Help in Debugging Authentication Automation


Max Canada

Oct 27, 2025, 9:36:28 AM
to ZAP User Group
Hello,

I am running ZAP on the desktop. I am using the Authentication Tester tool and have an authentication context. I am using browser-based authentication and am using the auto-detection strategy for verification. I have it on a delay so I can watch it in the automated Google Chrome test browser instance as it attempts to log in. It is able to successfully log in, but then after doing so replaces the Session Management section with headers that are incorrect. Is there a recommended way to fix this?

- Max

Max Canada

Oct 27, 2025, 12:48:45 PM
to ZAP User Group
OK, I was able to figure it out. Turns out it had to do with excluding something in the context.

I am now getting the following issue when trying to run the Automation Framework as part of a CI pipeline for the spiderAjax jobs: "Verification URL not identified".
This is strange because on the desktop, when running an automation test, I am seeing the test succeed, except apparently the desktop does NOT check for the verification URL?

I have tried checking the documentation at https://www.zaproxy.org/docs/authentication/update-the-context/. If I have a specific URL I would like to use, would I update the Regex pattern used to describe Logged in messages as
? If so, how would I account for the page changing after logging in? Would I just check for something like a homepage and ZAP can figure it out from there?

- Max

Simon Bennetts

Nov 3, 2025, 5:52:02 AM
to ZAP User Group
Hi Max,

How well do you know your application?
You need to include all of the relevant domains in the context, for example API domains.
We actually need to enhance the Authentication Tester to make it easy to add more domains - we're hoping to get to that soon.
Cheers,

Simon

Max Canada

Nov 3, 2025, 5:00:17 PM
to ZAP User Group
Hey Simon,

Appreciate the response. I know it pretty well. I have added the API domains to be included in the context, but not as part of the target, if I am making sense.

I would have thought that if I specify the target URL as "https://example.com", and that if it has a login page it would be redirected to the login page if I hit the home page "https://example.com/home". So then using the home page as a verification URL would make sense because I would receive a 200 instead of a 4xx or 3xx when trying to hit it. Am I making sense? Am I also thinking about things the right way?

- Max

Simon Bennetts

Nov 5, 2025, 10:47:48 AM
to ZAP User Group
Hiya Max,

Yes, you are thinking in the right way.
And that sounds like a sane app - if only they all worked in that way :D
We have found that apps work so many different (and bizarre) ways that we've had to make ZAP incredibly flexible to cope with them all!

FYI we have just updated the Authentication Tester to allow you to include domains, which should make testing easier.

Cheers,

Simon
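One way to express what the thread converges on (all application and API domains in the context, and the home page polled as the verification URL so that a 200 means logged in and a redirect means logged out) in an Automation Framework plan. This is an added example, not configuration posted by Max or shipped by the ZAP project; the key names follow the Automation Framework `env`/`jobs` YAML format, while `api.example.com`, `/login`, `/logout`, the user name and the `${...}` credential variables are placeholders.

```yaml
env:
  contexts:
    - name: "example-app"
      urls:
        - "https://example.com"
      includePaths:
        # Every domain the app calls after login must be in scope, including API hosts
        # (api.example.com is a placeholder for the real API domain)
        - "https://example.com.*"
        - "https://api.example.com.*"
      excludePaths:
        # Keep the logout endpoint out of scope so crawling does not end the session (placeholder path)
        - "https://example.com/logout.*"
      authentication:
        method: "browser"
        parameters:
          loginPageUrl: "https://example.com/login"   # placeholder login page
          loginPageWait: 5                            # seconds to wait for the login page to load
          browserId: "chrome-headless"
        verification:
          method: "poll"
          pollUrl: "https://example.com/home"         # the home page, as proposed in the thread
          pollFrequency: 60
          pollUnits: "requests"                       # poll every 60 requests
          loggedInRegex: "\\Q 200 OK\\E"               # home page served directly: still logged in
          loggedOutRegex: "\\Q 302 Found\\E"           # redirected to the login page: logged out
      sessionManagement:
        method: "autodetect"                          # assumption: let ZAP detect cookies vs. headers
      users:
        - name: "test-user"
          credentials:
            username: "${TEST_USER}"                  # supplied from CI secrets, not committed
            password: "${TEST_PASSWORD}"
jobs:
  - type: "spiderAjax"
    parameters:
      context: "example-app"
      user: "test-user"
      url: "https://example.com"
      maxDuration: 5                                  # minutes
```

The poll regexes are matched against the raw poll response, so the status line is the simplest stable marker; if the home page content changes after login, the status line check still holds as long as unauthenticated requests keep redirecting.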