Getting Further with Authentication on ZAP

Authentication - Concepts

Mon, 01 Jan 0001 00:00:00 +0000

These are the concepts that you will need to understand in order to configure authentication in ZAP.

Contexts

ZAP contexts are a way of relating a set of URLs together. You can define any contexts you like, but it is expected that a context will correspond to a web application.

Authentication - Documented SSO Solutions

Mon, 01 Jan 0001 00:00:00 +0000

The following SSO providers have documented solutions for automation.

We will aim to test ZAP with as many of these providers as possible in order to provide specific ZAP integration details. If you would like to help with this effort then please get in touch 😁.

Keycloak

Documentation: https://www.keycloak.org/docs/latest/securing_apps/#_resource_owner_password_credentials_flow
Test service: none

Suggested way to get a session token using a direct grant:

Authentication - Make your Life Easier

Mon, 01 Jan 0001 00:00:00 +0000

Authentication is a key way of restricting access to an app. Some authentication mechanisms also make it significantly harder to use tools like ZAP, even for those people who have permission to use them.

Test in a Safe Environment

Testing with valid credentials in a production environment is a really bad idea. You will pollute data stores with invalid data and you always run the risk of taking the service down or impacting valid users in some other way.

Authentication - Manual

Mon, 01 Jan 0001 00:00:00 +0000

If you are just performing manual testing then authentication is generally easier.

With manual testing you should be exploring the target app manually with a browser that is proxying through ZAP. In this case you can just use the valid credentials in the browser and in most cases you will be logged in.

Authentication - Session Handling

Mon, 01 Jan 0001 00:00:00 +0000

If ZAP is handling authentication then it needs to handle sessions as well - logging in is of no use if ZAP does not maintain the session as the target app will just treat ZAP as being unauthenticated.

Session management configuration is part of a ZAP context.

In the ZAP desktop it is configured via the Context Session Management screen.
In the Automation Framework it is part of a context defined in the environment.
In the API it is configured via endpoints underneath the sessionManagement component.

ZAP supports Cookie and HTTP Authentication Session Management out of the box.

Authentication Methods

Mon, 01 Jan 0001 00:00:00 +0000

Authentication Methods are the means by which ZAP actually authenticates to a web app.

The following methods are supported:

Manual Authentication

This is the default method, and means that you are handling authentication yourself.

Auto-Detection

Mon, 01 Jan 0001 00:00:00 +0000

ZAP has options for auto-detecting all of the different parts of authentication that it requires. If they work for your apps then it will make your life considerably easier, so this is the best place for you to start.

Authentication Tester Dialog

The Authentication Tester Dialog is a quick and easy way to check if ZAP can automatically detect all of the information it needs - you only need to provide the URL of your login page and valid credentials.

Diagnosing Authentication Problems

Mon, 01 Jan 0001 00:00:00 +0000

If you ask a question related to authentication on one of the ZAP forums then you will be directed here.

We know that the ZAP authentication documentation needs improving. One of the reasons why it has not been improved is that we are too busy trying to answer authentication questions 😉.

Finding a Verification URL

Mon, 01 Jan 0001 00:00:00 +0000

If you need to set up ZAP to handle authentication then you really need to find a suitable verification URL in your app.

You should always try Auto Detection first as if this works it will find a suitable verification URL for you.

The verification URL will be one that you can request from the Manual Request Editor dialog and which will send a response that allows you to work out whether you are logged in or not. What that looks like will entirely depend on your app, but could be something like:

Handling Authentication Yourself (in Automation)

Mon, 01 Jan 0001 00:00:00 +0000

If you can generate an authentication token (e.g. to use in a header or cookie) and you know that your app will not invalidate it while you are using ZAP then one option is to handle authentication yourself.

In this case you take on the responsibility for handling the authentication and session handling. This means that you do not have to configure ZAP as much but it also means that ZAP will not be able to help you as much.