How to perform authentication with ZAP and HTTP 302

I have been using ZAP for a while and I am familiar with its basic functionality.

Currently I am facing the following problem: I have a web application in which the login page (POST request) generates a 302 response with EMPTY content, which means that I cannot determine which string/regex I should pass to ZAP as either the logged-in or logged-out indicator.

I have tried to use a regex for the logged-in/logged-out indicator from either the login page or the home page (once the user is logged in), however this poses a problem:

1. ZAP detects the user is not logged in (because, say, the logged-in indicator string is not present).
2. ZAP automatically sends the POST request that I have flagged as form-based authentication.
3. The POST request returns an HTTP 302 with an empty body.
4. As ZAP cannot find either the login or the logout indicator in the HTTP 302 body, I am returned to the login page, so auto login does not work.

What should I do in this scenario? As I have mentioned, I have successfully used ZAP auto login for other projects/applications within seconds, but this HTTP 302 with an empty response body is posing a problem.

Any advice?

Upvotes: 0

Views: 2390

Answers (1)

Simon Bennetts

Reputation: 6186

You may well need to use scripting. Either an authentication script or an http_sender script that automatically follows the redirect. Might be easier to discuss this in more detail on the ZAP User Group: http://groups.google.com/group/zaproxy-users

Cheers,

Simon (ZAP Project Lead)

Upvotes: 2
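The first option in the answer above, an authentication script, can handle the empty 302 by following the redirect itself and returning the final page to ZAP, so the logged-in/logged-out indicators are matched against a page that actually has content. The script below is an added example for ZAP's script-based authentication (JavaScript engine); it is not code from the question, the answer or the ZAP project. It assumes the login form posts `username` and `password` fields, that a `loginUrl` parameter is configured in the context's script-based authentication settings, and that ZAP's HttpSender keeps the session cookies set on the 302 when the follow-up GET is sent. `resolveRedirect` and `isRedirect` are plain JavaScript helpers so the redirect logic can be checked outside ZAP.

```javascript
// ZAP authentication script: form-based login that follows the 302 redirect
// so the logged-in/logged-out indicators are checked against the final page.
// Added example, not the ZAP project's code. Assumptions: form fields
// "username"/"password", a "loginUrl" script parameter, cookie handling by ZAP.

var MAX_REDIRECTS = 5; // guard against redirect loops on a broken login

// Resolve a Location header value against the URL the request was sent to.
// Pure JavaScript (no ZAP/Java types) so it can be tested outside ZAP.
function resolveRedirect(requestUrl, location) {
    if (!location) return null;
    if (/^https?:\/\//i.test(location)) return location;        // absolute
    var m = requestUrl.match(/^(https?:\/\/[^\/]+)(\/.*)?$/i);
    if (!m) return null;
    var origin = m[1];
    if (location.charAt(0) === "/") return origin + location;  // root-relative
    var path = m[2] || "/";                                    // path-relative
    var base = path.substring(0, path.lastIndexOf("/") + 1);
    return origin + base + location;
}

function isRedirect(statusCode) {
    return statusCode === 301 || statusCode === 302 || statusCode === 303 ||
           statusCode === 307 || statusCode === 308;
}

// Called by ZAP when it detects the user is logged out.
function authenticate(helper, paramsValues, credentials) {
    var HttpRequestHeader = Java.type("org.parosproxy.paros.network.HttpRequestHeader");
    var HttpHeader = Java.type("org.parosproxy.paros.network.HttpHeader");
    var URI = Java.type("org.apache.commons.httpclient.URI");

    var loginUrl = paramsValues.get("loginUrl");
    var body = "username=" + encodeURIComponent(credentials.getParam("username")) +
               "&password=" + encodeURIComponent(credentials.getParam("password"));

    var msg = helper.prepareMessage();
    msg.setRequestHeader(new HttpRequestHeader(HttpRequestHeader.POST,
                                               new URI(loginUrl, false), HttpHeader.HTTP11));
    msg.getRequestHeader().setHeader(HttpHeader.CONTENT_TYPE, "application/x-www-form-urlencoded");
    msg.setRequestBody(body);
    msg.getRequestHeader().setContentLength(msg.getRequestBody().length());
    // followRedirect=false: we follow the 302 ourselves so each hop is visible
    // and the message returned to ZAP is the final page, not the empty 302.
    helper.sendAndReceive(msg, false);

    var current = msg;
    var currentUrl = loginUrl;
    var hops = 0;
    while (isRedirect(current.getResponseHeader().getStatusCode()) && hops < MAX_REDIRECTS) {
        var target = resolveRedirect(currentUrl,
                                     current.getResponseHeader().getHeader(HttpHeader.LOCATION));
        if (target === null) break;
        var next = helper.prepareMessage();
        next.setRequestHeader(new HttpRequestHeader(HttpRequestHeader.GET,
                                                    new URI(target, false), HttpHeader.HTTP11));
        helper.sendAndReceive(next, false);
        current = next;
        currentUrl = target;
        hops++;
    }
    // ZAP runs the logged-in/logged-out indicator regexes on this message,
    // so return the landing page that actually carries content.
    return current;
}

function getRequiredParamsNames() { return ["loginUrl"]; }
function getOptionalParamsNames() { return []; }
function getCredentialsParamsNames() { return ["username", "password"]; }
```

With this script loaded as a ZAP authentication script and the context switched to script-based authentication, the logged-in indicator can be taken from the page the 302 lands on (for example a logout link on the home page), since that is the response ZAP now sees after each automatic re-login.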
