NeuroSploit/use-cases/use-case-1/authenticated-testing-with-zap.md

Authenticated Vulnerability Testing with NeuroSploitv2 and OWASP ZAP

Table of Contents

1. Introduction
2. Overview of NeuroSploitv2
3. Understanding Authenticated Testing
4. OWASP ZAP Integration
5. Obtaining Session Cookies
6. Complete Setup Guide
7. Step-by-Step Workflow
8. Configuration Examples
9. Best Practices
10. Troubleshooting
11. Advanced Techniques

---

Introduction

This document provides a comprehensive guide on how to leverage NeuroSploitv2 for authenticated web application vulnerability testing using OWASP ZAP and session cookies. Authenticated testing is crucial for discovering vulnerabilities that only exist in protected areas of applications, such as:

• Insecure Direct Object References (IDOR)
• Broken Access Control
• Privilege Escalation
• Session Management Issues
• Authenticated API Vulnerabilities

---

Overview of NeuroSploitv2

What is NeuroSploitv2?

NeuroSploitv2 is an AI-powered penetration testing framework that:

• Orchestrates Security Tools: Uses AI agents to intelligently select and execute security tools
• Automates Workflows: Chains multiple tools together based on findings
• Generates Reports: Creates detailed HTML and JSON reports of vulnerabilities
• Supports Multiple LLMs: Works with Claude, GPT, Gemini, Ollama, and LM Studio
• Agent-Based Architecture: Specialized agents for different testing scenarios

Key Components

1. BaseAgent: Core agent class that orchestrates LLM interactions and tool execution
2. LLMManager: Manages multiple LLM providers and prompt templates
3. Tool Execution System: Safely executes external security tools
4. Reporting System: Generates comprehensive vulnerability reports

How AI Helps in Testing

The AI agent:

• Decides which tools to use based on the testing objective
• Interprets tool outputs and identifies vulnerabilities
• Adapts strategy based on findings
• Correlates multiple findings to identify complex vulnerabilities
• Generates actionable reports with remediation steps

---

Understanding Authenticated Testing

Why Authenticated Testing Matters

Most web applications have two security layers:

1. Unauthenticated Areas: Public-facing pages (homepage, login, public APIs)
2. Authenticated Areas: Protected areas requiring login (dashboards, user profiles, admin panels)

Critical vulnerabilities often exist only in authenticated areas:

• IDOR (Insecure Direct Object Reference): Accessing other users' data by manipulating IDs
• Broken Access Control: Accessing admin functions as regular user
• Privilege Escalation: Gaining higher privileges than intended
• Session Fixation: Manipulating session tokens
• CSRF in Authenticated Context: Cross-site request forgery in protected areas

What You Need for Authenticated Testing

1. Valid Credentials: Username and password (or API keys)
2. Session Cookie: Authentication token/session identifier
3. Target Endpoints: URLs of protected areas to test
4. Testing Tools: ZAP, SQLMap, or other authenticated scanners

---

OWASP ZAP Integration

Why OWASP ZAP?

OWASP ZAP (Zed Attack Proxy) is the perfect tool for authenticated testing because:

✅ 100% Free and Open Source
✅ Excellent CLI Support - Works seamlessly with NeuroSploitv2
✅ Strong Authentication Features - Supports multiple auth methods
✅ Comprehensive Scanning - Active and passive vulnerability scanning
✅ Session Management - Handles cookies and tokens automatically
✅ API Access - Full REST API for automation

ZAP Authentication Methods

ZAP supports several authentication methods:

1. Session Cookie Authentication (Our focus)

   • Uses existing session cookies
   • Simple and effective
   • Works with most web applications

2. Form-Based Authentication

   • Automatically logs in via forms
   • Handles CSRF tokens
   • Manages session lifecycle

3. HTTP Basic/Digest Authentication

   • For API endpoints
   • Header-based authentication

4. Script-Based Authentication

   • Custom authentication scripts
   • For complex authentication flows

---

Obtaining Session Cookies

Method 1: Browser Developer Tools (Easiest)

This is the most straightforward method for obtaining session cookies:

Step-by-Step Process:

