Authentication
To set one of the Logged in/out Indicators, either type the regex directly in the
Session Properties dialog -> Authentication panel -> Logged In/Out Indicator field,
or find an authenticated message in the Sites Tree, select it, open the Response
View, select the text you wish to define as the indicator with the mouse and
choose the Flag as Context... Logged in/out indicator right-click menu option.
The main steps needed to configure authentication for a web application are the
following:
4. configure a set of users for the context that correspond directly to the
authentication method chosen for the context
Authentication methods can be used in multiple places around ZAP. Some examples
include:
Multiple authentication methods have been implemented, and the system supports
easy addition of new methods according to user needs. The main ones are
described below.
Manual Authentication
This method allows users to perform the authentication manually (e.g. authenticate in
the browser while proxying through ZAP) and then select the corresponding HTTP
session. Because the actual authentication is performed by you, this method does
not support re-authentication if the web application logs the user out.
When using this authentication method, configuring a User for the context requires
choosing an authenticated HTTP session.
Form-Based Authentication
When using this authentication method, configuring a User for the context requires
setting up the username/password pair of credentials that are used for the
form-based authentication.
If the application requires submitting the anti-CSRF token presented in the login
page, ZAP will handle it automatically, provided the token name is configured in
the Options Anti CSRF screen.
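The following Python block is an added example, not ZAP's own code. It simulates the two pieces of the form-based flow described on this page: the anti-CSRF token lifted from the login page and submitted with the credentials, and the logged in / logged out indicator regexes used to decide whether a response is still authenticated and a user must be re-authenticated. The in-memory "web app", the field names, the token name `csrf_token`, the credentials and the two indicator regexes are all constructed for illustration.

```python
# Added example, not ZAP's own code: form-based login with an anti-CSRF token,
# plus logged in / logged out indicator regexes driving re-authentication.
# The in-memory app, field names, token name, credentials and regexes are constructed.
import re
import secrets
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode


class FakeApp:
    """Constructed stand-in for the target: GET /login serves a form with a
    single-use hidden anti-CSRF token; POST /login checks token + credentials."""
    USERNAME, PASSWORD = "alice", "s3cret"  # constructed credentials

    def __init__(self):
        self.csrf_tokens = set()
        self.sessions = set()

    def get_login_page(self):
        token = secrets.token_hex(8)
        self.csrf_tokens.add(token)
        return ('<form method="post" action="/login">'
                f'<input type="hidden" name="csrf_token" value="{token}">'
                '<input name="username"><input name="password" type="password">'
                '</form>')

    def post_login(self, body):
        """Returns (response body, session id or None)."""
        fields = {k: v[0] for k, v in parse_qs(body).items()}
        if fields.get("csrf_token") not in self.csrf_tokens:
            return 'Login failed: bad CSRF token <a href="/login">Login</a>', None
        self.csrf_tokens.discard(fields["csrf_token"])  # token is single-use
        if (fields.get("username"), fields.get("password")) != (self.USERNAME, self.PASSWORD):
            return 'Login failed <a href="/login">Login</a>', None
        session = secrets.token_hex(8)
        self.sessions.add(session)
        return f'Welcome {self.USERNAME} <a href="/logout">Logout</a>', session

    def get_dashboard(self, session):
        if session in self.sessions:
            return f'Dashboard for {self.USERNAME} <a href="/logout">Logout</a>'
        return 'Session expired <a href="/login">Login</a>'

    def expire(self, session):
        """Server-side logout: the case that forces re-authentication."""
        self.sessions.discard(session)


class HiddenInputs(HTMLParser):
    """Collects name/value of hidden <input> elements from a login page."""
    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and a.get("type") == "hidden" and a.get("name"):
            self.fields[a["name"]] = a.get("value", "")


def extract_anti_csrf_token(html, token_name="csrf_token"):
    """Look up the hidden field by the token name configured in Options > Anti CSRF."""
    parser = HiddenInputs()
    parser.feed(html)
    return parser.fields.get(token_name)


# Indicator regexes, chosen so that each one matches only in its own state.
LOGGED_IN_RE = re.compile(r'href="/logout"')
LOGGED_OUT_RE = re.compile(r'href="/login"')


def is_logged_in(response_body):
    """True / False when an indicator matches; None when neither does, which
    means the chosen regexes do not cover this response and need tightening."""
    if LOGGED_IN_RE.search(response_body):
        return True
    if LOGGED_OUT_RE.search(response_body):
        return False
    return None


def form_login(app, username, password):
    """Form-based authentication: login page -> token -> credentials + token."""
    token = extract_anti_csrf_token(app.get_login_page(), "csrf_token")
    if token is None:
        raise RuntimeError("anti-CSRF token 'csrf_token' not found in login page")
    body = urlencode({"username": username, "password": password, "csrf_token": token})
    response, session = app.post_login(body)
    return session, response


def fetch_with_reauth(app, session, username, password):
    """Fetch a page; if the logged-out indicator fires, re-authenticate once."""
    body = app.get_dashboard(session)
    reauthenticated = False
    if is_logged_in(body) is False:
        session, _ = form_login(app, username, password)
        body = app.get_dashboard(session)
        reauthenticated = True
    return session, body, reauthenticated
```

The `None` branch of `is_logged_in` is the case worth watching when choosing indicators: a regex that matches neither state (or, worse, both) leaves the tool unable to tell whether a session is still valid, so check candidate regexes against one authenticated and one unauthenticated response before relying on them.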
JSON-Based Authentication
When using this authentication method, configuring a User for the context requires
setting up the username/password pair of credentials that are used for the
authentication.
HTTP/NTLM Authentication
This method is used for websites / webapps where authentication is enforced using
the HTTP or NTLM Authentication mechanisms employing HTTP message headers.
Three authentication schemes are supported: Basic, Digest and NTLM.
Re-authentication is possible, as the authentication headers are sent with every
authenticated request. Configuration can be done using the Session Contexts Dialog.
When using this authentication method, configuring a User for the context requires
setting up the username/password pair of credentials that are used for the
HTTP/NTLM authentication.
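The following Python block is an added example, not ZAP's own code. It shows how the Authorization header that this method re-sends with every request is built for two of the three schemes named above, Basic and Digest (qop=auth with MD5, as in RFC 2617), and the server-side check of a Digest response; NTLM is left out. The credentials, realm and nonce values are constructed.

```python
# Added example, not ZAP's own code: Authorization headers for the Basic and
# Digest schemes (RFC 2617, qop=auth, MD5) plus server-side Digest verification.
# NTLM is omitted. Credentials, realm and nonce values are constructed.
import base64
import hashlib
import re
import secrets

_PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_auth_params(header_value):
    """Split 'Scheme k1="v1", k2=v2, ...' into (scheme, {k: v})."""
    scheme, _, params = header_value.partition(" ")
    fields = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
              for m in _PARAM_RE.finditer(params)}
    return scheme, fields


def basic_authorization(username, password):
    """Basic: the pair is only base64-encoded, so it is plaintext to anyone on the path."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def decode_basic(header):
    """Recover the credentials from a Basic header (the encoding is reversible)."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic header")
    user, _, pwd = base64.b64decode(token).decode().partition(":")
    return user, pwd


def _md5(s):
    return hashlib.md5(s.encode()).hexdigest()


def digest_authorization(username, password, method, uri, www_authenticate,
                         cnonce=None, nc="00000001"):
    """Digest: the password never leaves the client; a new response is computed
    for every request from the server nonce, nonce count and client nonce."""
    scheme, c = parse_auth_params(www_authenticate)
    if scheme != "Digest":
        raise ValueError("not a Digest challenge")
    qop = c.get("qop", "auth")
    cnonce = cnonce or secrets.token_hex(8)
    ha1 = _md5(f'{username}:{c["realm"]}:{password}')
    ha2 = _md5(f"{method}:{uri}")
    response = _md5(f'{ha1}:{c["nonce"]}:{nc}:{cnonce}:{qop}:{ha2}')
    return (f'Digest username="{username}", realm="{c["realm"]}", nonce="{c["nonce"]}", '
            f'uri="{uri}", qop={qop}, nc={nc}, cnonce="{cnonce}", response="{response}"')


def verify_digest(authorization, method, password_lookup, expected_nonce):
    """Server side: recompute the response from the stored password and compare
    in constant time; reject unknown users, stale nonces and missing fields."""
    scheme, p = parse_auth_params(authorization)
    required = ("username", "realm", "nonce", "uri", "nc", "cnonce", "qop", "response")
    if scheme != "Digest" or any(k not in p for k in required):
        return False
    password = password_lookup(p["username"])
    if password is None or p["nonce"] != expected_nonce:
        return False
    ha1 = _md5(f'{p["username"]}:{p["realm"]}:{password}')
    ha2 = _md5(f'{method}:{p["uri"]}')
    expected = _md5(f'{ha1}:{p["nonce"]}:{p["nc"]}:{p["cnonce"]}:{p["qop"]}:{ha2}')
    return secrets.compare_digest(expected, p["response"])
```

Because the header accompanies every request, re-authentication with this method is just another request; the flip side, visible in `decode_basic`, is that a Basic header carries the credentials themselves, so it should only ever travel over TLS.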
Script-Based Authentication
This method is useful for websites / webapps where the authentication is a more
complex one and some custom scripts that handle the authentication process are
beneficial. To use this method, you must first define an Authentication script which
sends messages or performs other actions as needed by your web-application. This
script is then selected for use for a given Context and it is called whenever an
authentication is performed. Re-authentication is possible. Configuration can be
done using the Session Contexts Dialog and requires you to have the Scripts
Console ZAP Addon installed from the Marketplace.
When using this authentication method, configuring a User for the context requires
setting up the set of parameters defined in the script. For more details, see the
provided Authentication Script examples.
Configuration example
Most of the steps above also apply to the other authentication methods. The only
things that change when configuring authentication with a different method are
steps 3, 4, 5 and 6. Instead of these, select the required authentication method
from the drop-down list and configure it as needed. More details about configuring
each type of authentication can be found above and here.
Configured via
Session Contexts, for an overview of the Session Properties Dialog
See also
Anti-CSRF tokens, for an overview of anti-CSRF tokens