Posted Thursday January 19, 2023
1004 Words
Handling authentication in automation is hard, but help is on its way.
452 Words
These are the concepts that you will need to understand in order to configure authentication in ZAP.
Contexts
ZAP contexts are a way of relating a set of URLs together. You can define any contexts you like, but it is expected that a context will correspond to a web application.
62 Words
The following SSO providers have documented solutions for automation.
We will aim to test ZAP with as many of these providers as possible in order to provide specific ZAP integration details. If you would like to help with this effort then please get in touch 😁.
LemonLDAP::NG Documentation: https://lemonldap-ng.
355 Words
Authentication is a key way of restricting access to an app. Some authentication mechanisms also make it significantly harder to use tools like ZAP, even for those people who have permission to use them.
Test in a Safe Environment
Testing with valid credentials in a production environment is a really bad idea.
336 Words
If you are just performing manual testing then authentication is generally easier.
With manual testing you should be exploring the target app manually with a browser that is proxying through ZAP. In this case you can just use the valid credentials in the browser and in most cases you will be logged in.
554 Words
If ZAP is handling authentication then it needs to handle sessions as well: logging in is of no use if ZAP does not maintain the session, as the target app will just treat ZAP as being unauthenticated.
Session management configuration is part of a ZAP context.
277 Words
If you ask a question related to authentication on one of the ZAP forums then you will be directed here.
We know that the ZAP authentication documentation needs improving. One of the reasons why it has not been improved is that we are too busy trying to answer authentication questions 😉.
249 Words
If you need to set up ZAP to handle authentication then you really need to find a suitable verification URL in your app.
The verification URL will be one that you can request from the Manual Request Editor dialog and which will send a response that allows you to work out whether you are logged in or not.
461 Words
If you can generate an authentication token (e.g. to use in a header or cookie) and you know that your app will not invalidate it while you are using ZAP then one option is to handle authentication yourself.
In this case you take on the responsibility for handling the authentication and session handling.