1. Open Your Web Application

   Navigate to: https://your-webapp.com
   

2. Open Developer Tools

   • Chrome/Edge: Press F12 or Ctrl+Shift+I (Windows) / Cmd+Option+I (Mac)
   • Firefox: Press F12 or Ctrl+Shift+I (Windows) / Cmd+Option+I (Mac)
   • Safari: Enable Developer menu first, then Cmd+Option+I

3. Navigate to Application/Storage Tab

   • Chrome/Edge: Click "Application" tab → "Cookies" → Select your domain
   • Firefox: Click "Storage" tab → "Cookies" → Select your domain
   • Safari: Click "Storage" tab → "Cookies"

4. Log In to the Application

   • Enter your credentials
   • Complete the login process

5. Find the Session Cookie

   • Look for cookies with names like:
     • PHPSESSID (PHP applications)
     • JSESSIONID (Java applications)
     • sessionid (Django applications)
     • ASP.NET_SessionId (ASP.NET applications)
     • connect.sid (Express.js applications)
     • Custom session cookies (varies by application)

6. Copy the Cookie Value

   • Right-click on the cookie → Copy value
   • Or manually copy the "Value" column

Example Cookie Extraction:

Cookie Name: PHPSESSID
Cookie Value: a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6
Domain: .your-webapp.com
Path: /

Full Cookie String for ZAP:

PHPSESSID=a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6

Method 2: Browser Network Tab

1. Open Developer Tools → Network Tab
2. Log In to the application
3. Find the Login Request in the network log
4. Click on the Request → Headers Tab
5. Look for "Set-Cookie" in Response Headers
6. Copy the cookie value from the response

Method 3: Using curl/HTTPie

If you have login credentials, you can obtain cookies programmatically:

# Using curl
curl -c cookies.txt -X POST https://your-webapp.com/login \
  -d "username=testuser&password=testpass" \
  -H "Content-Type: application/x-www-form-urlencoded"

# View cookies
cat cookies.txt

# Extract session cookie
grep PHPSESSID cookies.txt

Method 4: Using Python requests

import requests

# Create session
session = requests.Session()

# Login
login_url = "https://your-webapp.com/login"
credentials = {
    "username": "testuser",
    "password": "testpass"
}

response = session.post(login_url, data=credentials)

# Extract session cookie
session_cookie = session.cookies.get('PHPSESSID')
print(f"Session Cookie: {session_cookie}")

# Or get all cookies as string
cookie_string = "; ".join([f"{name}={value}" for name, value in session.cookies.items()])
print(f"Cookie String: {cookie_string}")

Method 5: Browser Extensions

Use browser extensions to export cookies:

• Chrome: "EditThisCookie" or "Cookie-Editor"
• Firefox: "Cookie Quick Manager"

Method 6: Burp Suite / OWASP ZAP Proxy

1. Configure Browser Proxy to use ZAP (localhost:8080)
2. Browse and Log In through the proxy
3. View Requests in ZAP → Find login request
4. Extract Cookie from response headers

---

Complete Setup Guide

Prerequisites

1. Python 3.8+ installed
2. NeuroSploitv2 framework installed
3. OWASP ZAP installed
4. zap-cli (optional but recommended)

Step 1: Install OWASP ZAP

Option A: Download Standalone (Recommended)

# Download from official website
# https://www.zaproxy.org/download/

# Extract and note the installation path
# Example: /opt/zaproxy/ or ~/zaproxy/

Option B: Install via Package Manager

# Debian/Ubuntu
sudo apt-get update
sudo apt-get install zaproxy

# macOS (via Homebrew)
brew install --cask owasp-zap

# Verify installation
zap.sh --version

Step 2: Install zap-cli (Python Wrapper)

# Install zap-cli for easier command-line usage
pip install zapcli

# Verify installation
zap-cli --version

Step 3: Configure NeuroSploitv2

Edit config/config.json:

