We’re using the automation plan to test whether the endpoints have proper authorization. I’ve had some success combining the Replacer and Requestor, but there’s one missing piece — the ability to pass a variable from one request to the next.
For example:
The Job Requestor sends a request to .../list as a user.
The next request retrieves the first item from that list using .../get(<first_item>).
Is it currently possible to pass data between requests within the automation plan, or is that something planned for a future update?
Hi Simon,
Thanks for getting back to me! I had looked into the Zest script before, but I wasn’t sure how to integrate the authentication process available with the automation plan with the Zest script. That is, how to integrate the headers so that it includes the correct tokens after automatically logging in.
The objective is to confirm that the portal used by the company is still properly secure and correctly authenticated at updates. Ideally this would mean checking that the CRUD of each feature still matches the documented specs for what each role can access. Ideally this would be a mapping of the walkthrough of the highest privilege access, then a repeat of the walkthrough on a lower access with correct 401 status returns. With just the requestor, we can check most pages, but not the creation and deletion features, as that would require accessing the new unique id which isn’t known prior to creation.
With the Zest script, is it possible to get the authentication token from ZAP’s process and then use that in sending requests along with creating variables from the response to be used in sending further responses?
Regards,
Declan
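The chained check described in this thread (create as the highest-privilege role, capture the new id from the response, replay the operations as a lower role and compare status codes with the spec), as an added Python example that is not part of the original posts and does not use ZAP's or Zest's API. The in-memory `FakePortal`, its paths, tokens and the role spec are constructed assumptions so the example runs offline; `send` would be replaced by a real HTTP client.

```python
import json

class FakePortal:
    """Constructed in-memory stand-in for the portal (paths, tokens, roles are assumptions)."""
    ROLES = {"admin-token": "admin", "viewer-token": "viewer"}

    def __init__(self, enforce_delete=True):
        self.items, self.next_id = {}, 1000
        self.enforce_delete = enforce_delete   # False simulates a regression after an update

    def send(self, method, path, token, body=None):
        role = self.ROLES.get(token)
        if role is None:
            return 401, ""
        if (method, path) == ("POST", "/items"):
            if role != "admin":
                return 401, ""
            self.next_id += 1
            self.items[self.next_id] = body
            return 201, json.dumps({"id": self.next_id})
        item_id = int(path.rsplit("/", 1)[1])
        if item_id not in self.items:
            return 404, ""
        if method == "GET":
            return 200, json.dumps(self.items[item_id])
        if method == "DELETE":
            if role != "admin" and self.enforce_delete:
                return 401, ""
            del self.items[item_id]
            return 204, ""
        return 405, ""

def check_role(send, high_token, low_token, expected):
    """Create as the high role, read the new id from the response, then replay
    each operation on that id as the low role and compare with the spec."""
    status, body = send("POST", "/items", high_token, {"name": "probe"})
    if status != 201:
        raise RuntimeError(f"setup create failed with {status}")
    item_id = json.loads(body)["id"]           # the value carried into later requests
    findings = []
    for method, path in (("POST", "/items"), ("GET", f"/items/{item_id}"),
                         ("DELETE", f"/items/{item_id}")):
        status, _ = send(method, path, low_token, {"name": "probe"})
        if status != expected[method]:
            findings.append((method, expected[method], status))
    send("DELETE", f"/items/{item_id}", high_token)   # clean up; 404 if already deleted
    return findings

# Documented spec for the low role (assumed): may read, may not create or delete.
VIEWER_SPEC = {"POST": 401, "GET": 200, "DELETE": 401}
```

Each finding is a `(method, expected_status, actual_status)` tuple, so an empty list means the low role's responses still match the spec.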