Sunil Dutt
Reputation: 13
How to pass userid and password while doing automated scan in OWASP ZAP
Passing user id and password to login page via OWASP ZAP
Hi, I am doing a OWASP ZAP test by building small application with Login and Landing page, but not sure how can i pass userid and password to login page via ZAP Automated scan so that it can scan the landing page,please help.
Upvotes: 1
Views: 5442
Answers (1)
Simon Bennetts
Reputation: 6186
Theres a FAQ for that ;) https://github.com/zaproxy/zaproxy/wiki/FAQformauth
Via the UI:
- Explore your app while proxying through ZAP
- Login using a valid username and password
- Define a Context, eg by right clicking the top node of your app in the Sites tab and selecting "Include in Context"
- Find the 'Login request' in the Sites or History tab
- Right click it and select "Flag as Context" / " Form-based Auth Login request"
- Check that the Username and Password parameters are set correctly - they almost certainly wont be!
- Find a string in a response which can be used to determine if the user is logged in or not
- Highlight this string, right click and select "Flag as Context" / " Logged in/out Indicator" as relevant - you only need to set one of these, not both
- Double click on the relevant Context node and navigate to the "Users" page - check the user details are correct, add any other users you want to use and enable them all
- Navigate to the Context "Forced User" page and make sure the user you want to test is selected
- The "Forced User Mode disabled - click to enable" button should now be enabled
- Pressing this button in will cause ZAP to resend the authentication request whenever it detects that the user is no longer logged in, ie by using the 'logged in' or 'logged out' indicator.
Via the API the process is the same but using the API calls:
- context/includeInContext
authentication/setAuthenticationMethod
- authMethodName : formBasedAuthentication
- authMethodConfigParams : loginUrl=http://example.com/login.html&loginRequestData=username%3D%7B%25username%25%7D%26password%3D%7B%25password%25%7D authentication/setLoginIndicator or setLogoutIndicator forcedUser/setForcedUserModeEnabled
The values for
authMethodConfigParams parameters must be URL encoded, in this case loginRequestData is username={%username%}&password={%password%}
Upvotes: 4
Related Questions
- How to login and scan with OWASP Zap
- OWASP ZAP, how to authenticate using Form-based Auth Login context and POST request
- Run a active scan from OWASP ZAP through Ubuntu command line using Open API Definition
- How to run ZAP scan in command line?
- Read OTP from DataBase for OWASP ZAP authentication
- Passive Scan in OWASP ZAP Authentication
- Adding authentication in ZAP tool to attack a URL
- Authentication script not executed before run active scan or crawling
- ZEST script authentication using OWASP ZAP
- OWASP ZAP Passive scan script