{
  "tools": {
    "nmap": "/usr/bin/nmap",
    "sqlmap": "/usr/bin/sqlmap",
    "subfinder": "/usr/local/bin/subfinder",
    "nuclei": "/usr/local/bin/nuclei",
    "zap": "/usr/bin/zap-cli",
    "zap_baseline": "/opt/zaproxy/zap-baseline.py"
  },
  "agent_roles": {
    "bug_bounty_hunter": {
      "enabled": true,
      "tools_allowed": [
        "subfinder",
        "nuclei",
        "zap",
        "sqlmap"
      ],
      "description": "Web application testing with authenticated ZAP scanning"
    },
    "owasp_expert": {
      "enabled": true,
      "tools_allowed": [
        "zap",
        "sqlmap"
      ],
      "description": "OWASP Top 10 assessment with authenticated ZAP"
    },
    "pentest_generalist": {
      "enabled": true,
      "tools_allowed": [
        "nmap",
        "subfinder",
        "nuclei",
        "zap",
        "sqlmap"
      ],
      "description": "Comprehensive testing with authenticated ZAP"
    }
  }
}

Note: Update the paths according to your installation:

• zap-cli is usually at /usr/local/bin/zap-cli or ~/.local/bin/zap-cli
• zap-baseline.py is in your ZAP installation directory

Step 4: Verify ZAP Installation

# Start ZAP daemon (required for zap-cli)
zap-cli start

# Test ZAP connection
zap-cli status

# Run a quick test scan
zap-cli quick-scan --start-options '-config api.disablekey=true' https://example.com

---

Step-by-Step Workflow

Workflow Overview

1. Obtain Session Cookie
   ↓
2. Start ZAP Daemon
   ↓
3. Configure NeuroSploitv2
   ↓
4. Run Authenticated Scan
   ↓
5. Analyze Results
   ↓
6. Generate Report

Detailed Steps

Step 1: Obtain Session Cookie

Use one of the methods described in Obtaining Session Cookies section.

Example Cookie:

PHPSESSID=a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6; csrf_token=xyz789abc

Step 2: Start ZAP Daemon

# Start ZAP in daemon mode (runs in background)
zap-cli start

# Verify ZAP is running
zap-cli status

Expected Output:

ZAP is running

Step 3: Prepare Your Test Command

You'll provide the session cookie and target information to NeuroSploitv2.

Step 4: Run Authenticated Scan

Option A: Interactive Mode (Recommended)

# Start NeuroSploitv2 in interactive mode
python neurosploit.py -i

# Run authenticated scan
> run_agent bug_bounty_hunter "Perform authenticated vulnerability scan on https://myapp.com. Session cookie: PHPSESSID=a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6. Test authenticated endpoints: /api/users, /admin/dashboard, /profile/settings. Focus on IDOR, privilege escalation, and broken access control vulnerabilities."

Option B: Command Line

python neurosploit.py \
  --agent-role bug_bounty_hunter \
  --input "Authenticated vulnerability scan on https://myapp.com. Session cookie: PHPSESSID=a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6. Test endpoints: /api/*, /admin/*, /user/profile"

Step 5: AI Agent Orchestration

The AI agent will:

1. Parse your request and extract:

   • Target URL
   • Session cookie
   • Endpoints to test

2. Generate ZAP commands:

   [TOOL] zap: quick-scan --cookie "PHPSESSID=a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6" https://myapp.com
   

3. Execute the scan and capture output

4. Analyze results and identify vulnerabilities

5. Generate comprehensive report

Step 6: Review Results

# View JSON results
cat results/campaign_*.json

# View HTML report
open reports/report_*.html  # macOS
xdg-open reports/report_*.html  # Linux

---

Configuration Examples

Example 1: Basic Authenticated Scan

Scenario: Test a web application with a simple session cookie

Cookie: PHPSESSID=abc123xyz789

Command:

python neurosploit.py \
  --agent-role bug_bounty_hunter \
  --input "Authenticated scan on https://myapp.com with session cookie PHPSESSID=abc123xyz789"

What Happens:

• AI starts ZAP daemon (if not running)
• Configures ZAP with session cookie
• Runs spider scan to discover authenticated endpoints
• Performs active vulnerability scanning
• Analyzes results and generates report

Example 2: Multiple Cookies

Scenario: Application uses multiple cookies (session + CSRF token)

Cookies:

PHPSESSID=abc123xyz789; csrf_token=def456uvw012; user_pref=theme=dark

Command:

python neurosploit.py \
  --agent-role owasp_expert \
  --input "OWASP Top 10 scan on https://myapp.com. Cookies: PHPSESSID=abc123xyz789; csrf_token=def456uvw012. Test authenticated areas for injection, broken auth, and sensitive data exposure."

