How to pass authentication details to the ZAP tool to scan the website. Please help me to solve the problem.
Right click on the authentication request and 'Flag as Context… Form-based Auth Login Request' A window will be opened already containing the request URL and the parameters (if any). Use the dropdown options to select which of the parameters correspond to the username and to the password.
ZAP handles multiple types of authentication (called Authentication Methods ) that can be used for websites / webapps. Each Context has an Authentication Method defined which dictates how authentication is handled. The authentication is used to create Web Sessions that correspond to authenticated webapp Users.
Quite old question but here it goes.
The most simple way to do this is setting your browser to Proxy through ZAP. On Firefox you can go to:
Options -> Advanced -> Network -> Settings.
Select Manual Proxy Configuration and fill the HTTP Host with the address of the machine running ZAP (most probably localhost) and the configured ZAP port.
You can check and configure ZAP port opening ZAP and accessing:
Tools -> Options -> Local Proxy.
Then open your web browser and login to your application. Now go to ZAP, in the Sites tab (left side of ZAP), select your site, right click on it and select:
Include in Context -> Default Context
Now open the HTTP Sessions tab right click on the session and "Set as Active". (HTTP Sessions Tab: View -> Show Tab -> HTTP Sessions)
Now you can perform ZAP Spider, Active Scan and so with an logged in session. If this is not your scenario, please provide more info about which authentication method your application is using.
Hope it still helps you or someone searching for similar questions. Thanks,
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With