This add-on helps identify and set up authentication handling in ZAP.
It is initially aimed at manual use but the end goal is to make all of the key features available via automation.
It is currently at a very early stage of development - feedback on the existing functionality is very much appreciated, especially details of commonly used username and password fields in languages other than English.
The add-on can be used in 2 ways:
The features currently supported are:
However, if any of the authentication features are part of a ZAP Context that uses the “Manual” authentication method (the default), then the add-on will update that context to handle the authentication features, if possible.
This add-on does not currently perform any exploring on its own - it relies upon requests being proxied through ZAP (e.g. via a browser being manually controlled, or integration tests) or requests being generated by ZAP (e.g. via the traditional or AJAX spiders).
To automatically configure authentication handling in ZAP when accessing a site manually:
You can also now configure ZAP to handle authentication automatically via the Automation Framework by supplying just the login URL and the user credentials in the environment:
env:
  contexts:
    - name: "target"
      urls:
        - https://example.com
      includePaths: []
      excludePaths: []
      authentication:
        method: "browser"
        parameters:
          loginPageUrl: "https://example.com/login"
        verification:
          method: "poll"
      sessionManagement:
        method: "autodetect"
      users:
        - name: "[email protected]"
          credentials:
            username: "[email protected]"
            password: "password123"
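The environment above only becomes useful once jobs run under the defined user. The following complete Automation Framework plan is an added example, not part of this add-on's help page: the env section mirrors the one above, and the jobs section assumes the standard spider, passiveScan-wait and report jobs with their documented context/user parameters; the user name, password and report directory are constructed placeholders.

```yaml
# Added example: a complete plan combining the auth-helper env with jobs.
# Run with: ./zap.sh -cmd -autorun plan.yaml
env:
  contexts:
    - name: "target"
      urls:
        - https://example.com
      includePaths: []
      excludePaths: []
      authentication:
        method: "browser"          # log in via a real browser
        parameters:
          loginPageUrl: "https://example.com/login"
        verification:
          method: "poll"           # auth helper fills in the poll details it detects
      sessionManagement:
        method: "autodetect"       # cookie/header based session picked up automatically
      users:
        - name: "testuser"         # constructed placeholder user
          credentials:
            username: "testuser"
            password: "PLACEHOLDER_PASSWORD"   # constructed; supply a real test-account secret
  parameters:
    failOnError: true              # stop the plan if authentication cannot be set up
    progressToStdout: true
jobs:
  - type: spider
    parameters:
      context: "target"
      user: "testuser"             # crawl as the authenticated user, not anonymously
      maxDuration: 5               # minutes
  - type: passiveScan-wait
    parameters:
      maxDuration: 5
  - type: report
    parameters:
      template: "traditional-html"
      reportDir: "/tmp/zap-reports"   # constructed placeholder path
      reportTitle: "Authenticated scan of target"
```

If the browser login or session autodetection fails, failOnError: true makes the plan abort instead of silently spidering the site unauthenticated, which is the failure mode to watch for when checking the resulting report.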
ZAP Blog Post: Authentication Help