You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
<p>Authentication is a bit different for the API.</p>
352
+
<p>You need to make a <code>POST</code> request to the <code>/api/login</code> with the credentials in JSON format: <code>{"username":"jsmith","password":"demo1234"}</code>. Which responds with a an Authorization token which then needs to be sent via the <code>Authorization</code> header on requests to other parts of the API. Session/token validity can be verified by making a <code>GET</code> request to <code>/api/login</code> then checking the response code (200 OK vs 401 Unauthorized).</p>
<p>If you have the <ahref="/docs/desktop/addons/scan-policies/">Scan Policies add-on</a> installed, this is a good opportunity to leverage the <ahref="/docs/desktop/addons/scan-policies/policy-api/">API Policy</a>.</p>
Copy file name to clipboardExpand all lines: search/index.json
+1-1Lines changed: 1 addition & 1 deletion
Original file line number
Diff line number
Diff line change
@@ -4997,7 +4997,7 @@
4997
4997
"keywords": ["","/","altoroj","testfire.net"],
4998
4998
"tags": null,
4999
4999
"summary": "\u003ch3 id=\"overview\"\u003eOverview \u003ca class=\"header-link\" href=\"#overview\"\u003e\u003csvg class=\"fill-current o-60 hover-accent-color-light\" height=\"22px\" viewBox=\"0 0 24 24\" width=\"22px\" xmlns=\"http://www.w3.org/2000/svg\"\u003e\u003cpath d=\"M0 0h24v24H0z\" fill=\"none\"/\u003e\u003cpath d=\"M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z\" fill=\"currentColor\"/\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/h3\u003e\n\u003cp\u003eAltoroJ, also known as Altoro Mutual and Testfire, is an open source sample banking J2EE web application\nmaintained by \u003ca href=\"https://www.hcl-software.com/\"\u003eHCL Software\u003c/a\u003e.\u003c/p\u003e",
5000
-
"content": "overview altoroj also known altoro mutual testfire open source sample banking j2ee web application maintained by hcl software traditional app created 2008 not updated very often online: https:demotestfirenet repo: https:githubcomhcltechsoftwarealtoroj quick start new zap just want quickly run against these commands: download recommended plan using curl use any other suitable tool https:rawgithubusercontentcomzaproxycommunityscriptsrefsheadsmainotherafplansfullscantestfireauthyaml stable docker image mapping cwd that can access file system export report pwd:zapwrk:rw zaproxyzapstable zapsh cmd autorun wrkfullscantestfireauthyaml command windows see relevant documentation you will need have installed do then course install locally create html your containing full details all issues found further resultsresults below potential pitfalls online which may unavailable broken point running local version give more consistent results authentication users username password: admin jsmith demo1234 browser based successfully authenticate identify session handling verification client script zest available here: testfirezst environment env: contexts: name: urls: http:demotestfirenet includepaths: authentication: method: parameters: loginpageurl: https:demotestfirenetloginjsp loginpagewait: browserid: firefox verification: poll loggedinregex: 200 oke loggedoutregex: 302 founde pollfrequency: 60 pollunits: seconds pollurl: https:demotestfirenetbankmainjsp pollpostdata: 3434 sessionmanagement: headers users: credentials: username: note there exclude paths added definition logout avoidance used spider job example dologin left included impacted sqli vulnerability crawling spiders crawl we recommend following configuration: type: context: user: url: logoutavoidance: true ajax link: spiderajax firefoxheadless excludedelements: description: element: text: sign off scanning believe definitive list vulnerabilities altoroj: https:helphclsoftwarecomappscanasocjapdfsampledastreportpdf too surprisingly configure activescan probably generate vuln disposition cross site scripting reflected http:testfirenetbankcustomizejsp positive http:testfirenetbankqueryxpathjsp http:testfirenetsearchjsp http:testfirenetsendfeedback sql injection http:testfirenetbankccapply https:testfirenetdologin https:demotestfirenetbankshowtransactions false negative external redirect pii disclosure https:testfirenetbankmainjsp content security policy csp header set absence anticsrf tokens missing anticlickjacking relative path confusion secure pages include mixed including scripts sub resource integrity attribute insecure http method code "
5000
+
"content": "overview altoroj also known altoro mutual testfire open source sample banking j2ee web application maintained by hcl software traditional app created 2008 not updated very often online: https:demotestfirenet repo: https:githubcomhcltechsoftwarealtoroj quick start new zap just want quickly run against these commands: download recommended plan using curl use any other suitable tool https:rawgithubusercontentcomzaproxycommunityscriptsrefsheadsmainotherafplansfullscantestfireauthyaml stable docker image mapping cwd that can access file system export report pwd:zapwrk:rw zaproxyzapstable zapsh cmd autorun wrkfullscantestfireauthyaml command windows see relevant documentation you will need have installed do then course install locally create html your containing full details all issues found further resultsresults below potential pitfalls online which may unavailable broken point running local version give more consistent results authentication users username password: admin jsmith demo1234 browser based successfully authenticate identify session handling verification client script zest available here: testfirezst environment env: contexts: name: urls: http:demotestfirenet includepaths: authentication: method: parameters: loginpageurl: https:demotestfirenetloginjsp loginpagewait: browserid: firefox verification: poll loggedinregex: 200 oke loggedoutregex: 302 founde pollfrequency: 60 pollunits: seconds pollurl: https:demotestfirenetbankmainjsp pollpostdata: 3434 sessionmanagement: headers users: credentials: username: note there exclude paths added definition logout avoidance used spider job example dologin left included impacted sqli vulnerability crawling spiders crawl we recommend following configuration: type: context: user: url: logoutavoidance: true ajax link: spiderajax firefoxheadless excludedelements: description: element: text: sign off scanning believe definitive list vulnerabilities altoroj: https:helphclsoftwarecomappscanasocjapdfsampledastreportpdf too surprisingly configure activescan probably generate vuln disposition cross site scripting reflected http:testfirenetbankcustomizejsp positive http:testfirenetbankqueryxpathjsp http:testfirenetsearchjsp http:testfirenetsendfeedback sql injection http:testfirenetbankccapply https:testfirenetdologin https:demotestfirenetbankshowtransactions false negative external redirect pii disclosure https:testfirenetbankmainjsp content security policy csp header set absence anticsrf tokens missing anticlickjacking relative path confusion secure pages include mixed including scripts sub resource integrity attribute insecure http method code api bit different make post request apilogin credentials json format: username:jsmithpassword:demo1234 responds authorization token needs sent via requests parts sessiontoken validity verified making get checking response ok vs 401 unauthorized testfireapi excludepaths: https:demotestfirenetapilogout loginrequestbody: 3434username34:34username3434password34:34password34 34 loginrequesturl: https:demotestfirenetapilogin authorization: 34json:authorization34 technology: structure: openapi import explore prior active traffic passively scanned during apiurl: https:demotestfirenetswaggerpropertiesjson scan fit policies addon good opportunity leverage "
0 commit comments