I came across an interesting problem. We needed to test a website with tools that we already had, and OWASP ZAP was our standard test tool.
Problem: The site used NTLM authentication, and OWASP ZAP could not get past it, so the automated attack got nowhere.
Solution:
Chain proxies! You can point OWASP ZAP at Burp Suite as an upstream proxy and let Burp do the NTLM authentication for every request coming from ZAP.
How To:
1) Fire up Burp Suite (Free Edition)
2) (optional) Change the proxy port Burp Suite is listening on
- Click on Proxy
- Turn INTERCEPT off
- Click on Options
- Highlight the proxy listener and hit Edit
- Change the proxy port (I used 8081) and click OK
- Tick the “Running” checkbox to start the listener
3) Enable Authentication
- Click on the top-level Options tab (Connections), Platform Authentication section
- Check “Do platform authentication”
- Check “Prompt for credentials on platform authentication failure”
- If you already know the credentials, you can instead add them to the table here (destination host, type NTLMv2, username, password, domain) so Burp never needs to prompt
4) Test using a browser
- Point the browser at the Burp Suite proxy (localhost:8081)
- Browse to protected site
- Switch BACK to Burp Suite; it will have popped up a credentials prompt
- Fill in the domain, username and password, and hit OK
- Switch BACK to the browser, and you should be authenticated
NOTE: You can also test with curl. Point it at Burp through the proxy environment variables and request the protected site:
export http_proxy="http://localhost:8081"
export https_proxy=$http_proxy
curl -v http://www.ntlm_protected_site.com
If Burp has the credentials, the page comes back. A 401 in the -v output means Burp did not authenticate (check the platform authentication settings), and “Connection refused” means nothing is listening on the port you configured. For an https URL, curl will additionally reject Burp's certificate unless you trust Burp's CA or pass -k.
Now for OWASP ZAP:
1) Start it up
2) Go into TOOLS -> Options (CTRL + ALT + O)
3) Click Connection
- Check “Use an outgoing proxy server”
- Fill in Address/Domain Name: localhost
- Fill in port: 8081
4) Press OK
And you should be good. Every request ZAP sends now goes through Burp, which handles the NTLM handshake, so you can run a Quick Start scan or use ZAP as you normally would: pick a site, right-click and choose “Attack”.
Hope this helps someone!
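Before pointing ZAP at Burp, it is worth checking the chain from a script, the same way the curl note above does, because the three ways it can fail look very different. The script below is an added example and not part of the original post. It assumes Burp listens on localhost:8081 as described; the two little HTTP servers in it are constructed stand-ins for Burp (one that never authenticates and just passes the site's 401 back, one that does), and the port with nothing listening on it stands in for a Burp listener that is not Running, so the demo runs offline. The hostname www.ntlm_protected_site.com is the placeholder from the post and is never resolved; the proxy receives it in the request line.

```python
"""Probe a ZAP -> Burp -> site proxy chain and classify the outcome.

Added example, not code from the original post. The stub servers below are
constructed stand-ins for Burp's listener so the demo can run offline.
"""
import http.client
import socket
import threading
import urllib.parse
from http.server import BaseHTTPRequestHandler, HTTPServer


def probe(proxy_host, proxy_port, target_url, timeout=3):
    """Send one GET for target_url through the proxy and classify the result.

    Returns:
      "refused"  - nothing accepted the connection on proxy_host:proxy_port
                   (listener not Running, wrong port, or bound to another address)
      "unauth"   - the site still answered 401, so the proxy did not complete
                   the NTLM handshake (platform authentication off, or bad creds)
      "ok"       - a 2xx came back: the proxy authenticated on our behalf
      "http NNN" - any other status, for the operator to look at
      "error"    - some other network failure (timeout, reset, ...)
    Only http:// targets are handled; an https:// target would need a CONNECT
    tunnel and trust in Burp's CA certificate.
    """
    host = urllib.parse.urlsplit(target_url).hostname
    conn = http.client.HTTPConnection(proxy_host, proxy_port, timeout=timeout)
    try:
        # A proxied request carries the absolute URL in the request line
        # ("GET http://site/ HTTP/1.1"); this is how ZAP talks to Burp once chained.
        conn.request("GET", target_url, headers={"Host": host})
        resp = conn.getresponse()
        resp.read()
        if 200 <= resp.status < 300:
            return "ok"
        if resp.status == 401:
            return "unauth"
        return "http %d" % resp.status
    except ConnectionRefusedError:
        return "refused"
    except (OSError, http.client.HTTPException):
        return "error"
    finally:
        conn.close()


class _StubProxy(BaseHTTPRequestHandler):
    """Constructed stand-in for Burp: answers every request with one fixed status."""

    def do_GET(self):
        status = self.server.status
        self.send_response(status)
        if status == 401:
            # What an NTLM-protected site sends back when nobody answers the challenge.
            self.send_header("WWW-Authenticate", "NTLM")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):
        pass  # keep the demo output quiet


def _start_stub(status):
    srv = HTTPServer(("127.0.0.1", 0), _StubProxy)
    srv.status = status
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def _closed_port():
    """A port with nothing listening on it: the 'Burp listener not Running' case."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo():
    """Run the three outcomes a tester meets when chaining ZAP -> Burp -> site."""
    target = "http://www.ntlm_protected_site.com/"  # placeholder host from the post
    results = {"burp_not_listening": probe("127.0.0.1", _closed_port(), target)}
    for name, status in (("burp_not_authenticating", 401), ("burp_authenticating", 200)):
        srv = _start_stub(status)
        try:
            results[name] = probe("127.0.0.1", srv.server_address[1], target)
        finally:
            srv.shutdown()
            srv.server_close()
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print("%-25s %s" % (name, verdict))
```

Against a real Burp, call `probe("localhost", 8081, "http://www.ntlm_protected_site.com/")` with the real site's URL; "refused" points at the listener settings in step 2, "unauth" at the platform authentication settings in step 3, and only "ok" means ZAP's scan will get authenticated responses.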
Thanks for the post. It is very useful.
I tried all the steps you have mentioned, and it does exactly what you have mentioned for Burp Suite. But I am getting a “Connection refused” message in the OWASP ZAP tool when I click the Attack button.
I did exactly as you have written in your steps.
Is there anything else which I should be doing?