Login Authentication with 3 Credentials needed.

LSTV Jhen Butawan

Feb 11, 2022, 10:59:04 AM
to OWASP ZAP User Group
I configured using form-based but during the AJAX scan it gives 2 random text credentials... Please advise on how to authenticate 3 assigned parameters. Do I need to make a script for this?


Thank you so much!

Simon Bennetts

Feb 11, 2022, 11:10:13 AM
to OWASP ZAP User Group
Yes, you will probably need to use an authentication script.
If the browser maintains authentication state you'll also need to use other scripts such as httpsender and selenium.

Start by going through these pages: https://www.zaproxy.org/docs/authentication/

Then have a look at this video: https://play.vidyard.com/TMcBcuhyPt57sUqPcJUtpv

Cheers,

Simon
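
As an added illustration of the authentication script suggested above (not part of the original thread and not ZAP project code): a ZAP script-based authentication script in JavaScript that sends three credentials in one form POST. The credential labels, the form field names (`companyId`, `username`, `password`) and the `Login URL` parameter are assumptions; replace them with what the target's login form actually uses.

```javascript
// Added example: ZAP script-based authentication with three credentials.
// Assumed (hypothetical) form fields: companyId, username, password.
// Credential labels shown in ZAP's Users dialog -> form field names.
var FIELDS = {
  "Company ID": "companyId",
  "Username": "username",
  "Password": "password"
};

// ZAP calls these to build the context's Authentication and Users dialogs.
function getRequiredParamsNames() { return ["Login URL"]; }
function getOptionalParamsNames() { return []; }
function getCredentialsParamsNames() { return Object.keys(FIELDS); }

// Build the urlencoded body; getValue(label) returns one credential value.
function buildLoginBody(getValue) {
  return Object.keys(FIELDS).map(function (label) {
    return encodeURIComponent(FIELDS[label]) + "=" +
           encodeURIComponent(String(getValue(label)));
  }).join("&");
}

// ZAP calls this whenever it needs to (re)authenticate the user.
function authenticate(helper, paramsValues, credentials) {
  var HttpRequestHeader = Java.type("org.parosproxy.paros.network.HttpRequestHeader");
  var HttpHeader = Java.type("org.parosproxy.paros.network.HttpHeader");
  var URI = Java.type("org.apache.commons.httpclient.URI");

  var loginUri = new URI(paramsValues.get("Login URL"), false);
  var body = buildLoginBody(function (label) { return credentials.getParam(label); });

  var msg = helper.prepareMessage();
  msg.setRequestHeader(new HttpRequestHeader(HttpRequestHeader.POST, loginUri, HttpHeader.HTTP11));
  msg.getRequestHeader().setHeader(HttpHeader.CONTENT_TYPE, "application/x-www-form-urlencoded");
  msg.setRequestBody(body);
  msg.getRequestHeader().setContentLength(msg.getRequestBody().length());

  helper.sendAndReceive(msg); // send the login request through ZAP
  return msg;                 // ZAP takes the session from this message
}
```

Load it as an Authentication script, select Script-based Authentication in the context, and each user then gets three credential fields; the context still needs a logged in or logged out indicator so ZAP can tell whether the login worked.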

LSTV Jhen Butawan

Feb 11, 2022, 11:28:21 AM
to OWASP ZAP User Group

Thank you so much, this really helps... so cool JS custom script.

LSTV Jhen Butawan

Feb 12, 2022, 4:36:55 AM
to OWASP ZAP User Group
[Attached images: lee.PNG, code.PNG]

LSTV Jhen Butawan

Feb 12, 2022, 4:37:58 AM
to OWASP ZAP User Group
I am still getting the same response upon running the spider using script-based auth. Please advise, sir.

kingthorin+owaspzap

Feb 12, 2022, 4:13:08 PM
to OWASP ZAP User Group
Chances are you haven't set the logged in/logged out indicator, or whatever you set it to isn't properly identifying the authentication state of the user.

LSTV Jhen Butawan

Feb 20, 2022, 10:07:47 PM
to OWASP ZAP User Group
Can you please advise the step-by-step scripts to define in order to have the AJAX spider authenticate 3 login credentials? I have watched the videos about session and selenium but the examples are all in Juice Shop. I am stuck on this. Please advise.

LSTV Jhen Butawan

Feb 20, 2022, 11:47:00 PM
to OWASP ZAP User Group
[Attached image: Untitled.png]
How do I enable these fields? I'm using 2.11.1.

Simon Bennetts

Feb 21, 2022, 4:20:59 AM
to OWASP ZAP User Group
Hiya,

The Ajax Spider will not perform authentication for you.
You need to get authentication working in the "standard" case when you send a request, e.g. from the Manual Request Editor, and only when that is working should you look at configuration for the Ajax Spider.
If the browser does not maintain any authentication state then it should be relatively straightforward.
If it does maintain authentication state then you will need to inject that state using a selenium script.

We will be adding to the docs on https://www.zaproxy.org/docs/authentication/ but as you can see these are Work In Progress :)

Cheers,

Simon

LSTV Jhen Butawan

Feb 21, 2022, 7:05:26 AM
to OWASP ZAP User Group
Thank you for the advice, sir, will work on this.