Leo

Reputation: 6571

OWASP ZAP Authentication - can't stop it using zap/zap

I can't get zap past the login page. It just fixates on the login and forgotten password forms.

I have followed various official HOWTOs and this FAQ but even though I have deleted the zap user, it still uses login_id=ZAP&password=ZAP when trying to log in.

I'm in standard mode, forced user mode, forced user is defined, logged in and logged out strings are defined - and I have tried others.

login form target url: https://xxx.yyy.net/affiliate_login_action.ido

login request POST data: login_id={%username%}&password={%password%}

logged in regex: \QLogout\E

logged out regex: \QAgent Login\E

I can't think what else to try.

Upvotes: 1

Views: 882

Answers (1)

Ondrej Svejdar

Reputation: 22054

The regexes don't seem right. In my experience, when you don't specify correct login/logout regexes, ZAP just uses ZAP, ZAP.

Try changing the regexes to .*\QLogout\E.* and .*\QAgent Login\E.*

Upvotes: 1
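
A way to check both forms of the indicators offline before putting them into the context, as an added example that is not part of the original question or answer and is not ZAP's own code. The response bodies and the class name are constructed for illustration; the harness reports Java's substring search (find) and whole-input match (matches) side by side, and which of the two ZAP applies is not stated on this page.

```java
import java.util.regex.Pattern;

public class IndicatorCheck {
    // Constructed sample response bodies (not captured from the site in the question).
    static final String LOGGED_IN_BODY =
        "<html>\n<body>\n<a href=\"/signout\">Logout</a>\n</body>\n</html>";
    static final String LOGGED_OUT_BODY =
        "<html>\n<body>\n<h1>Agent Login</h1>\n<form method=\"post\"></form>\n</body>\n</html>";

    // Substring search: true if the pattern occurs anywhere in the body.
    static boolean found(String regex, String body) {
        return Pattern.compile(regex).matcher(body).find();
    }

    // Whole-input match: true only if the pattern covers the entire body.
    // Without Pattern.DOTALL, '.' does not match line terminators, so a
    // ".*text.*" pattern cannot span a multi-line HTML page in this mode.
    static boolean matchesAll(String regex, String body) {
        return Pattern.compile(regex).matcher(body).matches();
    }

    public static void main(String[] args) {
        // The indicator patterns from the question and from the answer.
        String[] patterns = {
            "\\QLogout\\E", ".*\\QLogout\\E.*",
            "\\QAgent Login\\E", ".*\\QAgent Login\\E.*"
        };
        String[][] bodies = {
            {"logged-in", LOGGED_IN_BODY},
            {"logged-out", LOGGED_OUT_BODY}
        };
        // A usable pair of indicators is true on exactly one of the two bodies each.
        for (String p : patterns) {
            for (String[] b : bodies) {
                System.out.printf("%-24s %-10s find=%-5b matches=%b%n",
                    p, b[0], found(p, b[1]), matchesAll(p, b[1]));
            }
        }
    }
}
```

Replace the two constructed bodies with responses saved from an authenticated and an unauthenticated session of the application under test to see whether each indicator separates them.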
