To check the session is valid before doing the active scan

C PQ

Jan 16, 2025, 4:49:14 AM
to ZAP Developer Group
Hi,

I followed the guide from https://www.zaproxy.org/docs/developer/creating-new-addon-in-zap-extensions/ and created a new AddOn. My new addon is able to run in ZAP. For the addon, I use it for the active scan and inherited AbstractAppParamPlugin (reference from ascanrules). How do I check whether the session is valid and, if it is not valid, authenticate the user from the context in the scan(HttpMessage msg, String param, String value) function?

Thanks.

Regards,
Pei Qi

psiinon

Jan 16, 2025, 5:05:52 AM
to ZAP Developer Group
Hi Pei Qi,

You don't need to check if the session is valid - ZAP does that for you. If there's no active session then it will go through the authentication process.
You will need to have configured authentication for your context, see https://www.zaproxy.org/docs/authentication/
Then you can call the ExtensionActiveScan startScan(String name, Target target, User user, Object[] contextSpecificObjects) method with the relevant User you want ZAP to use.

Cheers,

Simon
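An added example of the launch side that Simon describes, not code from the thread or from ZAP itself: the add-on starts the scan through ExtensionActiveScan with a User from the context, so the scan(...) callback never has to check or renew the session. The helper name startScanAsContextUser, the context and user names passed in, and the lookup of the User through ExtensionUserManagement are assumptions made for this example.

```java
import java.util.List;

import org.parosproxy.paros.control.Control;
import org.parosproxy.paros.model.Model;
import org.zaproxy.zap.extension.ascan.ExtensionActiveScan;
import org.zaproxy.zap.extension.users.ExtensionUserManagement;
import org.zaproxy.zap.model.Context;
import org.zaproxy.zap.model.Target;
import org.zaproxy.zap.users.User;

/** Hypothetical helper for this example; not part of ZAP or of any published add-on. */
public final class AuthenticatedScanLauncher {

    /**
     * Starts an active scan of the named context as the named user.
     * Returns the scan id, or -1 if the context or user is not configured.
     * Session validity is deliberately not checked here: ZAP re-runs the
     * context's authentication method itself whenever no valid session exists.
     */
    public static int startScanAsContextUser(String contextName, String userName) {
        Context context = Model.getSingleton().getSession().getContext(contextName);
        if (context == null) {
            return -1; // unknown context: nothing to scan
        }

        ExtensionUserManagement users = Control.getSingleton()
                .getExtensionLoader().getExtension(ExtensionUserManagement.class);
        ExtensionActiveScan ascan = Control.getSingleton()
                .getExtensionLoader().getExtension(ExtensionActiveScan.class);
        if (users == null || ascan == null) {
            return -1; // required add-ons are not loaded
        }

        // Users are defined per context, next to the context's authentication method.
        List<User> contextUsers = users.getContextUserAuthManager(context.getId()).getUsers();
        User user = contextUsers.stream()
                .filter(u -> u.isEnabled() && userName.equals(u.getName()))
                .findFirst()
                .orElse(null);
        if (user == null) {
            return -1; // refuse to fall back to an unauthenticated scan
        }

        // Scan the whole context; ZAP logs in as 'user' and keeps the session alive during the scan.
        Target target = new Target(context);
        return ascan.startScan("Authenticated scan: " + contextName, target, user, null);
    }
}
```

The returned scan id can be passed to the extension's scan lookup to follow progress; a -1 result means the context needs authentication and a user configured first, as in https://www.zaproxy.org/docs/authentication/.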