Example 3: Specific Endpoint Testing

Scenario: Test specific authenticated endpoints

Command:

python neurosploit.py -i

> run_agent bug_bounty_hunter "Test authenticated API endpoints on https://api.myapp.com. Session cookie: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9. Test endpoints: /api/v1/users, /api/v1/admin/settings, /api/v1/profile. Look for IDOR, broken access control, and API authentication bypass."

Example 4: Complete Authenticated Assessment

Scenario: Comprehensive authenticated penetration test

Command:

python neurosploit.py \
  --agent-role pentest_generalist \
  --input "Comprehensive authenticated penetration test on https://myapp.com. Authentication: Session cookie PHPSESSID=abc123xyz789. Scope: All authenticated endpoints. Focus areas: 1) IDOR vulnerabilities in user profiles and API endpoints, 2) Privilege escalation in admin functions, 3) Broken access control in /admin/* paths, 4) Session management issues, 5) CSRF in authenticated forms. Use ZAP for automated scanning and provide detailed exploitation steps for each finding."

Example 5: Form-Based Authentication (Alternative)

If you prefer form-based authentication instead of cookies:

Command:

python neurosploit.py \
  --agent-role bug_bounty_hunter \
  --input "Authenticated scan on https://myapp.com using form authentication. Login URL: https://myapp.com/login, Username: testuser, Password: testpass123. Test authenticated endpoints for vulnerabilities."

Note: The AI will need to configure ZAP context for form-based auth, which requires additional setup.

---

Best Practices

1. Cookie Management

✅ Do:

• Use fresh session cookies (obtain right before testing)
• Include all relevant cookies (session, CSRF, etc.)
• Verify cookie validity before scanning
• Document cookie expiration time

❌ Don't:

• Use expired cookies
• Share cookies between different test sessions
• Use cookies from production in test environments

2. Scope Definition

✅ Clearly define:

• Target URLs and endpoints
• Authentication requirements
• Testing boundaries
• Sensitive areas to avoid

Example:

"Test https://myapp.com with cookie PHPSESSID=abc123. 
Scope: /api/*, /user/*, /dashboard/*. 
Exclude: /admin/delete, /admin/export (destructive operations)"

3. Session Validity

• Check cookie expiration: Some cookies expire quickly
• Refresh if needed: Re-authenticate if scan takes long
• Monitor session: Watch for session timeout during scanning

4. Rate Limiting

• Respect rate limits: Don't overwhelm the application
• Use delays: Configure ZAP to add delays between requests
• Monitor responses: Watch for 429 (Too Many Requests) errors

5. Security Considerations

⚠️ Important:

• Only test applications you own or have permission to test
• Use test/staging environments when possible
• Don't perform destructive testing without authorization
• Follow responsible disclosure for vulnerabilities

6. Tool Configuration

ZAP Configuration Tips:

# Start ZAP with custom options
zap-cli start --start-options '-config api.disablekey=true -config scanner.attackOnStart=true'

# Configure scan policy
zap-cli policy set-strength High
zap-cli policy set-threshold Medium

7. Report Analysis

• Review AI-generated findings carefully
• Verify false positives manually
• Prioritize vulnerabilities by severity
• Document exploitation steps for critical findings

---

Troubleshooting

Issue 1: ZAP Not Starting

Symptoms:

Error: Cannot connect to ZAP

Solutions:

# Check if ZAP is running
zap-cli status

# Start ZAP manually
zap-cli start

# Check ZAP port (default: 8080)
netstat -an | grep 8080

# Kill existing ZAP processes
pkill -f zap
zap-cli start

Issue 2: Invalid Session Cookie

Symptoms:

401 Unauthorized
403 Forbidden
Redirected to login page

Solutions:

• Re-obtain cookie: Get a fresh session cookie
• Check cookie format: Ensure proper format (name=value)
• Verify cookie validity: Test cookie in browser first
• Include all cookies: Some apps need multiple cookies

