Authentication Helper

This add-on helps identify and set up authentication handling in ZAP.
It is initially aimed at manual use but the end goal is to make all of the key features available via automation.
It is currently at a very early stage of development - feedback on the existing functionality is very much appreciated, especially details of commonly used username and password fields in languages other than English.

The add-on can be used in two ways:

  • To passively detect authentication features.
  • To automatically configure ZAP to handle the authentication features discovered.

The features currently supported are:

However, if any of the authentication features are part of a ZAP Context which uses the “Manual” authentication method (the default), then the add-on will, where possible, update that context to handle the authentication features it discovered.

This add-on does not currently perform any exploring on its own - it relies upon requests being proxied through ZAP (e.g. via a browser being manually controlled, or integration tests) or requests being generated by ZAP (e.g. via the traditional or AJAX spiders).

To automatically configure authentication handling in ZAP when accessing a site manually:

  1. Launch your preferred browser (Firefox or Chrome) from ZAP
  2. Open your app in the browser
  3. Add all of the sites your app uses to a ZAP Context
  4. Change the context to use “Auto-Detect” Authentication and Session Management
  5. Authenticate to your app via the browser using valid credentials

You can also now configure ZAP to handle authentication automatically via the Automation Framework by supplying just the login URL and the user credentials in the environment:

env:
  contexts:
  - name: "target"
    urls:
    - https://example.com
    includePaths: []
    excludePaths: []
    authentication:
      method: "browser"
      parameters: 
        loginPageUrl: "https://example.com/login"
      verification:
        method: "poll"
    sessionManagement:
      method: "autodetect"
    users:
    - name: "[email protected]"
      credentials:
        username: "[email protected]"
        password: "password123"
ZAP Blog Post: Authentication Help/