I need help with NTLM authentication configuration.
I am currently testing an AJAX web application with OWASP ZAP. The application is reachable over HTTPS and has NTLM authentication enabled. When I run a scan, ZAP does not keep the correct order of the NTLM negotiation. The expected way of NTLM connection is:
- The client sends a GET to receive the website
- The server sends WWW-Authenticate: Negotiate and WWW-Authenticate: NTLM with a 401 code
- The client sends the authentication information with Authorization: Negotiate
- The server responds with WWW-Authenticate: Negotiate and with the requested page and code 200.
This happens during the scan, but only the first two steps - after receiving the Negotiate/NTLM challenge, ZAP just starts the next test. Every few tests though, ZAP tries to perform the test by skipping step 3:
- ZAP sends Authorization: Negotiate with base64-encoded NTLM,
- The server sends WWW-Authenticate: Negotiate and WWW-Authenticate: NTLM with a 401 code
After that, ZAP just skips the test and saves an entry in zap.log:
"2018-07-16 18:07:57,969 [ZAP-ActiveScanner-1] ERROR HttpMethodDirector - Out of sequence NTLM response message org.apache.commons.httpclient.auth.MalformedChallengeException: Out of sequence NTLM response message".
Do you know what the problem is here? Below I send you my configuration, what my logging options are and what errors I received.
Steps to reproduce the behavior:
- Open the web browser with a proxy configured for ZAP and click through the whole web application at https://example.com:9443/service (this is an AJAX service). I did not use the AJAX Spider because it often fails to provide valid input on data-validated inputs.
- Session properties: create a new context with https://example.com:9443/service.*
- Session properties: Authentication: HTTP/NTLM authentication
  Port: 8443
  Realm: left blank (also tried with and .local)
  Regex pattern identified in logged-in response:
- Session properties: Users: add a valid user from the domain (also tried "" and "")
- Forced user: the username set in step 3
- Session management: HTTP authentication session management
- Authorization: HTTP status code: 401
  Body contains regex: 'Access restricted' (a string placed on the webapp's 401 page). At least one of the above conditions must match.
After configuration run the scan:
- In the Sites tree, right-click https://example.com:9443/service -> Attack -> Active Scan
- In the "Active Scan Scope" tab:
  Starting point: https://example.com:9443/service
  Policy: Default
  Context: the one configured above (step 1)
  User: the one configured above (step 3)
- Start the scan.
Logs I encounter - there is also one error with parsing the request body:
2018-07-16 18:07:57,414 [Thread-607] INFO HostProcess - Scanning 90 node(s) from https://example.com:9443/service as {user}
2018-07-16 18:07:57,418 [Thread-607] INFO HostProcess - start host https://example.com:9443/service | TestRemoteFileInclude strength MEDIUM threshold MEDIUM
2018-07-16 18:07:57,442 [Thread-607] ERROR HttpMethodDirector - Out of sequence NTLM response message
org.apache.commons.httpclient.auth.MalformedChallengeException: Out of sequence NTLM response message
at org.zaproxy.zap.network.ZapNTLMScheme.processChallenge(ZapNTLMScheme.java:131)
at org.apache.commons.httpclient.auth.AuthChallengeProcessor.processChallenge(AuthChallengeProcessor.java:162)
at org.apache.commons.httpclient.HttpMethodDirector.processWWWAuthChallenge(HttpMethodDirector.java:773)
at org.apache.commons.httpclient.HttpMethodDirector.processAuthenticationResponse(HttpMethodDirector.java:747)
at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:221)
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
at org.parosproxy.paros.network.HttpSender.executeMethod(HttpSender.java:333)
at org.parosproxy.paros.network.HttpSender.runMethod(HttpSender.java:562)
at org.parosproxy.paros.network.HttpSender.send(HttpSender.java:523)
at org.parosproxy.paros.network.HttpSender.sendAuthenticated(HttpSender.java:501)
at org.parosproxy.paros.network.HttpSender.sendAuthenticated(HttpSender.java:490)
at org.parosproxy.paros.network.HttpSender.sendAndReceive(HttpSender.java:405)
at org.parosproxy.paros.network.HttpSender.sendAndReceive(HttpSender.java:362)
at org.parosproxy.paros.core.scanner.HostProcess.obtainResponse(HostProcess.java:507)
at org.parosproxy.paros.core.scanner.HostProcess.scanMessage(HostProcess.java:460)
at org.parosproxy.paros.core.scanner.HostProcess.processPlugin(HostProcess.java:371)
at org.parosproxy.paros.core.scanner.HostProcess.run(HostProcess.java:302)
at java.lang.Thread.run(Unknown Source)
2018-07-16 18:50:03,583 [ZAP-ActiveScanner-0] WARN VariantJSONQuery - Failed to parse the request body: Input is invalid JSON; does not start with '{' or '[', c=-1
java.lang.IllegalArgumentException: Input is invalid JSON; does not start with '{' or '[', c=-1
at org.parosproxy.paros.core.scanner.VariantJSONQuery.parseObject(VariantJSONQuery.java:117)
at org.parosproxy.paros.core.scanner.VariantJSONQuery.parseContent(VariantJSONQuery.java:61)
at org.parosproxy.paros.core.scanner.VariantAbstractRPCQuery.setRequestContent(VariantAbstractRPCQuery.java:167)
at org.parosproxy.paros.core.scanner.VariantAbstractRPCQuery.setMessage(VariantAbstractRPCQuery.java:51)
at org.parosproxy.paros.core.scanner.AbstractAppParamPlugin.scan(AbstractAppParamPlugin.java:161)
at org.parosproxy.paros.core.scanner.AbstractPlugin.run(AbstractPlugin.java:380)
at java.lang.Thread.run(Unknown Source)
Logging settings:
log4j.logger.org.parosproxy.paros=DEBUG
log4j.logger.org.zaproxy.zap=DEBUG
log4j.logger.org.apache.commons.httpclient=DEBUG
log4j.logger.httpclient.wire.header=DEBUG
log4j.logger.net.htmlparser.jericho=ERROR
Installation configuration:
ZAP: 2.7.0
Add-on: Set of default Add-ons.
OS: Windows 10 17134
Java: Java(TM) SE Runtime Environment (build 1.8.0_171-b11)
Browser: clicking through the application was done with Chrome, version 67.0.3396.99
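As an added illustration (not code from this post or from ZAP itself), a small Python checker that replays the three-message NTLM exchange (Type 1 Negotiate, Type 2 Challenge, Type 3 Authenticate) behind the steps listed above and reports the first message that arrives out of sequence. The state machine, sample header values and tokens below are constructed here and are not taken from ZAP's ZapNTLMScheme.

```python
import base64
import binascii
import struct
# An NTLMSSP token starts with this signature; the message type is a
# little-endian uint32 at offset 8 (1 = Negotiate, 2 = Challenge, 3 = Authenticate).
NTLM_SIGNATURE = b"NTLMSSP\x00"

def ntlm_message_type(header_value):
    """Return 1, 2 or 3 for a header value carrying an NTLMSSP token, else None."""
    parts = header_value.split(None, 1)
    if len(parts) < 2:          # bare "NTLM" / "Negotiate" challenge, no token
        return None
    try:
        token = base64.b64decode(parts[1], validate=True)
    except (binascii.Error, ValueError):
        return None
    if len(token) < 12 or not token.startswith(NTLM_SIGNATURE):
        return None
    return struct.unpack_from("<I", token, 8)[0]

# Allowed transitions of the three-message NTLM exchange over HTTP:
# (state, side, message type) -> next state. 'S' = server WWW-Authenticate,
# 'C' = client Authorization; None = bare challenge without a token.
TRANSITIONS = {
    ("start", "S", None): "offered",          # 401 with WWW-Authenticate: NTLM
    ("offered", "C", 1): "negotiated",        # client sends Type 1 (Negotiate)
    ("negotiated", "S", 2): "challenged",     # server sends Type 2 (Challenge)
    ("challenged", "C", 3): "authenticated",  # client sends Type 3, expects 200
}

def check_sequence(exchange):
    """Replay (side, header value) pairs; return (ok, last state, detail)."""
    state = "start"
    for side, value in exchange:
        mtype = ntlm_message_type(value)
        nxt = TRANSITIONS.get((state, side, mtype))
        if nxt is None:
            return False, state, f"out of sequence: {side} sent type {mtype} in state {state}"
        state = nxt
    return state == "authenticated", state, "complete" if state == "authenticated" else "incomplete"

def fake_token(msg_type):
    """Constructed NTLMSSP token with only the signature and type field filled in."""
    return base64.b64encode(NTLM_SIGNATURE + struct.pack("<I", msg_type) + b"\x00" * 8).decode()

# Constructed samples: the full expected flow, and the shortcut the post reports
# (a Type 1 sent before any 401 challenge, answered by a bare challenge again).
EXPECTED = [("S", "NTLM"), ("C", "NTLM " + fake_token(1)),
            ("S", "NTLM " + fake_token(2)), ("C", "NTLM " + fake_token(3))]
REPORTED = [("C", "Negotiate " + fake_token(1)), ("S", "NTLM")]
```

Feeding the checker the header pairs captured from a ZAP session (for example from the httpclient.wire.header debug output) shows at which step the sequence diverged from the Type 1/2/3 order.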