Issue
When using an authentication script with HawkScan, the scan terminates with the following error:
Authentication Configuration Error: Script <scriptname> failed: null: nodename nor servname provided, or not known
In the scan logs, a more verbose version is also present:
2023-01-27 14:55:03,971 [DefaultDispatcher-worker-1] ERROR ScriptBasedAuthenticationMethodType - An error occurred while trying to authenticate using the Authentication Script: custom_json_payload.js
org.graalvm.polyglot.PolyglotException: null: nodename nor servname provided, or not known
at org.zaproxy.addon.network.internal.client.apachev5.HttpSenderApache.sendImpl(HttpSenderApache.java:360) ~[?:?]
at org.zaproxy.addon.network.internal.client.apachev5.HttpSenderApache.sendImpl(HttpSenderApache.java:116) ~[?:?]
at org.zaproxy.addon.network.internal.client.BaseHttpSender.sendAuthenticated(BaseHttpSender.java:298) ~[?:?]
at org.zaproxy.addon.network.internal.client.BaseHttpSender.sendNoRedirections(BaseHttpSender.java:266) ~[?:?]
[...]
Cause
The login_url parameter in app.authentication.script has been configured incorrectly.
For instance, with the Custom JSON payload script, the error occurs if a relative path is specified rather than a complete URL.
Incorrect:
script:
  name: custom_json_payload.js
  parameters:
    login_url: /api/jwt/auth/signin
  credentials:
    username: ${USERNAME}
    password: ${PASSWORD}
Correct:
script:
  name: custom_json_payload.js
  parameters:
    login_url: https://localhost:9000/api/jwt/auth/signin
  credentials:
    username: ${USERNAME}
    password: ${PASSWORD}
Explanation
While various elements in stackhawk.yml (for instance, openApiConf.filePath) use a relative path convention, parameters passed to authentication scripts need to follow the expectations of the underlying script language.
For the JavaScript authentication scripts, this is often something like new URI(paramsValues.get("login_url"), false);, which requires a full URI. A relative path carries no scheme or host, so the HTTP sender has no hostname to resolve, which is why the error message reports null for the name lookup.
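The following is an added pre-flight check, not StackHawk's or ZAP's code: it reads the login_url value out of a stackhawk.yml fragment and rejects anything that is not an absolute http(s) URL with a host, which is the condition the script's URI constructor needs. The loginUrlFromYaml helper is a deliberately minimal key lookup, not a YAML parser.

```javascript
// Pre-flight check for the login_url passed to a HawkScan authentication script.
// Added example: mirrors the requirement that the script's
// `new URI(paramsValues.get("login_url"), false)` receive a full URI.

function validateLoginUrl(value) {
  if (typeof value !== "string" || value.trim() === "") {
    return { ok: false, reason: "login_url is missing or empty" };
  }
  let parsed;
  try {
    parsed = new URL(value); // no base URL given, so a relative path throws here
  } catch (e) {
    return { ok: false, reason: "login_url '" + value + "' is not an absolute URL" };
  }
  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
    return { ok: false, reason: "unsupported scheme '" + parsed.protocol + "'" };
  }
  if (parsed.hostname === "") {
    return { ok: false, reason: "login_url has no host to resolve" };
  }
  return { ok: true, url: parsed.href };
}

// Minimal lookup of the login_url value in a stackhawk.yml fragment (hypothetical
// helper; it only matches the `login_url:` key and strips surrounding quotes).
function loginUrlFromYaml(yamlText) {
  const m = /^\s*login_url:\s*(.+?)\s*$/m.exec(yamlText);
  return m ? m[1].replace(/^["']|["']$/g, "") : undefined;
}

// Constructed fragments matching the incorrect and correct configurations above.
const INCORRECT_YAML = [
  "script:",
  "  name: custom_json_payload.js",
  "  parameters:",
  "    login_url: /api/jwt/auth/signin",
].join("\n");
const CORRECT_YAML = INCORRECT_YAML.replace(
  "/api/jwt/auth/signin", "https://localhost:9000/api/jwt/auth/signin");

function checkConfig(yamlText) {
  return validateLoginUrl(loginUrlFromYaml(yamlText));
}

console.log(checkConfig(INCORRECT_YAML)); // ok: false, relative path rejected
console.log(checkConfig(CORRECT_YAML));   // ok: true, absolute URL accepted
```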
Solution
Specify the full URI in login_url.