Authentication in ZAP

Hi all. In this article, I will describe how to configure authentication in Zed Attack Proxy, aka ZAP.

First of all, we need to configure the proxy settings. To do this, open ZAP and go to Tools –> Options

Then click “LocalProxy” and fill in “Address” with “localhost” and “Port” with “8484”. (Note: the port value is changeable; you can set any unused port number.)

After that, configure the same proxy in Firefox or Chrome. I chose Firefox: open Firefox and go to
Tools –>Options –> Advanced –> Network –> Settings

Then select “Manual proxy configuration” and set the IP address and port to the same values we entered in ZAP.

Then visit the URL you want to test; you will see that ZAP captures the requests and responses.

After these settings, log in to the site with your credentials.

In the left pane, select the website you are testing and include it in a Context as shown below.

Then find your login page’s POST request, right-click it and add it as a Form-based Auth Login Request as shown below.
Flag as Context –> Default Context: Form-based Auth Login Request

ZAP then fills in “Login Request POST Data” automatically; after that, you have to select the username and password parameters from the dropdowns.

Then click “Users” and add a user.

For the “Regex pattern identified in Logged in response messages” part, check your login response and select a distinctive part that only appears when you are logged in, such as “click to logout”.

ZAP then sets the logged-in response message pattern automatically.

Finally, you can test your settings. Right-click the login POST request and click Resend.

Send Login Request

Check the login response, which contains the user information and a 200 OK status.

Now we can run our security tests with these login credentials.
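The same dialog steps driven through the ZAP API instead of the GUI, as an added example that is not part of the original post. It also sanity-checks a candidate logged-in regex against constructed sample responses before it is handed to ZAP, which is where most authentication setups go wrong. The helper functions are mine; the client calls (`new_context`, `include_in_context`, `set_authentication_method`, `set_logged_in_indicator`, `new_user`, `set_authentication_credentials`, `set_user_enabled`) follow the python-owasp-zap-v2.4 client as I know it, and the `{%username%}`/`{%password%}` placeholder format is an assumption to confirm against your ZAP version.

```python
"""Scripting ZAP form-based authentication (added example, not the post's code).

Helper functions are mine; the zapv2 client calls are as I know them from
python-owasp-zap-v2.4 and should be checked against your ZAP version.
"""
import re
from urllib.parse import quote

# Constructed sample login responses, not captured from a real site.
LOGIN_OK_BODY = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    "<html><body>Welcome back! <a href='/logout'>click to logout</a></body></html>"
)
LOGIN_FAIL_BODY = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    "<html><body><form action='/login'>Invalid credentials, please try again</form></body></html>"
)


def build_form_auth_params(login_url, user_param, pass_param, extra_fields=None):
    """Return the authMethodConfigParams string for ZAP's formBasedAuthentication.

    {%username%} and {%password%} are ZAP's placeholders (assumed format): ZAP
    replaces them with each user's credentials at login time, so they stay
    literal here. loginRequestData is URL-encoded because it is nested inside
    another key=value string; the GUI builds the same thing behind the dialog.
    """
    fields = [(user_param, "{%username%}"), (pass_param, "{%password%}")]
    # Static extra fields only (e.g. remember-me flags); tokens that change per
    # request need ZAP's anti-CSRF token handling instead.
    fields += list((extra_fields or {}).items())
    post_data = "&".join(f"{name}={value}" for name, value in fields)
    return f"loginUrl={quote(login_url)}&loginRequestData={quote(post_data)}"


def build_credentials_params(username, password):
    """Return the authCredentialsConfigParams string for one ZAP user."""
    return f"username={quote(username)}&password={quote(password)}"


def indicator_is_reliable(pattern, logged_in_msgs, logged_out_msgs):
    """True only if the regex matches every logged-in message and no logged-out one.

    ZAP evaluates the indicator (a Java regex) against the whole response,
    headers included, so a status line such as "200 OK" is a poor indicator:
    a failed login usually returns 200 as well. Python's re is close enough to
    check a candidate before pasting it into the Users/Authentication dialog.
    """
    rx = re.compile(pattern)
    hits_all_in = all(rx.search(m) for m in logged_in_msgs)
    hits_no_out = not any(rx.search(m) for m in logged_out_msgs)
    return hits_all_in and hits_no_out


def configure_form_auth(zap, context_name, site_regex, login_url, user_param,
                        pass_param, username, password, logged_in_regex):
    """Drive a connected zapv2.ZAPv2 client through the steps from the post.

    Returns (context_id, user_id) as reported by ZAP. A fresh context name is
    used because ZAP already ships with a "Default Context".
    """
    context_id = zap.context.new_context(context_name)              # Include in Context
    zap.context.include_in_context(context_name, site_regex)
    zap.authentication.set_authentication_method(                   # Form-based Auth Login Request
        context_id, "formBasedAuthentication",
        build_form_auth_params(login_url, user_param, pass_param))
    zap.authentication.set_logged_in_indicator(context_id, logged_in_regex)
    user_id = zap.users.new_user(context_id, username)              # Users -> add a user
    zap.users.set_authentication_credentials(
        context_id, user_id, build_credentials_params(username, password))
    zap.users.set_user_enabled(context_id, user_id, "true")
    return context_id, user_id


if __name__ == "__main__":
    indicator = r"click to logout"
    print("indicator reliable:",
          indicator_is_reliable(indicator, [LOGIN_OK_BODY], [LOGIN_FAIL_BODY]))
    print(build_form_auth_params("http://localhost:8080/login", "username", "password"))
```

To run it against a live ZAP, install the client (`pip install python-owasp-zap-v2.4`), create `ZAPv2(proxies={'http': 'http://localhost:8484', 'https': 'http://localhost:8484'}, apikey='<your API key>')` with the port from the LocalProxy settings above, and pass that object as `zap`. Check `indicator_is_reliable` with both a successful and a failed login response first; an indicator that matches both (such as the 200 status line) makes ZAP believe it is logged in when it is not, and the scan then runs unauthenticated without any error.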

Happy testing! ;)

-Onur
