I have noticed that DAST AUTH is not waiting for the whole page to finish loading. This is visible in the dast-auth-report: the page screenshot shows a spinner instead of the actual login form.
My Angular code does a bunch of things after the first call is completed, which can be seen on the network tab, such as downloading CSS, JS, fonts and index.html. Only once all of these are loaded does the spinner stop and the form load.
How do I get DAST AUTH to wait for the whole page to load, with all the child calls complete, before looking for elements in the DOM?
```yaml
dast:
  variables:
    DAST_WEBSITE: "https://example.com"
    DAST_BROWSER_SCAN: "true"
    DAST_AUTH_URL: "example.com/signin/login"
    DAST_USERNAME_FIELD: "id:[id=username]"
    DAST_PASSWORD_FIELD: "id:[id=password]"
    DAST_SUBMIT_FIELD: "id:button[id=signinbutton]"
    DAST_AUTH_REPORT: "true"
    DAST_BROWSER_ACTION_STABILITY_TIMEOUT: 20s
    DAST_BROWSER_DOM_READY_AFTER_TIMEOUT: 20s
```
Further details from DEBUG logs.
zap_server is invoking all the child URLs through a series of findAndAddChild Sites calls. Where I feel things are going wrong is that there are approximately 20-odd calls that need to happen before the login form is successfully loaded, but it looks like the job only waits an arbitrary 5 seconds before trying to get the HTML elements from the form. I can see that the findAndAddChild calls are still going on in the DEBUG logs even after the "login attempt failed" error, which explains why I am seeing the spinner in the auth debug report: the page hasn't really finished loading.
Log snippet:
```text
[zap_server] 14702 [ZAP-IO-EventExecutor-3-3] DEBUG org.parosproxy.paros.model.SiteMap - findChild Sites / https://example.com
[zap_server] 14703 [ZAP-IO-EventExecutor-3-3] DEBUG org.parosproxy.paros.model.SiteMap - findChild https://example.com / GET:backgroundImage..jpg
[zap_server] 14714 [ZAP-IO-EventExecutor-3-2] DEBUG org.parosproxy.paros.model.SiteMap - findChild Sites / https://example.com
[zap_server] 14715 [ZAP-IO-EventExecutor-3-2] DEBUG org.parosproxy.paros.model.SiteMap - findChild https://example.com / assets
[zap_server] 14724 [Thread-20] DEBUG org.parosproxy.paros.model.SiteMap - addPath https://example.com/backgroundImage..jpg
[zap_server] 14724 [Thread-20] DEBUG org.parosproxy.paros.model.SiteMap - findAndA
2024-02-15T09:16:42.628 INF AUTH login attempt failed error="authentication failed: unable to find elements with selector: css:[name=username]"
2024-02-15T09:16:42.628 INF AUTH writing authentication report path="/zap/wrk/gl-dast-debug-auth-report.html"
2024-02-15T09:16:42.858 INF AUTH skipping writing of JSON cookie report as there are no cookies to write
2024-02-15T09:16:42.923 FTL MAIN failed to initialize authentication runner: authentication failed: unable to find elements with selector: css:[name=username]
2024-02-15 09:16:42,931 Browserker completed with exit code 1
2024-02-15 09:16:42,931 BrowserkerError: Failure while running Browserker 1.Exiting scan
ddChild Sites / https://example.com
[zap_server] 14724 [Thread-20] DEBUG org.parosproxy.paros.model.SiteMap - findChild Sites / https://example.com
[zap_server] 14725 [Thread-20] DEBUG org.parosproxy.paros.model.SiteMap - findAndAddLeaf https://example.com / backgroundImage.jpg
[zap_server] 14726 [Thread-20] DEBUG org.parosproxy.paros.model.SiteMap - findChild https://example.com / GET:backgroundImage.jpg
[zap_server] 14740 [ZAP-IO-EventExecutor-3-3] DEBUG org.parosproxy.paros.model.SiteMap - findChild Sites / https://example.com
[zap_server] 14741 [ZAP-IO-EventExecutor-3-3] DEBUG org.parosproxy.paros.model.SiteMap - findChild https://example.com / GET:Font-Bold.woff
Running after_script
```
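The two timeouts in the posted job only stretch a fixed delay; they do not tell the analyzer what "loaded" means for an SPA whose form appears after a chain of asset requests. The following job is an added example, not part of the original post and not GitLab's own code. It assumes the spinner element and the login form carry the hypothetical ids `loading-spinner` and `username`, that the credentials are stored as masked project CI/CD variables (`DAST_LOGIN_USER`, `DAST_LOGIN_PASS`, both assumed names), and that the browser-based analyzer's page-readiness selectors `DAST_BROWSER_PAGE_LOADING_SELECTOR` / `DAST_BROWSER_PAGE_READY_SELECTOR` are honoured during the authentication step in your GitLab version. Verify those variable names and their auth-time behaviour against the DAST documentation for the release you run; they are mutually exclusive, so set only one of them.

```yaml
# Added example: selector-based page readiness instead of a fixed delay.
# Variable availability and auth-time behaviour are assumptions; check the
# DAST docs for your GitLab release before relying on this.
dast:
  variables:
    DAST_WEBSITE: "https://example.com"
    DAST_BROWSER_SCAN: "true"
    # Give the auth URL a scheme so it is not treated as a relative path.
    DAST_AUTH_URL: "https://example.com/signin/login"
    # Credentials come from masked project CI/CD variables (assumed names).
    DAST_USERNAME: "$DAST_LOGIN_USER"
    DAST_PASSWORD: "$DAST_LOGIN_PASS"
    # Plain CSS selectors for the form fields (ids are assumed).
    DAST_USERNAME_FIELD: "css:#username"
    DAST_PASSWORD_FIELD: "css:#password"
    DAST_SUBMIT_FIELD: "css:#signinbutton"
    DAST_AUTH_REPORT: "true"

    # Option A: wait until the spinner is no longer visible.
    # Cannot be combined with DAST_BROWSER_PAGE_READY_SELECTOR.
    DAST_BROWSER_PAGE_LOADING_SELECTOR: "css:#loading-spinner"

    # Option B (use instead of A): wait until the form itself is visible.
    # DAST_BROWSER_PAGE_READY_SELECTOR: "css:#username"

    # Keep generous stability timeouts as a backstop for the asset chain,
    # but the selector above is what makes the wait deterministic.
    DAST_BROWSER_ACTION_STABILITY_TIMEOUT: 20s
    DAST_BROWSER_DOM_READY_AFTER_TIMEOUT: 20s
    DAST_BROWSER_NAVIGATION_STABILITY_TIMEOUT: 20s
```

After the change, re-run with `DAST_AUTH_REPORT: "true"` and confirm that the screenshot in `gl-dast-debug-auth-report.html` shows the rendered form rather than the spinner; if the login still fails, compare the selector quoted in the `AUTH login attempt failed` line against the one in the job, since the posted log reports `css:[name=username]` while the posted job sets `id:[id=username]`, which suggests the two came from different runs.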