Script-Based Authentication
- Username and Password
- This allows you to configure the username and password for a User that may be used during Attack Mode actions (Spider Scan and Active Scan).
- Logged in Indicator
- The Logged in indicator, when present in a response message (either the header or the body), signifies that the response message corresponds to an authenticated request.
e.g. presence of a logout link or a "Welcome back, User X" pattern.
Info: The indicator should be a regex in the form of:
.\Qlogout=\E.
- Script
- Name of the script to load.
Required: To use this authentication method, you first need to write (and save) an Authentication Script. See here for details.
Required: The username parameter (variable name) in the script (.js or .zst) needs to be Username (case sensitive). The password parameter (variable name) in the script (.js or .zst) needs to be Password (case sensitive).
Info: Your authentication scripts should be stored under the path given above for ZAP Settings.
e.g. If ZAP Settings = C:\Users\<USER_ID>\OWASP ZAP_D then the scripts should be saved under C:\Users\<USER_ID>\OWASP ZAP_D\scripts\scripts\authentication
- Add Authentication Script Parameter(s)
- This field allows you to add ZAP authentication script parameters.
Notice: Parameter Names and Parameter Values are case sensitive.
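
For the Logged in Indicator setting described earlier, the following added example (not code from ZAP or from this plugin) checks an indicator offline against constructed sample responses before it is used in a scan. The function names and sample responses are assumptions, and the unanchored search of header and body is an assumed approximation of how the indicator is applied.

```javascript
// Added example (not ZAP or plugin code). ZAP evaluates the indicator as a Java
// regex; JavaScript has no \Q...\E quoting, so quoted spans become escaped literals.
// Assumption: the rest of the pattern uses syntax valid in both engines.
function javaQuoteToJs(pattern) {
  let out = "";
  for (let i = 0; i < pattern.length; i++) {
    if (pattern[i] !== "\\") { out += pattern[i]; continue; }
    if (pattern[i + 1] !== "Q") {            // ordinary escape: copy both characters
      out += pattern.slice(i, i + 2);
      i++;
      continue;
    }
    let end = pattern.indexOf("\\E", i + 2); // an unterminated \Q quotes to the end
    if (end === -1) end = pattern.length;
    out += pattern.slice(i + 2, end).replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
    i = end + 1;
  }
  return out;
}

// The indicator may appear in the header or the body, so both are searched.
// Assumption: an unanchored search, not a whole-message match.
function isLoggedIn(indicator, response) {
  const re = new RegExp(javaQuoteToJs(indicator));
  return re.test(response.header) || re.test(response.body);
}

// Constructed sample responses (not captured from a real application).
const SAMPLES = {
  bodyLink: { header: "HTTP/1.1 200 OK", body: '<a href="/account?logout=1">Log out</a>' },
  headerLink: { header: 'HTTP/1.1 200 OK\r\nLink: </session?logout=true>; rel="logout"', body: "{}" },
  loginPage: { header: "HTTP/1.1 200 OK", body: '<form action="/login" method="post">' },
};

const INDICATOR = ".\\Qlogout=\\E."; // the form given on this page

// Returns { sampleName: true|false } for every constructed sample.
function checkSamples(indicator) {
  const result = {};
  for (const [name, response] of Object.entries(SAMPLES)) {
    result[name] = isLoggedIn(indicator, response);
  }
  return result;
}

console.log(checkSamples(INDICATOR));
```

An indicator that also matches the login page, or any other unauthenticated response, would make unauthenticated responses look authenticated, so it is worth testing against at least one logged-out response as well.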