Issue
When using the access-token-session.js session script in conjunction with an authentication script, HawkScan terminates with the following error:
Script access-token-session.js failed: JSONObject["access_token"] not found.
In the scan logs, a more verbose version is also present:
2022-09-01 10:46:06,823 [DefaultDispatcher-worker-1] ERROR ExtensionTalonHawkscan - Scan Config Error com.stackhawk.zap.extension.talon.hawkscan.api.AuthConfigException: Script access-token-session.js failed: JSONObject["access_token"] not found. at
...
Caused by: org.graalvm.polyglot.PolyglotException: JSONObject["access_token"] not found.
In addition, other errors may exist in the scan logs which provide additional context.
Cause
Immediate Cause: one of the following.
- The authentication script (or other AuthN mechanism configured in stackhawk.yml) failed to obtain a token from the login endpoint.
- The authentication mechanism succeeded, but the token or cookie it returned was not delivered as a JSON field named access_token.
Explanation
Session scripts run immediately after the authentication (AuthN) method is performed. The access-token-session.js session script sets the scanner's session context with the token obtained in that prior step.
The script was designed for the common OAuth 2.0 flows used by Auth0 and Okta, whose token responses carry the token in a JSON field named access_token, so that field is the only thing it looks for: it does not track cookies at all, and it ignores tokens returned under any other name (e.g., Bearer).
Example authentication scripts for which access-token-session.js can be used:
When the authentication response contains no access_token field, the session script throws the above error and the scan terminates.
Example:
In the log excerpt below, the JSONObject["access_token"] not found error was caused by the user's Auth0 configuration not allowing the OAuth grant type (Resource Owner Password) that the authentication script was configured to use, so the login endpoint returned an error object instead of a token:
2022-09-01 10:46:05,796 [DefaultDispatcher-worker-6] WARN ScanResponseInputHandler$Companion - MSG request body: client_id=[REDACTED]&client_secret=[REDACTED]&grant_type=password&username=[REDACTED]&audience=${YOUR_API_IDENTIFIER}&password=[REDACTED]
2022-09-01 10:46:06,361 [DefaultDispatcher-worker-6] WARN ScanResponseInputHandler$Companion - {"error":"unauthorized_client","error_description":"Grant type 'password' not allowed for the client.","error_uri":"https://auth0.com/docs/clients/client-grant-types"}
Solution
1. Troubleshoot the Authentication phase to ensure that a token is actually being obtained for the session script to ingest. Check the login request and its response in the scan logs for any error object returned by the identity provider.
2. Ensure that the token returned by the Authentication phase is indeed in a field named access_token. If it is not (e.g., a custom auth script that returns the token under a different name), modify the session script to look for the correct field name.
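The check in steps 1 and 2 can be exercised offline. The following is an added example and not the HawkScan access-token-session.js script itself: a token extractor that reproduces the script's failure mode (a missing access_token field) and shows the fix described above, namely looking the token up under a configurable field name. It also distinguishes the two causes listed earlier (the login failed outright versus the login succeeded but returned the token under another name). Function names and the sample response bodies are hypothetical and constructed for the example.

```javascript
// Added example (not HawkScan's own script). ES5-style JavaScript so that it
// also runs on older GraalJS engines as well as on Node.

// Pull the token out of a login response body. `fieldNames` lists the JSON
// keys to try in order; the default matches what access-token-session.js
// expects.
function extractToken(body, fieldNames) {
  var names = fieldNames || ['access_token'];
  var json;
  try {
    json = JSON.parse(body);
  } catch (e) {
    throw new Error('auth response is not JSON: ' + String(body).slice(0, 80));
  }
  if (!json || typeof json !== 'object') {
    throw new Error('auth response is not a JSON object');
  }
  // An OAuth 2.0 error object means the AuthN step itself failed; say so
  // instead of reporting the less informative "key not found".
  if (typeof json.error === 'string') {
    throw new Error('auth failed: ' + json.error +
      (json.error_description ? ' (' + json.error_description + ')' : ''));
  }
  for (var i = 0; i < names.length; i++) {
    var value = json[names[i]];
    if (typeof value === 'string' && value.length > 0) {
      return { field: names[i], token: value };
    }
  }
  // Same shape as the error HawkScan logs, plus the fields that were present,
  // which is what you need in order to pick the right name in step 2.
  throw new Error('JSONObject["' + names[0] + '"] not found; fields present: ' +
    Object.keys(json).join(', '));
}

// Classify a login response the way the Cause section does.
function diagnose(body, fieldNames) {
  try {
    extractToken(body, fieldNames);
    return 'ok';
  } catch (e) {
    if (e.message.indexOf('auth failed') === 0) return 'authn_failed';
    if (e.message.indexOf('JSONObject') === 0) return 'token_under_other_field';
    return 'not_json';
  }
}

// Header value the scanner would attach once a token has been found.
function authorizationHeader(token) {
  return 'Bearer ' + token;
}

// Constructed sample responses (not real tokens, not real log data).
var OKTA_STYLE = JSON.stringify({
  token_type: 'Bearer', expires_in: 3600, scope: 'openid',
  access_token: 'eyJhbGciOiJSUzI1NiJ9.sample.signature'
});
var CUSTOM_STYLE = JSON.stringify({ token: 'abc123', expires_in: 900 });
var AUTH0_ERROR = JSON.stringify({
  error: 'unauthorized_client',
  error_description: "Grant type 'password' not allowed for the client."
});

console.log(diagnose(OKTA_STYLE));                               // ok
console.log(diagnose(AUTH0_ERROR));                              // authn_failed
console.log(diagnose(CUSTOM_STYLE));                             // token_under_other_field
console.log(diagnose(CUSTOM_STYLE, ['access_token', 'token']));  // ok
console.log(authorizationHeader(extractToken(OKTA_STYLE).token)); // Bearer eyJhbGciOiJSUzI1NiJ9.sample.signature
```

The third and fourth calls are the situation in step 2: the same response is a failure with the default field name and a success once the custom name is added to the lookup list.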
Troubleshooting Note: the session script writes debug messages to the scan logs (alongside the 'MSG request' and 'MSG response' entries) through the print lines in the script, such as:
print('JS mgmt script: got token ' + token)
print('JS mgmt script: no token')
You can also customize these scripts with your own print lines for additional debug output.
Additional Information
Session scripts are a subset of httpsender scripts. For more information on using httpsender scripts, see Using custom httpsender scripts with HawkScan.