ZAP has options for auto-detecting all of the different parts of authentication that it requires. If they work for your apps then it will make your life considerably easier, so this is the best place for you to start.

Authentication Tester Dialog

The Authentication Tester Dialog is a quick and easy way to check if ZAP can automatically detect all of the information it needs - you only need to provide the URL of your login page and valid credentials.

If everything passes then auto-detection is probably going to be your best option.

If it fails then the dialog will collect sanitised diagnostics which you can safely share with us in order to help identify what is going wrong.

Auto Detection in the Desktop

The Authentication Tester Dialog will automatically create a new Context for you (by default “Authentication Test”). This will be updated with the details that ZAP detects.

You can also set up authentication auto-detection manually in the ZAP Desktop by:

Auto Detection in the Automation Framework

You can use authentication auto-detection in an Automation Framework plan by configuring the environment like:

  - name: "simple-json"
    - "http://localhost:9091/auth/simple-json"
    - "http://localhost:9091/auth/simple-json.*"
    excludePaths: []
      method: "browser"
        loginPageUrl: "http://localhost:9091/auth/simple-json/"
        loginPageWait: 5
        browserId: "firefox-headless"
        method: "autodetect"
      method: "autodetect"
      parameters: {}
    - name: "test"
        username: "[email protected]"
        password: "password123"

See the Authentication Auto-Detection blog post for more details.

Auto Detection in the API

Auto-detection is currently not supported in the API due to Core restrictions. These restrictions will be removed in a future full release.