Authentication - Manual

If you are just performing manual testing then authentication is generally easier.

With manual testing you should be exploring the target app manually with a browser that is proxying through ZAP. In this case you can just use the valid credentials in the browser and in most cases you will be logged in.

HTTP Sessions

Many apps use cookies as a way to associate different HTTP requests as being part of the same application session. Note that these application sessions can be authenticated or unauthenticated.

The ZAP Params tab lists all of the parameters for each site, including:

  • Cookies
  • Headers
  • Form parameters
  • URL parameters

ZAP Params tab

If ZAP identifies a cookie that is typically used for session handling then it will add the “session” flag to it. If ZAP mis-identifies a cookie then you can right click it in the table and choose to add or remove the session flag.

The ZAP HTTP Sessions tab lists all of the HTTP sessions it has identified for each site. If you have flagged a new session cookie then you may need to make some new requests with that cookie before the session will be listed here.

ZAP HTTP Sessions tab

A set of right click options allows you to perform session related actions.

Active Session

You can right click any of the known sessions in the HTTP Sessions tab and set them as active.

ZAP will then add that session cookie to all requests to that site, whether they are requests that have been proxied through ZAP or requests generated by ZAP, for example by one of the spiders or the active scanner.

ZAP tools like the spiders and active scanner typically replay the previously recorded requests and only modify the parts that they need to. Defining a session as active will ensure that these tools use the right cookie for the active session.

Using an active session also allows you to switch quickly and easily between different app sessions as part of your manual testing.
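To make the HTTP Sessions behaviour described above concrete, here is a small model of it in Python: flagging a cookie as a session token, grouping responses into sessions, and rewriting outgoing requests with the active session's cookie. This is an added example, not ZAP's own code; the default token names, session naming and sample headers are constructed, and everything is kept for a single site, mirroring ZAP's per-site tracking.

```python
"""Toy model of ZAP's HTTP Sessions handling: flagging session tokens, grouping
responses into sessions, and injecting the active session's cookies.
Added example, not ZAP's own code; token names and sample headers are constructed."""
from http.cookies import SimpleCookie
from dataclasses import dataclass, field
from typing import Optional

# Constructed list of cookie names commonly used for session handling; ZAP keeps an
# equivalent (editable) list of default session tokens in its options.
DEFAULT_SESSION_TOKENS = {"jsessionid", "phpsessid", "asp.net_sessionid", "sessid", "sid"}


@dataclass
class SiteSessions:
    """Session bookkeeping for one site (ZAP tracks sessions per site)."""
    tokens: set = field(default_factory=lambda: set(DEFAULT_SESSION_TOKENS))
    sessions: dict = field(default_factory=dict)  # session name -> {token: value}
    active: Optional[str] = None

    def flag_token(self, name: str, session: bool = True) -> None:
        """Like right-clicking a cookie in the Params tab to add or remove the session flag."""
        (self.tokens.add if session else self.tokens.discard)(name.lower())

    def observe_response(self, set_cookie_headers: list) -> Optional[str]:
        """Record a new session when a response sets a flagged token; otherwise return None."""
        issued = {}
        for header in set_cookie_headers:
            cookie = SimpleCookie()
            cookie.load(header)
            issued.update({k: m.value for k, m in cookie.items() if k.lower() in self.tokens})
        if not issued:
            return None
        name = f"Session {len(self.sessions) + 1}"
        self.sessions[name] = issued
        return name

    def set_active(self, name: Optional[str]) -> None:
        """Mark a known session as active (None unsets the active session)."""
        if name is not None and name not in self.sessions:
            raise KeyError(name)
        self.active = name

    def apply(self, headers: dict) -> dict:
        """Rewrite an outgoing request so flagged tokens carry the active session's values,
        leaving non-session cookies (and requests with no active session) untouched."""
        if self.active is None:
            return dict(headers)
        sent = SimpleCookie()
        sent.load(headers.get("Cookie", ""))
        kept = [f"{k}={m.value}" for k, m in sent.items() if k.lower() not in self.tokens]
        kept += [f"{k}={v}" for k, v in self.sessions[self.active].items()]
        return {**headers, "Cookie": "; ".join(kept)}
```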