ZAP Authentication Issue for Form based Authentication


Manali Bandivadekar

Jan 5, 2026, 2:50:26 AM
to ZAP Developer Group

ZAP Form Based Authentication shows inconsistent behavior during authenticated scanning. In some cases, authentication is reported as successful even when incorrect credentials are provided, while in other cases authentication intermittently fails despite valid credentials. Additionally, after login, ZAP is often unable to reliably self-crawl authenticated application URLs, resulting in limited authenticated scan coverage.

Steps to Reproduce

  1. Create a new context and include the target application URLs.
  2. Configure authentication (Form-based).
  3. Configure logged-in and logged-out indicators.
  4. Create a user and set authentication credentials.
  5. Trigger authentication using authenticate_as_user.
  6. Run an authenticated Spider scan (scan_as_user).
  7. Observe inconsistent authentication detection and no crawling of authenticated URLs.

Observations:
  1. With Correct Authentication Credentials - It shows Auth Status as False (checked with the Authenticate as user API).
  2. With Wrong Credentials - It shows Auth Status as True (checked with Authenticate as user API)
Please help me understand the point of failure or anything missing.
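Because the report shows both a false negative with valid credentials and a false positive with wrong ones, the first thing to verify is the indicator pair from step 3. What follows is an added example, not code from the original post or from the ZAP project: a small offline checker that applies a logged-in/logged-out regex pair to captured login responses using a simplified model of the precedence ZAP's documentation describes (a logged-in match counts as authenticated, a logged-out match as unauthenticated, and when neither matches the outcome depends on which indicator is configured). The precedence model, the function names and the three sample responses are assumptions constructed for this example; replace the samples with responses captured from your own application through the ZAP proxy, including the raw login response, since a redirect carries no page body for a body-only pattern to match.

```python
"""Offline checker for ZAP logged-in / logged-out indicator regexes.

Added example, not ZAP's own code.  The precedence implemented in
is_authenticated() is an assumption: a simplified model of how a ZAP
context applies its two indicators to a response (header + body).
"""
import re
from typing import Dict, List, Optional

# --- constructed sample responses (not taken from the original thread) ------
# Raw response to the POST /login with valid credentials: a redirect, no body.
LOGIN_OK_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Set-Cookie: JSESSIONID=abc123; Path=/; HttpOnly\r\n"
    "Location: /dashboard\r\n"
    "\r\n"
)
# Page served after the redirect, only visible to an authenticated session.
DASHBOARD_RESPONSE = (
    "HTTP/1.1 200 OK\r\n\r\n"
    "<html><body><h1>Welcome back, user</h1>"
    '<a href="/logout">Logout</a></body></html>'
)
# Response to POST /login with wrong credentials: the form is re-rendered.
LOGIN_FAILED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n\r\n"
    '<html><body><h1>Welcome</h1><p class="error">Invalid username or password</p>'
    '<form action="/login" method="post">...</form></body></html>'
)


def is_authenticated(response: str,
                     logged_in: Optional[str] = None,
                     logged_out: Optional[str] = None) -> Optional[bool]:
    """Decide the authentication state of one response.

    Assumed precedence (simplified model of ZAP's indicator handling):
      1. no indicator configured            -> None (nothing to decide with)
      2. logged-in regex matches            -> True
      3. logged-out regex matches           -> False
      4. logged-in configured, no match     -> False
      5. only logged-out configured, no match -> True
    Both regexes are searched over header and body, like ZAP does.
    """
    if logged_in is None and logged_out is None:
        return None
    if logged_in and re.search(logged_in, response):
        return True
    if logged_out and re.search(logged_out, response):
        return False
    if logged_in:
        return False
    return True


def verify_indicators(logged_in: Optional[str], logged_out: Optional[str],
                      ok_responses: Dict[str, str],
                      failed_responses: Dict[str, str]) -> List[str]:
    """Apply an indicator pair to known-good and known-bad responses.

    Returns a list of mismatches so an operator can spot a regex that
    would make ZAP report the wrong auth status before running a scan.
    """
    problems = []
    for name, resp in ok_responses.items():
        if is_authenticated(resp, logged_in, logged_out) is not True:
            problems.append(f"false negative on {name}")
    for name, resp in failed_responses.items():
        if is_authenticated(resp, logged_in, logged_out) is not False:
            problems.append(f"false positive on {name}")
    return problems


if __name__ == "__main__":
    ok = {"dashboard": DASHBOARD_RESPONSE}
    failed = {"login_failed": LOGIN_FAILED_RESPONSE}
    # "Welcome" also appears on the failed-login page: wrong creds -> True.
    print("loose logged-in regex:", verify_indicators(r"Welcome", None, ok, failed))
    # A string only an authenticated page shows keeps both cases correct.
    print("strict logged-in regex:", verify_indicators(r"Welcome back", None, ok, failed))
    # A body-only pattern cannot match the raw 302 login response at all.
    print("302 vs body pattern:", is_authenticated(LOGIN_OK_RESPONSE, logged_in=r"Logout"))
```

The checker reproduces the two observations from the post: a logged-in regex such as `Welcome` that also occurs on the failed-login page yields True for wrong credentials, while a logged-in regex that is absent from the raw login response (a redirect with no body) yields False for valid ones. Anchoring the logged-in indicator on something only an authenticated response contains, or on a header present in the login response itself, removes both mismatches in this model.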

thc202

Jan 5, 2026, 2:52:14 AM
to zaproxy...@googlegroups.com
Hi,

This is not a dev related question, use the User Group for usage questions.

Make sure your logged in/out indicators are correct.

Best regards.
