From 3c4b8785b174c320f3ffd30a23a8981b5c03e1df Mon Sep 17 00:00:00 2001
From: goldrak
Date: Fri, 9 Feb 2024 10:08:03 +0100
Subject: [PATCH 1/2] Create LaravelInertia.js
Signed-off-by: goldrak
---
 authentication/LaravelInertia.js | 148 +++++++++++++++++++++++++++++++
 1 file changed, 148 insertions(+)
 create mode 100644 authentication/LaravelInertia.js
diff --git a/authentication/LaravelInertia.js b/authentication/LaravelInertia.js
new file mode 100644
index 00000000..b0ae5eda
--- /dev/null
+++ b/authentication/LaravelInertia.js
@@ -0,0 +1,148 @@
+/*
+ * A script to provide authentication for Laravel InertiaJS apps.
+ *
+ * First it makes a GET request and obtains the XSRF-TOKEN and Cookie Session from the response body.
+ *
+ * Then it makes a POST request with a body which contains username, password and X-XSRF-TOKEN.
+ *
+ * A successful login will result in a 302 redirect. If this happens, a GET request is made to the redirect URL.
+ *
+ * Every request made by this script is logged separately to the History tab.
+ */
+
+
+function authenticate(helper, paramsValues, credentials) {
+
+ var AuthenticationHelper = Java.type('org.zaproxy.zap.authentication.AuthenticationHelper');
+ var HttpRequestHeader = Java.type("org.parosproxy.paros.network.HttpRequestHeader");
+ var HttpHeader = Java.type("org.parosproxy.paros.network.HttpHeader");
+ var URI = Java.type("org.apache.commons.httpclient.URI");
+
+ var targetURL = paramsValues.get("Target URL");
+ var baseURL = targetURL.match(/^(.+?[^\/:](?=[?\/]|$))/i)[1];
+
+ //
+ // First, make a GET request to the login page to get and extract the
+ // csrfmiddlewaretoken from it.
+ //
+
+ // Build message.
+ var firstRequestURI = new URI(targetURL, false);
+ var firstRequestMethod = HttpRequestHeader.GET;
+ var firstRequestMainHeader = new HttpRequestHeader(firstRequestMethod, firstRequestURI, HttpHeader.HTTP11);
+ var firstMsg = helper.prepareMessage();
+ firstMsg.setRequestHeader(firstRequestMainHeader);
+
+
+ // Send message.
+ helper.sendAndReceive(firstMsg, false);
+
+ // Add message to ZAP history.
+ AuthenticationHelper.addAuthMessageToHistory(firstMsg);
+
+
+ // Get the csrf token from the response.
+ var csrfTokenValueRegEx = /XSRF-TOKEN=([A-Za-z0-9]*%3D)/i;
+
+ var csrfTokenValue = firstMsg.getResponseHeader().toString().match(csrfTokenValueRegEx)[1];
+
+
+ // Get the csrf token from the response.
+ var cookieSessionRegEx = /osdo_session=([A-Za-z0-9]*%3D)/i;
+ var cookieSessionValue = firstMsg.getResponseHeader().toString().match(cookieSessionRegEx)[1];
+
+
+ // Get Inertia version
+ var dataPageRegEx = /
Date: Fri, 9 Feb 2024 11:32:34 +0100
Subject: [PATCH 2/2] Update LaravelInertia.js
Signed-off-by: goldrak
---
 authentication/LaravelInertia.js | 19 +++++--------------
 1 file changed, 5 insertions(+), 14 deletions(-)
diff --git a/authentication/LaravelInertia.js b/authentication/LaravelInertia.js
index b0ae5eda..c190fdd2 100644
--- a/authentication/LaravelInertia.js
+++ b/authentication/LaravelInertia.js
@@ -46,7 +46,7 @@ function authenticate(helper, paramsValues, credentials) {
 var csrfTokenValue = firstMsg.getResponseHeader().toString().match(csrfTokenValueRegEx)[1];
-
+ var cookieName = paramsValues.get("Session Cookie name")
 // Get the csrf token from the response.
 var cookieSessionRegEx = /osdo_session=([A-Za-z0-9]*%3D)/i;
 var cookieSessionValue = firstMsg.getResponseHeader().toString().match(cookieSessionRegEx)[1];
@@ -57,9 +57,7 @@ function authenticate(helper, paramsValues, credentials) {
 var dataPageValue = firstMsg.getResponseBody().toString().match(dataPageRegEx)[1];
 var dataPageJsonString = dataPageValue.replace(/"/g, '"');
- var dataPageObject;
-
- dataPageObject = JSON.parse(dataPageJsonString);
+ var dataPageObject = JSON.parse(dataPageJsonString);
 if (dataPageObject) {
 var inertiaVersion = dataPageObject.version;
@@ -78,7 +76,7 @@ function authenticate(helper, paramsValues, credentials) {
 secondMsg.getRequestHeader().setHeader("X-XSRF-TOKEN", decodeURIComponent(csrfTokenValue));
 secondMsg.getRequestHeader().setHeader("Content-Type", "application/json");
 secondMsg.getRequestHeader().setHeader("X-Requested-With", "XMLHttpRequest");
- secondMsg.getRequestHeader().setHeader("Referer", "https://app.opensecdevops.com/login");
+ secondMsg.getRequestHeader().setHeader("Referer", targetURL);
 secondMsg.getRequestHeader().setHeader("X-Inertia", 'true');
 secondMsg.getRequestHeader().setHeader("X-Inertia-Version", inertiaVersion);
 secondMsg.getRequestHeader().setHeader("Accept", "text/html, application/xhtml+xml");
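Review bot: `cookieName`, assigned on the added line of the first hunk, is never used: `cookieSessionRegEx` two lines below still hardcodes `osdo_session=`, so the new "Session Cookie name" parameter has no effect and the script only works against the one deployment that issues a cookie by that name. Build the pattern from the parameter instead, escaping it before it enters the regex, e.g. `var cookieName = paramsValues.get("Session Cookie name");` followed by `var cookieSessionRegEx = new RegExp(cookieName.replace(/[.*+?^${}()|[\]\\]/g, "\\$&") + "=([^;]+)", "i");` (keep the original `[A-Za-z0-9]*%3D` class if the value is guaranteed to be URL-encoded base64). The added line is also missing its terminating semicolon. `.match(cookieSessionRegEx)[1]` on the last context line throws a bare TypeError when the cookie is absent; checking the match for null and throwing an error that names the cookie would make a mistyped cookie name diagnosable from the script output. authenticate's body continues outside the hunk.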
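Review bot: Folding the declaration into `var dataPageObject = JSON.parse(dataPageJsonString);` in the second hunk is fine, but the `if (dataPageObject)` guard on the next line cannot catch the failures that actually occur here: `JSON.parse` throws on malformed input, and the preceding `.match(dataPageRegEx)[1]` throws a TypeError when the response carries no data-page attribute, so neither path reaches the guard. If those cases should be reported as an authentication-setup failure rather than an unhandled script exception, wrap the parse in try/catch and rethrow with a message naming the step that failed. The unchanged `dataPageValue.replace(/"/g, '"')` on the line above reads as a no-op as rendered here; if the source actually has an HTML entity on the left side, a one-line comment such as `// unescape the HTML-encoded JSON in the data-page attribute` would explain the line. authenticate's body continues outside the hunk.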
@@ -88,8 +86,8 @@ function authenticate(helper, paramsValues, credentials) {
 // Build body credentials
 var postData = {
- "email": credentials.getParam("Username"),
- "password": credentials.getParam("Password"),
+ paramsValues.get("Username field"): credentials.getParam("Username"),
+ paramsValues.get("PPassword field") : credentials.getParam("Password"),
 "remember": ""
 };
@@ -102,7 +100,6 @@ function authenticate(helper, paramsValues, credentials) {
 helper.sendAndReceive(secondMsg, false);
 // Get the status code of the response.
- // Aquí puedes verificar el código de estado de la respuesta para confirmar si la autenticación fue exitosa
 var secondResponseStatusCode = secondMsg.getResponseHeader().getStatusCode();
 //
@@ -137,12 +134,6 @@ function getRequiredParamsNames() {
 return ["Target URL", "Username field", "Password field", "Session Cookie name"];
 }
-
-function getOptionalParamsNames() {
- return ["Extra POST data"];
-}
-
-
 function getCredentialsParamsNames() {
 return ["Username", "Password"];
 }
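Review bot: The two added lines of the first hunk are not valid JavaScript: `paramsValues.get("Username field"): ...` puts a function call in key position, and an object literal only accepts an identifier, string, number or a bracketed computed key there, so the whole script fails to load. The second key also reads `"PPassword field"` while `getRequiredParamsNames` in the last hunk declares `"Password field"`, so even with the syntax fixed the lookup would yield null and the password would be sent under a wrong key. A portable fix that does not depend on ES2015 computed keys is bracket assignment: `var postData = { "remember": "" };`, `postData[paramsValues.get("Username field")] = credentials.getParam("Username");`, `postData[paramsValues.get("Password field")] = credentials.getParam("Password");`. Please also double-check the deletion of `getOptionalParamsNames` in the last hunk: as far as I recall, ZAP's script-based authentication looks up all four callbacks on the script and a missing one is a load error rather than "no optional parameters", in which case keeping `function getOptionalParamsNames() { return []; }` is the safe form. authenticate's body continues outside the hunk.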