ZAP Authentication not working


Ashok Kumar

Jan 14, 2018, 2:30:29 PM
to OWASP ZAP User Group

Trying to use ZAP 2.7.0 for spidering against my internal JavaScript-based website. I used the AJAX spider but I see that it is entering a random username even after doing the proper configuration. Also tried using Zest-based recording for authentication, but same issue. I did the following:

  1. Launched Firefox from ZAP and logged into the website. Now I can see my website under the "Sites" tab.
  2. Defined a new context and added my site into it.
  3. Selected the POST Login request for my site, right-clicked and selected "Flag as Context" / "Form-based Auth Login request".
  4. Configured the Username and Password parameters correctly under "Authentication" in the context.
  5. Set the Log in and Log out indicators.
  6. Created a new user with a valid username and password (same as what was used in the POST Login mentioned in step 3) under the "Users" option in the context.

After doing the above steps, tried to run the following:

  1. Ran "Ajax Spider" using the above context and the user. I see ZAP launching Firefox, then it opens my website login page but enters a random username; eventually login fails and the spider stops. Expected it to use the Username and Password configured in the above steps and crawl further after a successful login.

  2. Just to check if ZAP is able to spider, I ran the "Spider" (normal Spider option) and I see it uses "ZAP" as both username and password in the POST Login request; eventually login fails and it is not able to spider further. Expected it to use the Username and Password configured in the above steps, as "Spider" was run as this user in the context.

Please let me know if I'm missing something here or if there is a genuine issue with ZAP.
Looking forward to your help. Thanks.

Michal Kraus

Jan 15, 2018, 4:21:13 AM
to OWASP ZAP User Group

Ashok Kumar

Jan 16, 2018, 12:54:22 AM
to OWASP ZAP User Group
Thanks for the update, Michal. Do you have a problem with form-based authentication or with script-based (Zest) authentication? I face the issue with form-based authentication and also with script-based authentication. Any idea if ZAP 2.6.0 works fine?

Michal Kraus

Jan 16, 2018, 2:30:51 AM
to OWASP ZAP User Group
I have a problem with script-based (Zest) authentication. I didn't check form-based authentication.
Probably a change in ZAP core (https://github.com/zaproxy/zaproxy/issues/4079) has broken this, as script authentication is not working with lower versions of Zest (tried v24 and v25).

thc...@gmail.com

Jan 16, 2018, 6:25:26 AM
to zaprox...@googlegroups.com
Hi.

If the normal spider is sending ZAP/ZAP and the AJAX Spider is sending random data, it means that the authentication was not successful. That's the default behaviour when dealing with forms.

Could you check https://github.com/zaproxy/zaproxy/wiki/FAQformauth#diagnosing-problems to know if there's something wrong with the auth setup?

Best regards.

On 14/01/18 19:30, Ashok Kumar wrote:
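Added example, not code from ZAP or from anyone in this thread: a small offline helper that builds the form-based authentication parameter string the ZAP API expects (with the `{%username%}`/`{%password%}` tokens URL-encoded), classifies what the spider actually posted to the login form using the ZAP/ZAP and random-data rule above, and approximates the logged-in/logged-out indicator check. The login URL, form field names, regexes and sample POST bodies are all assumed or constructed.

```python
"""Offline checks for a ZAP form-based authentication setup (constructed example)."""
import re
from urllib.parse import parse_qs, quote

# ZAP replaces these tokens in the login request POST data with the
# credentials of the context user the spider/scan is run as.
USERNAME_TOKEN = "{%username%}"
PASSWORD_TOKEN = "{%password%}"


def form_auth_params(login_url: str, user_field: str, pass_field: str) -> str:
    """Build the authMethodConfigParams value for formBasedAuthentication.

    Both loginUrl and loginRequestData have to be URL-encoded, tokens included;
    an unencoded '&' or '=' inside them is a common reason the login POST is
    sent with wrong or empty fields.
    """
    request_data = f"{user_field}={USERNAME_TOKEN}&{pass_field}={PASSWORD_TOKEN}"
    return (f"loginUrl={quote(login_url, safe='')}"
            f"&loginRequestData={quote(request_data, safe='')}")


def classify_login_attempt(post_body: str, user_field: str,
                           pass_field: str, expected_user: str) -> str:
    """Classify the credentials actually sent in a captured login POST body.

    'configured'  -> the context user's username was used (auth is wired up)
    'zap-default' -> ZAP/ZAP, i.e. the traditional spider ran without a usable user
    'random'      -> anything else, e.g. the AJAX spider filling the form with noise
    """
    fields = parse_qs(post_body, keep_blank_values=True)
    user = fields.get(user_field, [""])[0]
    password = fields.get(pass_field, [""])[0]
    if user == expected_user:
        return "configured"
    if user == "ZAP" and password == "ZAP":
        return "zap-default"
    return "random"


def logged_in(response_body: str, logged_in_regex: str, logged_out_regex: str) -> bool:
    """Simplified indicator check (assumption, not ZAP's exact rule):
    the logged-in regex must match and the logged-out regex must not."""
    return (re.search(logged_in_regex, response_body) is not None
            and re.search(logged_out_regex, response_body) is None)
```

Run `classify_login_attempt` over the login POST captured in the History tab: a `zap-default` or `random` result means the context user was never authenticated, so the indicators and login request, not the spider, are what to fix.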

Ashok Kumar

Jan 16, 2018, 9:05:58 AM
to OWASP ZAP User Group
Followed all the steps listed at this link: https://github.com/zaproxy/zaproxy/wiki/FAQformauth#diagnosing-problems

But I still face the same issue. Have you tried form-based authentication for a JavaScript-based website, and does it work fine?
Am I missing anything else here?

Ashok Kumar

Jan 22, 2018, 7:49:05 AM
to OWASP ZAP User Group
Hi guys, please help me here if anyone has come across the same issue or if you have any suggestions.