zaproxy: AuthScheme is null while proxying NTLM authentication requests

Describe the bug

Hi, I just upgraded ZAP to v2.12 and started to get this error whenever I log in to my application with Zap proxy enabled.

My application is using NTLM authentication and HTTP-based authentication session Management, right after I enter my valid credentials I get the following error.

image

Steps to reproduce the behavior

  • Enable ZAP proxy and Windows proxy configuration.
  • Go to the application URL.
  • Enter application credentials.
  • The error shows up on the browser response and log file.

Expected behavior

I should be able to login to my application with ZAP proxy enabled

Software versions

OWASP ZAP 2.12.0

Screenshots

No response

Errors from the zap.log file

2023-01-11 05:30:29,712 [ZAP-IO-Server-1-4] WARN  HttpSenderApache - An error occurred while sending the request:
java.lang.IllegalStateException: AuthScheme is null
	at org.apache.hc.core5.util.Asserts.notNull(Asserts.java:56) ~[?:?]
	at org.apache.hc.client5.http.impl.auth.HttpAuthenticator.updateAuthState(HttpAuthenticator.java:216) ~[?:?]
	at org.apache.hc.client5.http.impl.classic.ZapProtocolExec.needAuthentication(ZapProtocolExec.java:276) ~[?:?]
	at org.apache.hc.client5.http.impl.classic.ZapProtocolExec.execute(ZapProtocolExec.java:188) ~[?:?]
	at org.apache.hc.client5.http.impl.classic.ExecChainElement.execute(ExecChainElement.java:51) ~[?:?]
	at org.apache.hc.client5.http.impl.classic.ZapHttpRequestRetryExec.execute(ZapHttpRequestRetryExec.java:81) ~[?:?]
	at org.apache.hc.client5.http.impl.classic.ExecChainElement.execute(ExecChainElement.java:51) ~[?:?]
	at org.apache.hc.client5.http.impl.classic.ZapInternalHttpClient.doExecute(ZapInternalHttpClient.java:158) ~[?:?]
	at org.apache.hc.client5.http.impl.classic.CloseableHttpClient.execute(CloseableHttpClient.java:245) ~[?:?]
	at org.apache.hc.client5.http.impl.classic.CloseableHttpClient.execute(CloseableHttpClient.java:188) ~[?:?]
	at org.zaproxy.addon.network.internal.client.apachev5.HttpSenderApache.sendImpl0(HttpSenderApache.java:481) ~[?:?]
	at org.zaproxy.addon.network.internal.client.apachev5.HttpSenderApache.sendImpl(HttpSenderApache.java:362) ~[?:?]
	at org.zaproxy.addon.network.internal.client.apachev5.HttpSenderApache.sendImpl(HttpSenderApache.java:116) ~[?:?]
	at org.zaproxy.addon.network.internal.client.BaseHttpSender.sendAuthenticated(BaseHttpSender.java:363) ~[?:?]
	at org.zaproxy.addon.network.internal.client.BaseHttpSender.sendNoRedirections(BaseHttpSender.java:331) ~[?:?]
	at org.zaproxy.addon.network.internal.client.BaseHttpSender.send(BaseHttpSender.java:287) ~[?:?]
	at org.zaproxy.addon.network.internal.client.BaseHttpSender.sendAndReceive(BaseHttpSender.java:258) ~[?:?]
	at org.zaproxy.addon.network.internal.client.BaseHttpSender.sendAndReceive(BaseHttpSender.java:63) ~[?:?]
	at org.parosproxy.paros.network.HttpSender.sendAndReceive(HttpSender.java:303) ~[zap-2.12.0.jar:2.12.0]
	at org.zaproxy.addon.network.internal.server.http.handlers.HttpSenderHandler.handleMessage(HttpSenderHandler.java:78) ~[?:?]
	at org.zaproxy.addon.network.internal.server.http.MainServerHandler.notifyMessageHandlers(MainServerHandler.java:147) ~[?:?]
	at org.zaproxy.addon.network.internal.server.http.MainServerHandler.processMessage(MainServerHandler.java:129) ~[?:?]
	at org.zaproxy.addon.network.internal.server.http.LocalServerHandler.processMessage(LocalServerHandler.java:66) ~[?:?]
	at org.zaproxy.addon.network.internal.server.http.MainServerHandler.process(MainServerHandler.java:94) ~[?:?]
	at org.zaproxy.addon.network.internal.server.http.MainServerHandler.lambda$channelRead0$0(MainServerHandler.java:82) ~[?:?]
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136) ~[?:?]
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635) ~[?:?]
	at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30) ~[?:?]
	at java.lang.Thread.run(Thread.java:833) ~[?:?]

Additional context

No response

Would you like to help fix this issue?

  • Yes

About this issue

  • Original URL
  • State: open
  • Created a year ago
  • Comments: 30 (15 by maintainers)

Most upvoted comments

Thank you for looking into this. It’s a simple demo project for an ASP.NET Core Web API. Make sure you run it targeting IIS Express to get the Windows authentication features working.

WindowsAuth.zip

Our team have spent hours trying to get ZAP working last week and we are running into the exact same issue. It does not seem to pass an authentication token through when connecting through the proxy.

I have actually noticed that there are two errors in the history when trying to visit an app that requires Windows Auth.

The first error is the regular 401 Unauthorised that you would expect IIS to return if you were not passing through NTLM authentication details:

image

You will notice here that the outgoing request has no Authorization header:

GET http://localhost:28864/api/User/GetCurrentUser HTTP/1.1
host: localhost:28864
Proxy-Connection: keep-alive
sec-ch-ua: "Google Chrome";v="119", "Chromium";v="119", "Not?A_Brand";v="24"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8

The next error that gets triggered is a 502 Bad Gateway which is the error that everybody else here is reporting:

image

Currently I am demonstrating the problem above on a development laptop running Visual Studio. You could replicate it by spinning up any web application in Visual Studio that requires Windows authentication and then attempting to navigate to one of its pages through ZAP.

I also have this same problem when I publish the app and host it in IIS (and have a set up similar to the person above me)
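The two-step failure this comment describes (an Authorization-less first request, a 401 NTLM/Negotiate challenge from IIS, then a 502 from the proxy), as an added example that is not part of the issue or of the ZAP code base: a small Python check that classifies a proxied request/response pair. The sample messages are constructed and trimmed, not real captures.

```python
# Added example (not code from the ZAP issue or the ZAP project): classify one
# proxied request/response pair according to the failure pattern described above.
from __future__ import annotations

def parse_head(raw: str) -> tuple[str, dict[str, str]]:
    """Split a raw HTTP message head into (start line, lowercased header map).
    Repeated headers (IIS sends two WWW-Authenticate lines) are joined with ', '."""
    lines = [ln for ln in raw.strip().splitlines() if ln.strip()]
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        key, val = name.strip().lower(), value.strip()
        headers[key] = f"{headers[key]}, {val}" if key in headers else val
    return lines[0], headers

def classify(request: str, response: str) -> str:
    """Return which leg of the NTLM exchange this request/response pair represents."""
    _, req = parse_head(request)
    start, resp = parse_head(response)
    code = int(start.split()[1])
    challenge = resp.get("www-authenticate", "").upper()
    is_ntlm = "NTLM" in challenge or "NEGOTIATE" in challenge
    if code == 401 and is_ntlm and "authorization" not in req:
        return "ntlm-challenge"   # normal first leg: the server asks for NTLM
    if code == 502:
        return "proxy-failed"     # the proxy gave up instead of finishing the handshake
    if code == 200 and req.get("authorization", "").upper().startswith("NTLM"):
        return "authenticated"    # final leg accepted by the server
    return "other"

# Constructed samples modelled on the exchange in the comment (not real captures).
REQUEST = """GET /api/User/GetCurrentUser HTTP/1.1
Host: localhost:28864
User-Agent: example-browser/1.0
Accept: text/html"""

CHALLENGE = """HTTP/1.1 401 Unauthorized
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
Content-Length: 0"""

PROXY_ERROR = """HTTP/1.1 502 Bad Gateway
Content-Type: text/html;charset=utf-8"""

if __name__ == "__main__":
    print(classify(REQUEST, CHALLENGE))    # ntlm-challenge
    print(classify(REQUEST, PROXY_ERROR))  # proxy-failed
```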

Sure:

ZAP Error [java.io.IOException]: java.lang.IllegalStateException: AuthScheme is null

Stack Trace:
java.lang.IllegalStateException: AuthScheme is null
	at org.apache.hc.core5.util.Asserts.notNull(Asserts.java:56)
	at org.apache.hc.client5.http.impl.auth.HttpAuthenticator.updateAuthState(HttpAuthenticator.java:216)
	at org.apache.hc.client5.http.impl.classic.ZapProtocolExec.needAuthentication(ZapProtocolExec.java:276)
	at org.apache.hc.client5.http.impl.classic.ZapProtocolExec.execute(ZapProtocolExec.java:188)
	at org.apache.hc.client5.http.impl.classic.ExecChainElement.execute(ExecChainElement.java:51)
	at org.apache.hc.client5.http.impl.classic.ZapHttpRequestRetryExec.execute(ZapHttpRequestRetryExec.java:81)
	at org.apache.hc.client5.http.impl.classic.ExecChainElement.execute(ExecChainElement.java:51)
	at org.apache.hc.client5.http.impl.classic.ZapInternalHttpClient.doExecute(ZapInternalHttpClient.java:173)
	at org.apache.hc.client5.http.impl.classic.CloseableHttpClient.execute(CloseableHttpClient.java:245)
	at org.apache.hc.client5.http.impl.classic.CloseableHttpClient.execute(CloseableHttpClient.java:188)
	at org.zaproxy.addon.network.internal.client.apachev5.HttpSenderApache.sendImpl0(HttpSenderApache.java:481)
	at org.zaproxy.addon.network.internal.client.apachev5.HttpSenderApache.sendImpl(HttpSenderApache.java:362)
 [wrapped] java.io.IOException: java.lang.IllegalStateException: AuthScheme is null
	at org.zaproxy.addon.network.internal.client.apachev5.HttpSenderApache.sendImpl(HttpSenderApache.java:374)
	at org.zaproxy.addon.network.internal.client.apachev5.HttpSenderApache.sendImpl(HttpSenderApache.java:116)
	at org.zaproxy.addon.network.internal.client.BaseHttpSender.sendAuthenticated(BaseHttpSender.java:363)
	at org.zaproxy.addon.network.internal.client.BaseHttpSender.sendNoRedirections(BaseHttpSender.java:331)
	at org.zaproxy.addon.network.internal.client.BaseHttpSender.send(BaseHttpSender.java:287)
	at org.zaproxy.addon.network.internal.client.BaseHttpSender.sendAndReceive(BaseHttpSender.java:258)
	at org.zaproxy.addon.network.internal.client.BaseHttpSender.sendAndReceive(BaseHttpSender.java:63)
	at org.parosproxy.paros.network.HttpSender.sendAndReceive(HttpSender.java:303)
	at org.zaproxy.addon.network.internal.server.http.handlers.HttpSenderHandler.handleMessage(HttpSenderHandler.java:78)
	at org.zaproxy.addon.network.internal.server.http.MainServerHandler.notifyMessageHandlers(MainServerHandler.java:151)
	at org.zaproxy.addon.network.internal.server.http.MainServerHandler.processMessage(MainServerHandler.java:131)
	at org.zaproxy.addon.network.internal.server.http.LocalServerHandler.processMessage(LocalServerHandler.java:67)
	at org.zaproxy.addon.network.internal.server.http.MainServerHandler.process(MainServerHandler.java:94)
	at org.zaproxy.addon.network.internal.server.http.MainServerHandler.lambda$channelRead0$0(MainServerHandler.java:82)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
	at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
	at java.base/java.lang.Thread.run(Unknown Source)
Support info:
OWASP ZAP
Version: 2.12.0

Installed Add-ons:
[id=alertFilters, version=15.0.0], [id=ascanrules, version=55.0.0], [id=automation, version=0.29.0],
[id=bruteforce, version=13.0.0], [id=callhome, version=0.6.0], [id=commonlib, version=1.14.0],
[id=custompayloads, version=0.12.0], [id=database, version=0.1.0], [id=diff, version=12.0.0],
[id=directorylistv1, version=5.0.0], [id=domxss, version=15.0.0], [id=encoder, version=1.1.0],
[id=exim, version=0.5.0], [id=formhandler, version=6.3.0], [id=fuzz, version=13.9.0],
[id=gettingStarted, version=14.0.0], [id=graaljs, version=0.3.0], [id=graphql, version=0.16.0],
[id=help, version=15.0.0], [id=hud, version=0.16.0], [id=invoke, version=12.0.0],
[id=network, version=0.9.0], [id=oast, version=0.15.0], [id=onlineMenu, version=10.0.0],
[id=openapi, version=33.0.0], [id=pscanrules, version=49.0.0], [id=quickstart, version=37.0.0],
[id=replacer, version=12.0.0], [id=reports, version=0.21.0], [id=requester, version=7.2.0],
[id=retest, version=0.5.0], [id=retire, version=0.23.0], [id=reveal, version=5.0.0],
[id=scripts, version=38.0.0], [id=selenium, version=15.12.1], [id=soap, version=17.0.0],
[id=spider, version=0.4.0], [id=spiderAjax, version=23.14.1], [id=tips, version=10.0.0],
[id=webdriverwindows, version=55.0.0], [id=websocket, version=28.0.0], [id=zest, version=38.0.0]

Operating System: Windows 10
Architecture: amd64
Java Version: Oracle Corporation 20.0.1
System's Locale: en_US
Display Locale: en_GB
Format Locale: en_US
Default Charset: UTF-8
ZAP Home Directory: C:\Users\...\OWASP ZAP\
ZAP Installation Directory: C:\Program Files\OWASP\Zed Attack Proxy\.\
Look and Feel: FlatLaf Light (com.formdev.flatlaf.FlatLightLaf)


I have the same problem, here’s the Support Info…

Support Info:
OWASP ZAP
Version: 2.12.0

Installed Add-ons:
[id=alertFilters, version=15.0.0], [id=ascanrules, version=55.0.0], [id=authhelper, version=0.8.0],
[id=automation, version=0.29.0], [id=bruteforce, version=13.0.0], [id=callhome, version=0.6.0],
[id=commonlib, version=1.14.0], [id=custompayloads, version=0.12.0], [id=database, version=0.1.0],
[id=diff, version=12.0.0], [id=directorylistv1, version=5.0.0], [id=domxss, version=15.0.0],
[id=encoder, version=1.1.0], [id=exim, version=0.5.0], [id=formhandler, version=6.3.0],
[id=fuzz, version=13.9.0], [id=gettingStarted, version=14.0.0], [id=graaljs, version=0.3.0],
[id=graphql, version=0.16.0], [id=help, version=15.0.0], [id=hud, version=0.16.0],
[id=invoke, version=12.0.0], [id=network, version=0.9.0], [id=oast, version=0.15.0],
[id=onlineMenu, version=10.0.0], [id=openapi, version=33.0.0], [id=pscanrules, version=49.0.0],
[id=quickstart, version=37.0.0], [id=replacer, version=12.0.0], [id=reports, version=0.21.0],
[id=requester, version=7.2.0], [id=retest, version=0.5.0], [id=retire, version=0.23.0],
[id=reveal, version=5.0.0], [id=scripts, version=38.0.0], [id=selenium, version=15.12.1],
[id=soap, version=17.0.0], [id=spider, version=0.4.0], [id=spiderAjax, version=23.14.1],
[id=tips, version=10.0.0], [id=webdrivermacos, version=56.0.0], [id=websocket, version=28.0.0],
[id=zest, version=38.0.0]

Operating System: Mac OS X
Architecture: x86_64
Java Version: Eclipse Adoptium 11.0.16.1
System's Locale: uk_UA
Display Locale: uk_UA
Format Locale: uk_UA
Default Charset: UTF-8
ZAP Home Directory: /Users/.../Library/Application Support/ZAP/
ZAP Installation Directory: /Applications/OWASP ZAP.app/Contents/Java/./
Look and Feel: FlatLaf Light (com.formdev.flatlaf.FlatLightLaf)

I don’t think there is but will check.