Issue 3: Cookie Expired During Scan

Symptoms:

Scan starts successfully but fails mid-way

Solutions:

• Use longer-lived sessions: Configure app for longer session timeout
• Refresh cookie: Re-authenticate and update cookie
• Use form-based auth: Let ZAP handle authentication automatically

Issue 4: ZAP Timeout

Symptoms:

[ERROR] Tool execution timeout after 60 seconds

Solutions:

• Increase timeout: Modify base_agent.py timeout (default: 60s)
• Use baseline scan: Faster than full active scan
• Scan smaller scope: Test fewer endpoints at once

Issue 5: AI Not Using ZAP

Symptoms:

AI doesn't generate [TOOL] zap commands

Solutions:

• Check tools_allowed: Ensure "zap" is in agent's tools_allowed list
• Be explicit: Mention "Use ZAP" in your input
• Check tool path: Verify ZAP path in config.json is correct

Issue 6: Cookie Not Working in ZAP

Symptoms:

ZAP scan runs but finds no authenticated endpoints

Solutions:

# Test cookie manually first
curl -H "Cookie: PHPSESSID=abc123" https://myapp.com/api/users

# Verify ZAP is using cookie
zap-cli context list
zap-cli context info <context-name>

# Check ZAP session
zap-cli session list

---

Advanced Techniques

Technique 1: Context-Based Authentication

Create a ZAP context for better authentication management:

# Create context file (auth_context.json)
cat > auth_context.json << EOF
{
  "context": {
    "name": "WebApp",
    "urls": ["https://myapp.com"],
    "authentication": {
      "method": "manual",
      "loggedInIndicator": "Logout"
    }
  }
}
EOF

# Import context
zap-cli context import auth_context.json

# Use context in scan
zap-cli quick-scan --context WebApp --cookie "PHPSESSID=abc123" https://myapp.com

Technique 2: Multi-Step Authentication

For complex authentication flows:

// Create auth script (auth_script.js)
var loginUrl = "https://myapp.com/login";
var step1Data = "username=testuser";
var step2Data = "password=testpass&otp=123456";

// Step 1: Submit username
var request1 = new org.parosproxy.paros.network.HttpMessage();
// ... configure request1 ...

// Step 2: Submit password + OTP
var request2 = new org.parosproxy.paros.network.HttpMessage();
// ... configure request2 ...

// Extract session cookie
var sessionCookie = response.getResponseHeader().getHeader("Set-Cookie");

Technique 3: Automated Cookie Refresh

Create a script to refresh cookies during long scans:

import requests
import time

def refresh_session_cookie(login_url, credentials):
    """Refresh session cookie"""
    session = requests.Session()
    response = session.post(login_url, data=credentials)
    return session.cookies.get('PHPSESSID')

# Use in long-running scans
while scan_running:
    cookie = refresh_session_cookie(login_url, credentials)
    # Update ZAP with new cookie
    time.sleep(3600)  # Refresh every hour

Technique 4: Custom ZAP Scripts

Create custom ZAP scripts for specific testing:

# Load custom script
zap-cli script load custom_auth.js

# Use in scan
zap-cli quick-scan --script custom_auth.js https://myapp.com

Technique 5: Integration with Other Tools

Combine ZAP with other tools for comprehensive testing:

# ZAP for authenticated scanning
zap-cli quick-scan --cookie "PHPSESSID=abc123" https://myapp.com

# SQLMap for authenticated SQL injection testing
sqlmap -u "https://myapp.com/api/users?id=1" --cookie="PHPSESSID=abc123" --batch

# Nuclei for authenticated template scanning
nuclei -u https://myapp.com -H "Cookie: PHPSESSID=abc123" -t ~/nuclei-templates/

---

Example: Complete Authenticated Test Scenario

Scenario: E-Commerce Application

Application: https://shop.example.com
Authentication: Session cookie
Test Scope: User dashboard, order history, profile settings

Step 1: Obtain Session Cookie

# Using browser:
# 1. Open https://shop.example.com
# 2. Login with test credentials
# 3. Open DevTools → Application → Cookies
# 4. Copy: session_id=abc123xyz789

