ZAP Authentication

Most apps protect their main functionality using authentication. If you cannot authenticate to the app then you will not be able to find the most interesting and impactful vulnerabilities. Unfortunately authentication is hard, especially as there are so many different ways that apps handle authentication.

These pages will tell you everything you need to know about testing an app with valid credentials in ZAP, they do not cover testing the authentication mechanism itself.

How to make your life easier - authentication is hard, don't make it harder than it needs to be

Manual authentication - how you can authenticate when testing manually

ZAP authentication concepts - you will need to understand these in order to configure authentication in ZAP

Handling authentication yourself in automation - Coming Soon

Session handling - Coming Soon

Authentication methods - Coming Soon

Verification strategies - Coming Soon

Authentication in the browser - Coming Soon

Testing authentication - Coming Soon

Monitoring with statistics - Coming Soon