Jenkins : zap-plugin Script-Based Auth

Script-Based Authentication

  1. Username and Password
    • This allows you to configure the username and password for a User that may be used during Attack Mode actions (Spider Scan and Active Scan).
  2. Logged in Indicator
    • The Logged in Indicator is a pattern that, when present in a response message (either the header or the body), signifies that the response corresponds to an authenticated request. ZAP checks for it to decide whether the session is still authenticated and re-runs the authentication script when it is missing.

      e.g. presence of a logout link or a Welcome back, User X pattern.

      Info: The indicator should be a regex in the form of: .\Qlogout=\E. The \Q...\E quoting matches the enclosed text literally, so characters such as "?" or "." in a link do not need to be escaped individually.

  3. Script
    • Name of the script to load.

      Required: To use this authentication method, you first need to write (and save) an Authentication Script; see the ZAP scripting documentation for details.

      Required: The username parameter (variable name) in the script (.js or .zst) needs to be Username (case sensitive). The password parameter (variable name) in the script (.js or .zst) needs to be Password (case sensitive).

      Info: Your authentication scripts should be stored under the path given above for ZAP Settings.
      e.g. If ZAP Settings = C:\Users\<USER_ID>\OWASP ZAP_D
      then the scripts should be saved under C:\Users\<USER_ID>\OWASP ZAP_D\scripts\scripts\authentication

  4. Add Authentication Script Parameter(s)
    • This field allows you to add the ZAP authentication script parameters, i.e. the names the script declares in getRequiredParamsNames() and getOptionalParamsNames().

      Notice: Parameter Names and Parameter Values are case sensitive.
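The following is an added example of an authentication script that satisfies the requirements above; it is not code shipped with the Jenkins zap-plugin or with ZAP. It declares the credential parameters "Username" and "Password" exactly as the plugin requires, and the script parameters "Login URL", "Username field" and "Password field" are names assumed for this example (they are what you would enter under "Add Authentication Script Parameter(s)"). The request is built with HttpMessage.setRequestHeader(String) rather than Java.type() lookups, so the same file can be unit-tested outside ZAP with a stub helper.

```javascript
// ZAP script-based authentication script (ECMAScript engine).
// Added example for this page; not code from the Jenkins zap-plugin or ZAP.
// Save it as <ZAP home>/scripts/scripts/authentication/form-login.js and
// select it in the job's "Script" field. The parameter names "Login URL",
// "Username field" and "Password field" are assumptions for this example;
// the credential names "Username" and "Password" are the ones the plugin requires.

// Parameters the job must supply via "Add Authentication Script Parameter(s)"
// (names and values are case sensitive).
function getRequiredParamsNames() {
  return ["Login URL", "Username field", "Password field"];
}

function getOptionalParamsNames() {
  return [];
}

// Credential parameter names: must be exactly "Username" and "Password"
// (case sensitive) for the Jenkins plugin to fill them in.
function getCredentialsParamsNames() {
  return ["Username", "Password"];
}

// Build an application/x-www-form-urlencoded body. Values are percent-encoded so
// a password containing '&', '=' or spaces cannot break the body or add fields.
function buildLoginBody(userField, passField, username, password) {
  return encodeURIComponent(userField) + "=" + encodeURIComponent(username) +
    "&" + encodeURIComponent(passField) + "=" + encodeURIComponent(password);
}

// Build the raw request header for HttpMessage.setRequestHeader(String).
// The request line carries the absolute URL; the Host header is derived from it.
function buildLoginHeader(loginUrl) {
  var m = /^https?:\/\/([^\/?#]+)/.exec(loginUrl);
  if (!m) {
    throw new Error("Login URL must be absolute (http:// or https://): " + loginUrl);
  }
  return "POST " + loginUrl + " HTTP/1.1\r\n" +
    "Host: " + m[1] + "\r\n" +
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n";
}

// Called by ZAP whenever it decides the session is no longer authenticated
// (for example when the Logged in Indicator is missing from a response).
// helper: AuthenticationHelper, paramsValues: Map of script parameters,
// credentials: GenericAuthenticationCredentials.
function authenticate(helper, paramsValues, credentials) {
  var loginUrl = paramsValues.get("Login URL");
  var body = buildLoginBody(
    paramsValues.get("Username field"),
    paramsValues.get("Password field"),
    credentials.getParam("Username"),
    credentials.getParam("Password"));

  var msg = helper.prepareMessage();
  msg.setRequestHeader(buildLoginHeader(loginUrl));
  msg.setRequestBody(body);
  msg.getRequestHeader().setContentLength(msg.getRequestBody().length());

  helper.sendAndReceive(msg);
  // ZAP applies the Logged in Indicator regex to this message's response.
  return msg;
}
```

With this script selected, the Username and Password fields of the job populate the two credential parameters, and the three script parameters must be added by name in "Add Authentication Script Parameter(s)". The script deliberately uses only var/function syntax so it runs on both the Nashorn and Graal.js engines ZAP has shipped.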

