ZAP supports multiple Verification Strategies in order to detect when messages correspond to authenticated requests.
With the response-only strategy, ZAP applies the specified Regex Patterns to every response. This is typically useful for traditional web apps which return full HTML pages.
With the request-only strategy, ZAP applies the specified Regex Patterns to every request. This is typically useful for modern web apps which maintain some session state client side, such as a JWT, which is submitted with every request.
With the request-and-response strategy, ZAP applies the specified Regex Patterns to both the request and the response of every message.
With the poll strategy, ZAP polls the specified URL at the given frequency. Messages are treated as logged in or logged out based on the result of the last poll request; the specified Regex Patterns are applied only to the response to the poll request, not to the messages themselves. This strategy is typically useful for any application that has at least one URL which can reliably be used to detect whether a user is logged in or out.
All of the strategies use two Regex Patterns to tell whether a given message is logged in or not. You can supply one or both regexes; if you supply neither, the Authentication Strategy will not be used.
To set one of the Logged in/out Indicators, either type the regex directly into the Session Context dialog -> Authentication panel -> Logged In/Out Indicator field, or find an authenticated message in the Sites Tree or History tab, select it, open the Response View, select the text you wish to define as the indicator with the mouse, and choose the Flag as Context… Logged in/out indicator right-click menu option.
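The following added example (not ZAP's own code) models how the four strategies decide whether a message is authenticated from the logged-in and logged-out regexes, including the rule that no configured indicator means the strategy is not used. The sample HTTP messages are constructed, and the precedence between a logged-in match and a logged-out match is an assumption made here for illustration.

```python
import re
from typing import Optional

# Constructed sample messages (not taken from the ZAP help page).
HTML_RESP_IN = "HTTP/1.1 200 OK\r\n\r\n<html><a href='/logout'>Logout</a></html>"
HTML_RESP_OUT = "HTTP/1.1 200 OK\r\n\r\n<html><form action='/login'>Sign in</form></html>"
JWT_REQ = "GET /api/me HTTP/1.1\r\nAuthorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.sig\r\n\r\n"
ANON_REQ = "GET /api/me HTTP/1.1\r\n\r\n"


def is_authenticated(strategy: str, request: str, response: str,
                     logged_in: Optional[str] = None,
                     logged_out: Optional[str] = None) -> Optional[bool]:
    """Apply the indicator regexes per strategy.

    Returns True (logged in), False (logged out), or None when no indicator
    is configured, i.e. the verification strategy is not used at all.
    """
    if logged_in is None and logged_out is None:
        return None
    if strategy == "response":
        text = response
    elif strategy == "request":
        text = request
    elif strategy == "both":
        text = request + response
    else:
        raise ValueError(f"unknown strategy: {strategy}")
    # Assumed precedence: a logged-in match wins, then a logged-out match;
    # when neither matches, the indicator that was NOT supplied decides
    # (only logged-out supplied and unmatched -> logged in, and vice versa).
    if logged_in is not None and re.search(logged_in, text):
        return True
    if logged_out is not None and re.search(logged_out, text):
        return False
    return logged_in is None


class PollVerifier:
    """Poll strategy: every message inherits the result of the last poll."""

    def __init__(self, logged_in: Optional[str] = None, logged_out: Optional[str] = None):
        self.logged_in, self.logged_out, self.state = logged_in, logged_out, None

    def record_poll(self, poll_response: str) -> Optional[bool]:
        # Only the poll response is checked; the regexes never see other messages.
        self.state = is_authenticated("response", "", poll_response, self.logged_in, self.logged_out)
        return self.state

    def is_authenticated(self, request: str, response: str) -> Optional[bool]:
        return self.state  # the message content itself is ignored
```

Note how the same logged-out regex gives different verdicts for the anonymous request under the request-only and request-and-response strategies, because only the latter ever sees the response body.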
[Screenshot: Session Properties dialog]

- Youtube tutorial of the Authentication, Session Management and Users Management features of ZAP [external link to https://youtu.be/cR4gw-cPZOA]
- UI Overview for an overview of the user interface
- Features provided by ZAP
- Session Contexts Dialog for an overview of the Session Properties
- Users for an overview of Users
- Anti-CSRF tokens for an overview of anti-CSRF tokens