Authentication Helper

This add-on helps identify and set up authentication handling in ZAP.
It is initially aimed at manual use but the end goal is to make all of the key features available via automation.
It is currently at a very early stage of development - feedback on the existing functionality is very much appreciated, especially details of commonly used username and password fields in languages other than English.

The add-on can be used in 2 ways:

  • To passively detect authentication features.
  • To automatically configure ZAP to handle the authentication features discovered.

See below for the authentication features currently supported.

By default the add-on will raise informational alerts detailing any authentication features identified.

However if any of the authentication features are part of a ZAP Context which uses the “Manual” authentication method (the default), then the add-on will update that context to handle the authentication features if possible.

This add-on does not currently perform any exploring on its own - it relies upon requests being proxied through ZAP (e.g. via a browser being manually controlled, or integration tests) or requests being generated by ZAP (e.g. via the traditional or AJAX spiders).

To automatically configure authentication handling in ZAP:

  1. Launch your preferred browser (Firefox or Chrome) from ZAP
  2. Open your app in the browser
  3. Add all of the sites your app uses to a ZAP Context
  4. Authenticate to your app via the browser using valid credentials

If the add-on identifies an authentication request that is part of the context you have defined then an informational alert will be raised and the authentication method should be correctly set in the context you have created.
If an authentication request is not identified then check to make sure it is made to a site which is included in the context.
If it is not then add the site to the context and authenticate again via your browser.

Authentication Request Identification

This add-on includes a passive scan rule which attempts to identify authentication requests.
It identifies authentication requests by the presence of commonly used username and password field names. It also uses commonly used URL segments to identify more likely authentication requests, and uses commonly used registration URL segments to ignore registration requests.

The rule will not attempt to identify very unusual authentication requests - automation is one of the end goals, so false negatives (missing unusual authentication requests) are more desirable than false positives (incorrectly identifying an authentication request).
The alert's ‘other’ field is used to report a set of key-value pairs which can be easily parsed. The keys currently supported are:

  • userParam
  • userValue
  • passwordParam
  • csrfToken

There can potentially be multiple csrfTokens.

The rule will currently identify:

  • Form-based authentication requests
  • JSON-based authentication requests
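The heuristic described above (username/password field names, login-like URL segments, registration segments that cause a request to be skipped, and the key-value pairs reported in the alert), shown as an added example in Python. This is not the add-on's own code and not the rule's actual lists: the field names, URL segments, the `confidence` entry and the one-`key=value`-per-line layout used by `format_other`/`parse_other` are all assumptions made for the example, and the sample requests are constructed.

```python
import json
from urllib.parse import parse_qsl, urlsplit

# Illustrative lists (assumption: the real rule's lists are longer and cover
# more languages; these are just enough to exercise the logic).
USER_FIELDS = {"username", "user", "email", "login", "uname", "usuario", "benutzername"}
PASSWORD_FIELDS = {"password", "pass", "passwd", "pwd", "contrasena", "passwort"}
CSRF_FIELDS = {"_csrf", "csrf_token", "csrftoken", "authenticity_token",
               "__requestverificationtoken"}
LOGIN_SEGMENTS = {"login", "signin", "auth", "authenticate", "session"}
REGISTER_SEGMENTS = {"register", "signup", "createaccount"}


def _params(content_type, body):
    """Flatten a form or JSON body into (name, value) pairs; other types yield none."""
    ct = (content_type or "").split(";")[0].strip().lower()
    if ct == "application/x-www-form-urlencoded":
        return parse_qsl(body, keep_blank_values=True)
    if ct == "application/json":
        try:
            data = json.loads(body)
        except ValueError:
            return []
        pairs = []

        def walk(obj):  # nested objects such as {"credentials": {...}} are common
            if isinstance(obj, dict):
                for key, value in obj.items():
                    if isinstance(value, (dict, list)):
                        walk(value)
                    else:
                        pairs.append((str(key), "" if value is None else str(value)))
            elif isinstance(obj, list):
                for item in obj:
                    walk(item)

        walk(data)
        return pairs
    return []


def detect_auth(method, url, content_type, body):
    """Return the key-value pairs for a likely login request, or None.

    'confidence' is an illustrative extra: 'high' when the path contains a
    login-like segment, 'medium' when only the field names matched.
    """
    if method.upper() != "POST":
        return None
    segments = {s.lower() for s in urlsplit(url).path.split("/") if s}
    # Registration forms also carry user+password fields, so skip them up front
    # (a false negative here is preferred to a wrongly configured context).
    if segments & REGISTER_SEGMENTS:
        return None
    user_param = user_value = password_param = None
    csrf_tokens = []
    for name, value in _params(content_type, body):
        key = name.lower()
        if key in USER_FIELDS and user_param is None:
            user_param, user_value = name, value
        elif key in PASSWORD_FIELDS and password_param is None:
            password_param = name
        elif key in CSRF_FIELDS:
            csrf_tokens.append(name)  # there may be more than one
    if user_param is None or password_param is None:
        return None
    return {
        "userParam": user_param,
        "userValue": user_value,
        "passwordParam": password_param,
        "csrfToken": csrf_tokens,
        "confidence": "high" if segments & LOGIN_SEGMENTS else "medium",
    }


def format_other(result):
    """Serialise as one key=value pair per line (assumed layout); csrfToken repeats."""
    lines = [f"userParam={result['userParam']}",
             f"userValue={result['userValue']}",
             f"passwordParam={result['passwordParam']}"]
    lines += [f"csrfToken={t}" for t in result["csrfToken"]]
    return "\n".join(lines)


def parse_other(text):
    """Parse the key=value lines back; csrfToken may repeat, so it is always a list."""
    out = {"csrfToken": []}
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key == "csrfToken":
            out["csrfToken"].append(value)
        else:
            out[key] = value
    return out


# Constructed sample requests: (method, url, content-type, body).
SAMPLES = [
    ("POST", "https://app.example/login", "application/x-www-form-urlencoded; charset=UTF-8",
     "_csrf=abc123&username=alice&password=s3cret"),
    ("POST", "https://app.example/api/session", "application/json",
     '{"credentials": {"email": "alice@example.com", "password": "s3cret"}}'),
    ("POST", "https://app.example/account/settings", "application/x-www-form-urlencoded",
     "email=alice%40example.com&password=old&newpassword=new"),
    ("POST", "https://app.example/register", "application/x-www-form-urlencoded",
     "username=bob&password=hunter2&confirm=hunter2"),
    ("GET", "https://app.example/login?username=alice", "", ""),
]

if __name__ == "__main__":
    for req in SAMPLES:
        print(req[0], req[1], "->", detect_auth(*req))
```

The third sample (a settings page that happens to post `email` and `password`) is the kind of request that matches on field names alone; the URL-segment check is what keeps it from being treated with the same confidence as a real login, which is why the rule leans on URL segments in addition to field names.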

Latest code: AuthenticationDetectionScanRule.java