Authentication Methods

Authentication Methods are the means by which ZAP actually authenticates to a web app.

The following methods are supported:

Manual Authentication

This is the default method, and means that you are handling authentication yourself.

Auto Detect

Auto-Detect Authentication indicates that the Authentication Request Identification passive scan rule should attempt to configure the Authentication method automatically.

Browser Based Authentication

Browser Based Authentication launches a browser which will attempt to fill in the correct credentials for the specified user.

This is often the most effective option, especially for modern apps which you need to explore using the Ajax Spider.

HTTP / NTLM Authentication

This method handles both HTTP and NTLM authentication. You will need to supply the hostname, port and realm.

Form-based Authentication

Form-based Authentication handles traditional HTML forms with user and password fields which are submitted using a standard HTTP GET or POST.

JSON-based Authentication

JSON-based Authentication handles form-based authentication where the user and password fields are submitted as a JSON object using an HTTP POST.

Script-based Authentication

Script-based Authentication allows you to use a script which will give you complete control over the authentication process.

For examples see the authentication directory in the Community Scripts repo.
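The descriptions above say what each method sends; the script below shows how the form-based, JSON-based and HTTP / NTLM methods are expressed when you configure them over the ZAP API rather than in the GUI. It is an added example, not part of the ZAP documentation or the ZAP project. The builder functions are plain Python and run offline; only the part under __main__ assumes the python-owasp-zap-v2.4 client (module zapv2) and a ZAP instance listening on 127.0.0.1:8080. The example.com URLs, the API key and the credentials are constructed placeholders.

```python
"""Build ZAP authentication-method settings and push them through the ZAP API.

Added example; not part of the ZAP documentation or the ZAP project.
The builder functions are pure Python and run offline. Only the code under
__main__ assumes the python-owasp-zap-v2.4 client (module `zapv2`) and a ZAP
instance listening on 127.0.0.1:8080; host names, API key and credentials
below are constructed placeholders.
"""
import json
from urllib.parse import urlencode

# ZAP substitutes the selected user's credentials for these tokens at login time.
USERNAME_TOKEN = "{%username%}"
PASSWORD_TOKEN = "{%password%}"

# Names the ZAP API uses for the methods described on the page.
FORM_METHOD = "formBasedAuthentication"
JSON_METHOD = "jsonBasedAuthentication"
HTTP_METHOD = "httpAuthentication"


def form_auth_config(login_url, user_field="username", pass_field="password"):
    """Form-based: credentials go in a urlencoded body, as an HTML form sends them.

    The body is itself a query string, so it has to be URL-encoded once more
    inside the `authmethodconfigparams` string: an unencoded '&' in the body
    would otherwise be read as the start of the next API parameter.
    urlencode() does that nesting for us.
    """
    body = f"{user_field}={USERNAME_TOKEN}&{pass_field}={PASSWORD_TOKEN}"
    return urlencode({"loginUrl": login_url, "loginRequestData": body})


def json_auth_config(login_url, user_field="username", pass_field="password"):
    """JSON-based: the same two fields, but POSTed as a JSON object."""
    body = json.dumps({user_field: USERNAME_TOKEN, pass_field: PASSWORD_TOKEN})
    return urlencode({"loginUrl": login_url, "loginRequestData": body})


def http_auth_config(hostname, port=443, realm=""):
    """HTTP / NTLM: ZAP answers the server's challenge for this host, port and realm."""
    return urlencode({"hostname": hostname, "port": port, "realm": realm})


def credentials_config(username, password):
    """Credentials are set per user, not per method; encoding protects '&', '=' etc."""
    return urlencode({"username": username, "password": password})


def configure_context(zap, context_name, include_regex, method_name, method_config,
                      user_name, creds_config):
    """Create a context, attach the authentication method and add one enabled user.

    `zap` is a zapv2.ZAPv2 instance (or any object exposing the same three
    sub-APIs). Returns (context_id, user_id) as the API reports them.
    """
    context_id = zap.context.new_context(context_name)
    zap.context.include_in_context(context_name, include_regex)
    zap.authentication.set_authentication_method(context_id, method_name, method_config)
    user_id = zap.users.new_user(context_id, user_name)
    zap.users.set_authentication_credentials(context_id, user_id, creds_config)
    zap.users.set_user_enabled(context_id, user_id, True)
    return context_id, user_id


if __name__ == "__main__":
    from zapv2 import ZAPv2  # pip install python-owasp-zap-v2.4 (assumed installed)

    proxy = "http://127.0.0.1:8080"
    zap = ZAPv2(apikey="REPLACE_WITH_ZAP_API_KEY", proxies={"http": proxy, "https": proxy})
    # Constructed placeholder target: a JSON login endpoint on example.com.
    ctx, user = configure_context(
        zap, "webapp", r"https://example\.com.*",
        JSON_METHOD, json_auth_config("https://example.com/api/login"),
        "tester", credentials_config("tester", "REPLACE_WITH_PASSWORD"),
    )
    print("context", ctx, "user", user, "->", zap.authentication.get_authentication_method(ctx))
```

The same pattern applies to the other methods: swap the method name and config builder (for example HTTP_METHOD with http_auth_config) and keep the user and credentials steps unchanged. The double encoding in form_auth_config and json_auth_config is the detail most often missed when driving ZAP from a script.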
