I need help with NTLM authentication configuration.

I am currently testing an AJAX web application with OWASP ZAP. The application is reachable over HTTPS and has NTLM authentication enabled. When I run a scan, ZAP does not keep the correct NTLM negotiation order. The expected way of an NTLM connection is:

  • The client sends a GET to receive the website.

  • The server sends WWW-Authenticate: Negotiate and WWW-Authenticate: NTLM with a 401 code.

  • The client sends the authentication information using Authorization: Negotiate.

  • The server responds with WWW-Authenticate: Negotiate and the requested page with code 200.

This does happen during the scan, but only the first two steps: after receiving the Negotiate/NTLM challenge, ZAP just starts the next test. Every few tests though, ZAP tries to perform the test by skipping step 3:

  • ZAP sends Authorization: Negotiate with base64-encoded NTLM,

  • The server sends WWW-Authenticate: Negotiate and WWW-Authenticate: NTLM with a 401 code.

After that, ZAP simply skips the test and saves an entry in zap.log:

"2018-07-16 18:07:57,969 [ZAP-ActiveScanner-1] ERROR HttpMethodDirector - Out of sequence NTLM response message org.apache.commons.httpclient.auth.MalformedChallengeException: Out of sequence NTLM response message".

Do you know what is wrong here? Below I am sending you my configuration, my logging options, and the errors I receive.

Steps to reproduce the behavior:

  • Open a web browser with its proxy configured for ZAP and click through the whole web application at https://example.com:9443/service (it is an AJAX service). I did not use the AJAX Spider because it often fails to provide valid input on data-validated inputs.

  1. Session Properties: create a new context with https://example.com:9443/service.*

  2. Session Properties: Authentication: HTTP/NTLM Authentication

     Hostname: https://example.com

     Port: 8443

     Realm: left empty (also tried .local)

     Regex pattern identified in logged-in response:

  3. Session Properties: Users: add a valid user from the domain (also tried "" and "")

  4. Forced User: the username set in step 3

  5. Session Management: HTTP Authentication Session Management

  6. Authorization: HTTP status code: 401

     Body contains regex: 'Access restricted' (a string placed on the webapp's 401 page). At least one of the above conditions must match.

After configuration, run the scan:

Starting point: https://example.com:9443/service

Policy: Default

Context: the one configured above (step 1)

User: the one configured above (step 3)

  • Start the scan.

Logs I encounter - there is also one error with parsing the request body:

2018-07-16 18:07:57,414 [Thread-607] INFO HostProcess - Scanning 90 node(s) from https://example.com:9443/service as {user}
2018-07-16 18:07:57,418 [Thread-607] INFO HostProcess - start host https://example.com:9443/service | TestRemoteFileInclude strength MEDIUM threshold MEDIUM
2018-07-16 18:07:57,442 [Thread-607] ERROR HttpMethodDirector - Out of sequence NTLM response message
org.apache.commons.httpclient.auth.MalformedChallengeException: Out of sequence NTLM response message
at org.zaproxy.zap.network.ZapNTLMScheme.processChallenge(ZapNTLMScheme.java:131)
at org.apache.commons.httpclient.auth.AuthChallengeProcessor.processChallenge(AuthChallengeProcessor.java:162)
at org.apache.commons.httpclient.HttpMethodDirector.processWWWAuthChallenge(HttpMethodDirector.java:773)
at org.apache.commons.httpclient.HttpMethodDirector.processAuthenticationResponse(HttpMethodDirector.java:747)
at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:221)
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
at org.parosproxy.paros.network.HttpSender.executeMethod(HttpSender.java:333)
at org.parosproxy.paros.network.HttpSender.runMethod(HttpSender.java:562)
at org.parosproxy.paros.network.HttpSender.send(HttpSender.java:523)
at org.parosproxy.paros.network.HttpSender.sendAuthenticated(HttpSender.java:501)
at org.parosproxy.paros.network.HttpSender.sendAuthenticated(HttpSender.java:490)
at org.parosproxy.paros.network.HttpSender.sendAndReceive(HttpSender.java:405)
at org.parosproxy.paros.network.HttpSender.sendAndReceive(HttpSender.java:362)
at org.parosproxy.paros.core.scanner.HostProcess.obtainResponse(HostProcess.java:507)
at org.parosproxy.paros.core.scanner.HostProcess.scanMessage(HostProcess.java:460)
at org.parosproxy.paros.core.scanner.HostProcess.processPlugin(HostProcess.java:371)
at org.parosproxy.paros.core.scanner.HostProcess.run(HostProcess.java:302)
at java.lang.Thread.run(Unknown Source)
2018-07-16 18:50:03,583 [ZAP-ActiveScanner-0] WARN VariantJSONQuery - Failed to parse the request body: Input is invalid JSON; does not start with '{' or '[', c=-1
java.lang.IllegalArgumentException: Input is invalid JSON; does not start with '{' or '[', c=-1
at org.parosproxy.paros.core.scanner.VariantJSONQuery.parseObject(VariantJSONQuery.java:117)
at org.parosproxy.paros.core.scanner.VariantJSONQuery.parseContent(VariantJSONQuery.java:61)
at org.parosproxy.paros.core.scanner.VariantAbstractRPCQuery.setRequestContent(VariantAbstractRPCQuery.java:167)
at org.parosproxy.paros.core.scanner.VariantAbstractRPCQuery.setMessage(VariantAbstractRPCQuery.java:51)
at org.parosproxy.paros.core.scanner.AbstractAppParamPlugin.scan(AbstractAppParamPlugin.java:161)
at org.parosproxy.paros.core.scanner.AbstractPlugin.run(AbstractPlugin.java:380)
at java.lang.Thread.run(Unknown Source)

Logging settings:

log4j.logger.org.parosproxy.paros=DEBUG
log4j.logger.org.zaproxy.zap=DEBUG
log4j.logger.org.apache.commons.httpclient=DEBUG
log4j.logger.httpclient.wire.header=DEBUG
log4j.logger.net.htmlparser.jericho=ERROR

Installation configuration:

ZAP: 2.7.0
Add-on: Set of default Add-ons. 
OS: Windows 10 17134
Java: Java(TM) SE Runtime Environment (build 1.8.0_171-b11)
Browser: clicking through the application was done with Chrome, version 67.0.3396.99
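The negotiation order the post expects, and the case the log reports as "Out of sequence NTLM response message", can be reproduced offline with a small state machine. The block below is an added example and is not ZAP's or Apache HttpClient's code: it walks a constructed HTTP exchange, reads the NTLM message type from each token (the `NTLMSSP\0` signature and the little-endian type field at offset 8 are the real NTLM wire format; the tokens themselves are minimal stand-ins built by `make_token`, not usable handshake messages), and flags a challenge that arrives when the client is not in a state that expects one. The state names, the `replay` helper and the two exchanges `EXPECTED` and `SKIPPED` are constructed for this example; `SKIPPED` mirrors the sequence the post describes (an Authorization token sent without waiting for the challenge, answered by a bare 401).

```python
"""Track the order of NTLM messages on one HTTP connection (added example, not ZAP code)."""
import base64
import struct
from enum import Enum, auto

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"          # prefix of every NTLM token
NEGOTIATE, CHALLENGE, AUTHENTICATE = 1, 2, 3  # NTLM message types (Type 1/2/3)


class State(Enum):
    UNINITIATED = auto()         # no NTLM traffic seen on this connection
    CHALLENGE_RECEIVED = auto()  # server offered bare "Negotiate"/"NTLM" (401)
    TYPE1_SENT = auto()          # client sent the negotiate message
    TYPE2_RECEIVED = auto()      # server returned the challenge token
    TYPE3_SENT = auto()          # client sent the authenticate message
    AUTHENTICATED = auto()
    FAILED = auto()


def make_token(msg_type: int) -> str:
    """Constructed minimal token: signature + little-endian type + zero padding.
    Sufficient for sequence tracking only; not a usable NTLM message."""
    raw = NTLMSSP_SIGNATURE + struct.pack("<I", msg_type) + b"\x00" * 24
    return base64.b64encode(raw).decode("ascii")


def token_type(token_b64: str) -> int:
    """Return the NTLM message type (1, 2 or 3) encoded in a base64 token."""
    raw = base64.b64decode(token_b64)
    if len(raw) < 12 or raw[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("not an NTLMSSP token")
    return struct.unpack_from("<I", raw, 8)[0]


def _split(header_value: str):
    scheme, _, token = header_value.strip().partition(" ")
    return scheme.upper(), token.strip()


class NtlmSequenceTracker:
    def __init__(self):
        self.state = State.UNINITIATED
        self.error = None

    def _fail(self, reason: str) -> State:
        self.state, self.error = State.FAILED, reason
        return self.state

    def client_sent(self, authorization: str) -> State:
        """Consume a request's Authorization header."""
        scheme, token = _split(authorization)
        if scheme not in ("NTLM", "NEGOTIATE"):
            return self.state
        kind = token_type(token)
        if kind == NEGOTIATE and self.state in (State.UNINITIATED, State.CHALLENGE_RECEIVED):
            self.state = State.TYPE1_SENT
        elif kind == AUTHENTICATE and self.state == State.TYPE2_RECEIVED:
            self.state = State.TYPE3_SENT
        else:
            self._fail(f"client sent Type {kind} message in state {self.state.name}")
        return self.state

    def server_responded(self, status: int, www_authenticate: list) -> State:
        """Consume a response's status code and its WWW-Authenticate header values."""
        if status != 401:
            if self.state == State.TYPE3_SENT:
                self.state = State.AUTHENTICATED
            return self.state
        for value in www_authenticate:
            scheme, token = _split(value)
            if scheme not in ("NTLM", "NEGOTIATE"):
                continue
            if not token:
                # A bare challenge only makes sense as the opening of a handshake.
                if self.state in (State.UNINITIATED, State.CHALLENGE_RECEIVED):
                    self.state = State.CHALLENGE_RECEIVED
                else:
                    return self._fail("Out of sequence NTLM response message "
                                      f"(bare challenge in state {self.state.name})")
            elif token_type(token) == CHALLENGE and self.state == State.TYPE1_SENT:
                self.state = State.TYPE2_RECEIVED
            else:
                return self._fail("Out of sequence NTLM response message "
                                  f"(challenge token in state {self.state.name})")
        return self.state


def replay(exchange):
    """Run a list of ("C", authorization-or-None) / ("S", status, [www-authenticate]) steps."""
    tracker = NtlmSequenceTracker()
    for step in exchange:
        if step[0] == "C":
            if step[1] is not None:
                tracker.client_sent(step[1])
        else:
            tracker.server_responded(step[1], step[2])
        if tracker.state == State.FAILED:
            break
    return tracker.state.name, tracker.error


# Constructed exchanges. EXPECTED follows the order the post expects; SKIPPED is
# the variant the post observes: a token sent without waiting for the challenge.
EXPECTED = [
    ("C", None),
    ("S", 401, ["Negotiate", "NTLM"]),
    ("C", "Negotiate " + make_token(NEGOTIATE)),
    ("S", 401, ["Negotiate " + make_token(CHALLENGE)]),
    ("C", "Negotiate " + make_token(AUTHENTICATE)),
    ("S", 200, ["Negotiate"]),
]
SKIPPED = [
    ("C", "Negotiate " + make_token(NEGOTIATE)),
    ("S", 401, ["Negotiate", "NTLM"]),
]

if __name__ == "__main__":
    print(replay(EXPECTED))  # ('AUTHENTICATED', None)
    print(replay(SKIPPED))   # ('FAILED', 'Out of sequence NTLM response message (...)')
```

Running it shows the full handshake ending in `AUTHENTICATED`, while the skipped variant fails at the server's bare 401, which is the same point at which the `ZapNTLMScheme.processChallenge` frame in the stack trace raises. Feeding the tracker with header pairs captured from ZAP's `httpclient.wire.header` DEBUG output (already enabled in the logging settings above) is one way to pin down which request first breaks the order.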