psiinon edited this page Jun 4, 2015 · 11 revisions

How can ZAP automatically authenticate via forms?

ZAP supports form based authentication, and can automatically (re)authenticate, for example when using the Spider or Active Scanner.

There are a few steps required to set this up which can be performed via either the UI or the API.

Via the UI:

  1. Explore your app while proxying through ZAP
  2. Login using a valid username and password
  3. Define a Context, e.g. by right clicking the top node of your app in the Sites tab and selecting "Include in Context"
  4. Find the 'Login request' in the Sites or History tab
  5. Right click it and select "Flag as Context" / "Login Request"
  6. Find a string in a response which can be used to determine if the user is logged in or not
  7. Highlight this string, right click and select "Flag as Context" / "Logged in/out Indicator" as relevant
  8. The "Automatic re-authentication" button should now be enabled
  9. Pressing this button will cause ZAP to resend the authentication request whenever it detects, via the 'logged in' or 'logged out' indicator, that the user is no longer logged in.

Via the API the process is the same, using these API calls:

  1. context/includeInContext
  2. auth/setLoginUrl
  3. auth/setLoginIndicator or setLogoutIndicator
  4. auth/autoReauthOn
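The following is an added example, not code from the ZAP wiki or the ZAP project, showing how the UI steps and the API sequence above fit together in a script. It first checks a candidate 'logged in' indicator against two captured responses (one from a logged-in session, one from a logged-out session, both constructed here) so that a string that happens to appear in both pages is rejected before it is configured, then issues the four API actions in the order the FAQ lists. The URL layout `http://<zap>/JSON/<component>/action/<name>/?...` and the `apikey` parameter are ZAP's documented API shape; the ZAP address, the context id and the parameter names `contextName`, `regex`, `contextId`, `url`, `postData` and `indicator` are assumptions to verify against the API listing of your ZAP version (later releases moved these actions into the `authentication` component under different names).

```python
"""Added example (not part of the ZAP wiki): script ZAP's form-based
authentication setup through its JSON API, after validating the
logged-in indicator against captured responses.

Assumptions: ZAP listens on 127.0.0.1:8080, the context id is 1, and
the parameter names below match the 2015-era `auth` API; check them
against the API listing your ZAP version serves."""
import re
from urllib.parse import urlencode
from urllib.request import urlopen

ZAP_BASE = "http://127.0.0.1:8080"  # assumption: address of the ZAP API

# Constructed sample responses standing in for steps 4-6 of the UI list:
# the same page captured while logged in and while logged out.
LOGGED_IN_HTML = "<title>Account</title><a href='/logout'>Log out</a><p>Welcome, alice</p>"
LOGGED_OUT_HTML = "<title>Account</title><form action='/login'>Please sign in</form>"


def api_url(component, action, params, base=ZAP_BASE, apikey=""):
    """Build a ZAP JSON API action URL: /JSON/<component>/action/<action>/?params."""
    query = dict(params)
    if apikey:
        query["apikey"] = apikey  # ZAP rejects API actions without a valid key when one is set
    return f"{base}/JSON/{component}/action/{action}/?{urlencode(query)}"


def check_logged_in_indicator(indicator, logged_in_body, logged_out_body):
    """A usable 'logged in' indicator matches the logged-in response and
    does NOT match the logged-out one; otherwise re-authentication would
    never (or always) trigger. Returns True only for a usable indicator."""
    pattern = re.compile(indicator)
    return bool(pattern.search(logged_in_body)) and not pattern.search(logged_out_body)


def setup_form_auth(context_name, include_regex, context_id, login_url,
                    post_data, logged_in_indicator, fetch, base=ZAP_BASE, apikey=""):
    """Issue the four API actions from the FAQ in order and return the URLs sent.

    `fetch` is any callable taking a URL and returning the response body; pass
    `lambda u: urlopen(u).read()` against a live ZAP, or a stub when offline.
    """
    if not check_logged_in_indicator(logged_in_indicator, LOGGED_IN_HTML, LOGGED_OUT_HTML):
        raise ValueError("indicator does not distinguish logged-in from logged-out responses")
    calls = [
        # 1. context/includeInContext: put the app in a context
        api_url("context", "includeInContext",
                {"contextName": context_name, "regex": include_regex}, base, apikey),
        # 2. auth/setLoginUrl: the request ZAP will replay to log in again
        api_url("auth", "setLoginUrl",
                {"contextId": context_id, "url": login_url, "postData": post_data}, base, apikey),
        # 3. auth/setLoginIndicator: how ZAP tells it is still logged in
        api_url("auth", "setLoginIndicator",
                {"contextId": context_id, "indicator": logged_in_indicator}, base, apikey),
        # 4. auth/autoReauthOn: re-send the login request when the indicator is missing
        api_url("auth", "autoReauthOn", {"contextId": context_id}, base, apikey),
    ]
    for url in calls:
        fetch(url)
    return calls


if __name__ == "__main__":
    # Offline run: record the URLs instead of contacting ZAP.
    sent = []
    setup_form_auth("MyApp", r"http://app\.example\.test/.*", 1,
                    "http://app.example.test/login",
                    "username=alice&password=PLACEHOLDER",  # constructed credentials
                    r"href='/logout'", fetch=sent.append)
    for url in sent:
        print(url)
```

Replace `fetch=sent.append` with `fetch=lambda u: urlopen(u).read()` to run the same sequence against a running ZAP; the indicator check is deliberately done locally first, because a mis-chosen indicator is the usual reason automatic re-authentication silently never fires.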