Step 2: Configure NeuroSploitv2

{
  "agent_roles": {
    "bug_bounty_hunter": {
      "tools_allowed": ["zap", "sqlmap", "nuclei"]
    }
  }
}

Step 3: Run Authenticated Scan

python neurosploit.py -i

> run_agent bug_bounty_hunter "Perform authenticated vulnerability assessment on https://shop.example.com. Session cookie: session_id=abc123xyz789. Test endpoints: /dashboard, /orders, /profile, /api/user/*. Focus on: 1) IDOR in order history (accessing other users' orders), 2) Broken access control in profile settings, 3) SQL injection in search functionality, 4) XSS in user comments, 5) CSRF in order cancellation. Provide detailed exploitation steps for each vulnerability found."

Step 4: AI Agent Execution

The AI will:

1. Start ZAP daemon
2. Configure ZAP with session cookie
3. Spider authenticated areas
4. Perform active vulnerability scanning
5. Test for IDOR, broken access control, etc.
6. Generate comprehensive report

Step 5: Review Findings

# View report
open reports/report_*.html

# Expected findings might include:
# - IDOR: /api/orders/{id} allows accessing other users' orders
# - Broken Access Control: Regular users can access admin endpoints
# - SQL Injection: Search parameter vulnerable to SQLi
# - XSS: User comments reflect user input without sanitization

---

Summary

This guide has covered:

✅ NeuroSploitv2 Overview: Understanding the AI-powered framework
✅ Authenticated Testing: Why it's crucial for security testing
✅ OWASP ZAP Integration: How to use ZAP for authenticated scanning
✅ Session Cookie Extraction: Multiple methods to obtain cookies
✅ Complete Setup: Step-by-step installation and configuration
✅ Workflow: Detailed process for authenticated testing
✅ Best Practices: Security and testing guidelines
✅ Troubleshooting: Common issues and solutions
✅ Advanced Techniques: Power-user tips and tricks

Key Takeaways

1. Session cookies are essential for authenticated testing
2. ZAP is a powerful free alternative to Burp Suite Professional
3. NeuroSploitv2 AI orchestrates the entire testing process
4. Multiple cookie extraction methods are available
5. Proper configuration ensures successful scans

Next Steps

1. Install and configure ZAP
2. Update NeuroSploitv2 configuration
3. Obtain a session cookie from your test application
4. Run your first authenticated scan
5. Review and analyze the results

---

Additional Resources

• OWASP ZAP Documentation: https://www.zaproxy.org/docs/
• ZAP CLI Documentation: https://github.com/Grunny/zap-cli
• NeuroSploitv2 GitHub: [Repository URL]
• OWASP Testing Guide: https://owasp.org/www-project-web-security-testing-guide/

---

Appendix: Quick Reference

Common ZAP Commands

# Start ZAP
zap-cli start

# Status check
zap-cli status

# Quick scan with cookie
zap-cli quick-scan --cookie "PHPSESSID=abc123" https://example.com

# Active scan with cookie
zap-cli active-scan --cookie "PHPSESSID=abc123" https://example.com

# Spider with cookie
zap-cli spider --cookie "PHPSESSID=abc123" https://example.com

# Generate report
zap-cli report -o report.html -f html

# Stop ZAP
zap-cli shutdown

Cookie Format Examples

# Single cookie
PHPSESSID=abc123xyz789

# Multiple cookies
PHPSESSID=abc123xyz789; csrf_token=def456uvw012

# With path
session_id=abc123; Path=/; Domain=.example.com

NeuroSploitv2 Command Templates

# Basic authenticated scan
python neurosploit.py --agent-role bug_bounty_hunter \
  --input "Authenticated scan on {URL} with cookie {COOKIE}"

# OWASP Top 10 focused
python neurosploit.py --agent-role owasp_expert \
  --input "OWASP Top 10 scan on {URL} with cookie {COOKIE}"

# Comprehensive test
python neurosploit.py --agent-role pentest_generalist \
  --input "Full authenticated penetration test on {URL} with cookie {COOKIE}"

---

Document Version: 1.0
Last Updated: 2024
Author: NeuroSploitv2 Documentation Team