Authentication Helper on ZAP

Authentication Request Identification

Mon, 01 Jan 0001 00:00:00 +0000

Authentication Request Identification

This add-on includes a passive scan rule which attempts to identify authentication requests.
It identifies authentication requests by the presence of commonly used username and password field names. It also uses commonly used URL segments to identify more likely authentication requests, and uses commonly used registration URL segments to ignore registration requests.

Auto-Detect Authentication

Mon, 01 Jan 0001 00:00:00 +0000

Auto-Detect Authentication

This add-on adds a new authentication type which you can use to indicate that the Authentication Request Identification passive scan rule should attempt to configure the Authentication method automatically.

Browser Based Authentication

Mon, 01 Jan 0001 00:00:00 +0000

Browser Based Authentication

This add-on adds a new authentication method which uses a browser to login to the target website.

The authentication method requires the login URL and user credentials to perform the authentication. By default it automatically attempts to find suitable fields for the username and for the password, in the same page and multiple pages (i.e. password field is only made visible when the username has been entered).

Session Management Identification

Mon, 01 Jan 0001 00:00:00 +0000

Session Management Identification

This add-on includes a passive scan rule which attempts to identify session management methods.
It identifies session management methods by the presence of commonly used session management identifiers and any values specified in Authorization request headers.

The rule will not attempt to identify very unusual session management methods - automation is one of the end goals so false negatives (missing unusual session management methods) are more desirable than false positives (incorrectly identifying a session management method).

Client Script Authentication

Mon, 01 Jan 0001 00:00:00 +0000

Client Script Authentication

This add-on adds a new authentication type which uses a browser to login to the target website.

This functionality leverages Zest scripts (which may have been recorded via the ZAP Browser Extension) to login.

Automation Framework

Client Script Authentication can be configured in the environment section of an Automation Framework plan using:

Auto-Detect Session Management

Mon, 01 Jan 0001 00:00:00 +0000

Auto-Detect Session Management

This add-on adds a new Session Management type which you can use to indicate that the Session Management Request Identification passive scan rule should attempt to configure the Session Management method automatically.

Header Based Session Management

Mon, 01 Jan 0001 00:00:00 +0000

Header Based Session Management

This add-on adds a new session management type which supports an arbitrary number of headers.

If used in conjunction with Browser Based Authentication or Client Script Authentication then it will also maintain all of the cookies and any headers with names containing the strings “auth” or “csrf” (ignoring case) set as part of authentication.

Verification Request Identification

Mon, 01 Jan 0001 00:00:00 +0000

Verification Request Identification

This add-on includes a passive scan rule which attempts to identify Verification requests.
Verification requests are the requests that ZAP uses to tell if a session is still valid.

Unlike the other identification scan rules in this add-on, this rule will only raise alerts if you have indicated that you want to use verification auto-detection for a specific context. Due to the way the ZAP 2.12 core works it is not currently possible to add a new Verification Method Type dynamically. Instead you will need to:

Authentication Tester Dialog

Mon, 01 Jan 0001 00:00:00 +0000

Authentication Tester Dialog

This dialog allows you to test if ZAP can authenticate and automatically handle the session handling and verification for a site given only the login page and credentials.

Fields

The following fields are provided:

Report Templates

Mon, 01 Jan 0001 00:00:00 +0000

Report Templates

This add-on provides the following report templates:

Name / Link to Details, Screenshot/Sample	ID	Format	Sections	Themes
Authentication Report - JSON	auth-report-json	JSON	Yes

Authentication Report - JSON

Mon, 01 Jan 0001 00:00:00 +0000

Authentication Report - JSON

This is a specialized report which details how authentication handling worked for the given site.

You must specify the site you want the report for otherwise no data will be generated.

This report is designed to be run after attempting to access at least one authenticated URL with the authentication method set up correctly and with valid credentials.