Users are the ZAP representations of websites/webapps’ users. They allow certain actions to be performed from the point of view of an user of the webapps. For each Context, a set of Users can be defined, which can then be used in actions related to the context. Most commonly, during various scans the request messages can be sent from the point of view of a User.
The concept of Users is tightly tied to the concepts of Session Management and Authentication. When a User is first used somewhere in ZAP, an authentication is performed (according to the Authentication Method defined for the Context) and a Session is created and configured for this user (according to the Session Management defined for the Context). After that, requests sent from the point of view of a User are modified (if necessary) and sent in such a way that the web server identifies them as being sent by an authenticated webapp/website user. If anytime a User appears to be unauthenticated (as determined by the Authentication Verification Strategy), a new authentication is performed and the Session is updated accordingly.
In order to perform the authentication of a user on a website / in a webapp, the Authentication Method defines how the authentication is done (the process), while the necessary credentials (the exact identifiers) are dependent on the user, so, in ZAP, they are configured in the Users.
|Session Contexts Dialog|
|Youtube tutorial||of the Authentication, Session Management and Users Management features of ZAP [external link to https://youtu.be/cR4gw-cPZOA].|
|Authentication Overview||for an overview of Authentication in ZAP|
|UI Overview||for an overview of the user interface|
|Features||provided by ZAP|
|Session Contexts Dialog||for an overview of the Session Properties|