ZAP can handle a wide range of authentication mechanisms.
Each Context has:
You can use any combination of Authentication Method and Verification Strategy which works for your webapp.
In order to perform the authentication of a user on a website / in a webapp, the Authentication Method and Verification Strategy define how the authentication is done (the process), while the necessary credentials (the exact identifiers) are dependent on the user, so, in ZAP, they are configured in the Users.
The generic main steps that are needed to configure authentication for a web application are the following:
A configuration example showing how to fully configure a webapp that uses form-based authentication , cookie-based session management and returns full HTML pages (including an indication of whether the user is logged in) is seen below:
After configuring authentication, various actions are available in ZAP. For example, you can now select the user in the Spider dialogue. Or, using the Forced User Mode, you can force all the interactions that go through ZAP for a given Context to be from the perspective of a User. The Forced User Mode is enabled via a button in the toolbar (the one with the user and the lock) and is configured via Session Properties -> Forced User Mode.
Most of the steps above apply as well for other authentication methods. The only things that change when trying to configure authentication using a different method is step 6. Instead of that, select the authentication method required from the drop-down list and configure it as needed. More details about configuring each type of authentication can be found in the Authentication Methods page and in the Context Session screens.
A set of environmental variables are available which allow you to easily add an authentication header to all of the requests that are proxied through ZAP or initiated by the ZAP tools, including the spiders and active scanner:
|Session Properties dialog|
|Youtube tutorial||of the Authentication, Session Management and Users Management features of ZAP [external link to https://youtu.be/cR4gw-cPZOA].|
|UI Overview||for an overview of the user interface|
|Features||provided by ZAP|
|Session Contexts Dialog||for an overview of the Session Properties|
|Users||for an overview of Users|
|Anti-CSRF tokens||for an overview of anti-CSRF tokens|
|ZAP In Ten: Authentication: Basic and Digest (9:57)|
|ZAP In Ten: Authentication: Form Based (12:59)|
|ZAP In Ten: ADDO Automation and Authentication Workshop (8 videos)|