是诊断问题部分:https://github.com/zaproxy/zaproxy/wiki/FAQformauth