Trouble figuring out form-based authenticated scan using "autoDetectAuthentication" in Python


Kushankur Das

Jul 15, 2025, 4:04:03 PM
to ZAP User Group

I'm currently trying to set up a form-based authenticated scan using the autoDetectAuthentication method in Python (ZAP API), but I'm facing some challenges. Despite passing the login URL and relevant parameters, the authentication does not seem to be detected or configured correctly, and the scan is not crawling authenticated areas of the application.

Here’s a quick overview of what I’ve attempted:

  • Used autoDetectAuthentication with the target login URL

  • Provided expected parameters (username, password fields)

  • Confirmed that manual login via browser works correctly

It would be great if you could help clarify:

  1. The expected structure or prerequisites for successful auto-detection

  2. Any specific headers or settings that must be passed along with the call

  3. Whether autoDetectAuthentication works with JavaScript-heavy login forms

Let me know if you’d like a snippet of my current code or any additional context.
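An added example, not code from the original post or from the ZAP project, showing how the form-based authentication the poster is trying to set up is wired through the ZAP REST API from Python. Everything environmental is assumed: a ZAP daemon at http://127.0.0.1:8080 with API key "changeme", a target at https://app.example.test whose login form POSTs username/password fields to /login, a logged-in page containing "Logout" and a login page containing name="password". Client method names follow the zap-api-python package (zapv2). The two points it makes explicit are the URL-encoding ZAP expects for the authentication and credential parameter strings, and the logged-in/logged-out indicators that ZAP needs before it can verify whether a login request worked.

```python
import re
from urllib.parse import urlencode

# ZAP takes the form-based method's settings as ONE url-encoded string whose
# values are url-encoded again, so "{%username%}" must arrive as %7B%25username%25%7D.
# urlencode() does exactly that; the zapv2 client then encodes the whole string
# once more when it puts it on the query string.
def form_auth_params(login_url, login_request_data, login_page_url=None):
    params = {"loginUrl": login_url, "loginRequestData": login_request_data}
    if login_page_url:
        params["loginPageUrl"] = login_page_url
    return urlencode(params)


def credential_params(username, password):
    # The per-user credentials string follows the same convention.
    return urlencode({"username": username, "password": password})


def login_state(body, logged_in_regex=None, logged_out_regex=None):
    """Approximation of ZAP's indicator order, for checking regexes offline
    against a saved response body: a matching logged-in indicator wins, then a
    matching logged-out indicator, then the absence of a configured indicator.
    Returns "in", "out" or "unknown" (no indicator configured at all)."""
    if logged_in_regex and re.search(logged_in_regex, body):
        return "in"
    if logged_out_regex and re.search(logged_out_regex, body):
        return "out"
    if logged_in_regex:
        return "out"   # logged-in indicator configured but absent
    if logged_out_regex:
        return "in"    # only a logged-out indicator configured, and it is absent
    return "unknown"


def configure_form_auth(zap, target, login_url, login_request_data,
                        username, password, logged_in_regex,
                        logged_out_regex=None, context_name="FormAuth"):
    """Create a context, attach form-based auth plus indicators, add one user.
    `zap` is a zapv2.ZAPv2 instance; the method names are the zapv2 client's."""
    ctx_id = zap.context.new_context(context_name)
    zap.context.include_in_context(context_name, re.escape(target) + ".*")
    zap.authentication.set_authentication_method(
        ctx_id, "formBasedAuthentication",
        form_auth_params(login_url, login_request_data))
    zap.authentication.set_logged_in_indicator(ctx_id, logged_in_regex)
    if logged_out_regex:
        zap.authentication.set_logged_out_indicator(ctx_id, logged_out_regex)
    user_id = zap.users.new_user(ctx_id, username)
    zap.users.set_authentication_credentials(
        ctx_id, user_id, credential_params(username, password))
    zap.users.set_user_enabled(ctx_id, user_id, True)
    return ctx_id, user_id


if __name__ == "__main__":
    # Assumed environment: ZAP daemon on 127.0.0.1:8080, API key "changeme",
    # target https://app.example.test (all made up for this example).
    from zapv2 import ZAPv2  # pip install zaproxy

    proxy = "http://127.0.0.1:8080"
    zap = ZAPv2(apikey="changeme", proxies={"http": proxy, "https": proxy})
    ctx_id, user_id = configure_form_auth(
        zap,
        target="https://app.example.test/",
        login_url="https://app.example.test/login",
        login_request_data="username={%username%}&password={%password%}",
        username="alice",
        password="s3cr3t!",
        logged_in_regex=r"Logout",
        logged_out_regex=r'name="password"',
    )
    # Log in once before scanning: ZAP returns the request it sent and whether
    # the indicators judged it successful. Fix this before touching the spider.
    print(zap.users.authenticate_as_user(ctx_id, user_id))
    print(zap.spider.scan_as_user(ctx_id, user_id, "https://app.example.test/"))
```

Run the one-off `authenticate_as_user` call first; if ZAP reports the login as failed, the problem is in `loginRequestData` or the indicators, and spidering as that user will only repeat the failure. `login_state` is there to test candidate indicator regexes against a response body saved from a manual login before putting them into the context.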

Kushankur Das

Jul 15, 2025, 4:13:59 PM
to ZAP User Group
Logs:
21301 [ZAP-daemon] INFO  org.zaproxy.addon.network.ExtensionNetwork - ZAP is now listening on 0.0.0.0:8080
zap_1      | 23241 [ZAP-IO-Server-1-1] INFO  org.parosproxy.paros.control.Control - New session file created: /home/zap/.ZAP/session/clean-session.session
zap_1      | 23400 [ZAP-SpiderInitThread-0] INFO  org.zaproxy.addon.spider.SpiderThread - Starting spidering scan on Context: AutoDetectContext at 2025-07-15T20:13:16.017+0000
zap_1      | 23403 [ZAP-SpiderInitThread-0] INFO  org.zaproxy.addon.spider.Spider - Spider initializing...
zap_1      | 23407 [ZAP-SpiderInitThread-0] INFO  org.zaproxy.addon.spider.Spider - Starting spider...
zap_1      | 23407 [ZAP-SpiderInitThread-0] INFO  org.zaproxy.addon.spider.Spider - Scan will be performed from the point of view of User: simpl...@authenticationtest.com
zap_1      | 23414 [ZAP-SpiderThreadPool-0-thread-1] INFO  org.zaproxy.zap.users.User - Authenticating user: simpl...@authenticationtest.com
zap_1      | 23414 [ZAP-SpiderThreadPool-0-thread-1] INFO  org.zaproxy.zap.users.User - Authentication failed for user: simpl...@authenticationtest.com
zap_1      | 24198 [ZAP-SpiderThreadPool-0-thread-2] INFO  org.zaproxy.zap.users.User - Authenticating user: simpl...@authenticationtest.com
zap_1      | 24199 [ZAP-SpiderThreadPool-0-thread-2] INFO  org.zaproxy.zap.users.User - Authentication failed for user: simpl...@authenticationtest.com
zap_1      | 24504 [ZAP-SpiderThreadPool-0-thread-2] INFO  org.zaproxy.addon.spider.Spider - Spidering process is complete. Shutting down...
zap_1      | 24505 [ZAP-SpiderShutdownThread-0] INFO  org.zaproxy.addon.spider.SpiderThread - Spider scanning complete: true on Context: AutoDetectContext at 2025-07-15T20:13:17.122+00

Kushankur Das

Jul 15, 2025, 5:28:07 PM
to ZAP User Group
I also tried browser-based authentication, but it also gives me this error:
352636 [ZAP-SpiderThreadPool-0-thread-2] ERROR org.zaproxy.zap.users.User - An error occurred while authenticating:
zap_1      | org.openqa.selenium.TimeoutException: java.util.concurrent.TimeoutException
zap_1      | Build info: version: '4.34.0', revision: '707dcb4246*'
zap_1      | System info: os.name: 'Linux', os.arch: 'aarch64', os.version: '5.10.104-linuxkit', java.version: '17.0.15'
zap_1      | Driver info: org.openqa.selenium.firefox.FirefoxDriver
zap_1      | Command: [f84cb7e3-4c5b-458d-8a6c-c35611d2bf39, get {url=https://practicetestautomation.com/practice-test-login/}]
zap_1      | Capabilities {acceptInsecureCerts: true, browserName: firefox, browserVersion: 128.12.0, moz:accessibilityChecks: false, moz:buildID: 20250616190003, moz:geckodriverVersion: 0.36.0, moz:headless: true, moz:platformVersion: 5.10.104-linuxkit, moz:processID: 176, moz:profile: /tmp/rust_mozprofile0p7tak, moz:shutdownTimeout: 60000, moz:webdriverClick: true, moz:windowless: false, pageLoadStrategy: normal, platformName: linux, proxy: Proxy(), setWindowRect: true, strictFileInteractability: false, timeouts: {implicit: 0, pageLoad: 300000, script: 30000}, unhandledPromptBehavior: dismiss and notify, userAgent: Mozilla/5.0 (X11; Linux x86..., webSocketUrl: ws://127.0.0.1:21090/sessio...}
zap_1      | Session ID: f84cb7e3-4c5b-458d-8a6c-c35611d2bf39
zap_1      | at org.openqa.selenium.remote.http.jdk.JdkHttpClient.execute(JdkHttpClient.java:427) ~[?:?]
zap_1      | at org.openqa.selenium.remote.HttpCommandExecutor.execute(HttpCommandExecutor.java:212) ~[?:?]
zap_1      | at org.openqa.selenium.remote.service.DriverCommandExecutor.invokeExecute(DriverCommandExecutor.java:216) ~[?:?]
zap_1      | at org.openqa.selenium.remote.service.DriverCommandExecutor.execute(DriverCommandExecutor.java:174) ~[?:?]
zap_1      | at org.openqa.selenium.remote.RemoteWebDriver.execute(RemoteWebDriver.java:544) ~[?:?]
zap_1      | at org.openqa.selenium.remote.RemoteWebDriver.get(RemoteWebDriver.java:312) ~[?:?]
zap_1      | at org.zaproxy.addon.authhelper.AuthUtils.authenticateAsUserImpl(AuthUtils.java:427) ~[?:?]
zap_1      | at org.zaproxy.addon.authhelper.BrowserBasedAuthenticationMethodType$BrowserBasedAuthenticationMethod.authenticateImpl(BrowserBasedAuthenticationMethodType.java:327) ~[?:?]
zap_1      | at org.zaproxy.addon.authhelper.BrowserBasedAuthenticationMethodType$BrowserBasedAuthenticationMethod.authenticate(BrowserBasedAuthenticationMethodType.java:295) ~[?:?]
zap_1      | at org.zaproxy.zap.users.User.authenticate(User.java:271) [zap-2.16.1.jar:2.16.1]
zap_1      | at org.zaproxy.zap.users.User.processMessageToMatchUser(User.java:170) [zap-2.16.1.jar:2.16.1]
zap_1      | at org.zaproxy.addon.network.internal.client.BaseHttpSender.sendAuthenticated(BaseHttpSender.java:378) [network-beta-0.22.0.zap:?]
zap_1      | at org.zaproxy.addon.network.internal.client.BaseHttpSender.sendNoRedirections(BaseHttpSender.java:351) [network-beta-0.22.0.zap:?]
zap_1      | at org.zaproxy.addon.network.internal.client.BaseHttpSender.send(BaseHttpSender.java:307) [network-beta-0.22.0.zap:?]
zap_1      | at org.zaproxy.addon.network.internal.client.BaseHttpSender.sendAndReceive(BaseHttpSender.java:278) [network-beta-0.22.0.zap:?]
zap_1      | at org.zaproxy.addon.network.internal.client.BaseHttpSender.sendAndReceive(BaseHttpSender.java:234) [network-beta-0.22.0.zap:?]
zap_1      | at org.parosproxy.paros.network.HttpSender.sendImpl(HttpSender.java:536) [zap-2.16.1.jar:2.16.1]
zap_1      | at org.parosproxy.paros.network.HttpSender.sendAndReceive(HttpSender.java:356) [zap-2.16.1.jar:2.16.1]
zap_1      | at org.zaproxy.addon.spider.SpiderTask.fetchResource(SpiderTask.java:435) [spider-release-0.15.0.zap:?]
zap_1      | at org.zaproxy.addon.spider.SpiderTask.runImpl(SpiderTask.java:185) [spider-release-0.15.0.zap:?]
zap_1      | at org.zaproxy.addon.spider.SpiderTask.run(SpiderTask.java:157) [spider-release-0.15.0.zap:?]
zap_1      | at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136) [?:?]
zap_1      | at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635) [?:?]
zap_1      | at java.base/java.lang.Thread.run(Thread.java:840) [?:?]
zap_1      | Caused by: java.util.concurrent.TimeoutException
zap_1      | at java.base/java.util.concurrent.CompletableFuture$Timeout.run(CompletableFuture.java:2874) ~[?:?]
zap_1      | at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:539) ~[?:?]
zap_1      | at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264) ~[?:?]
zap_1      | at java.base/java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:304) ~[?:?]
zap_1      | ... 3 more
zap_1      | 352658 [ZAP-SpiderThreadPool-0-thread-2] INFO  org.zaproxy.zap.users.User - Authentication failed for user: student
zap_1      | 352658 [ZAP-IO-Server-1-3] INFO  org.zaproxy.zap.users.User - Authenticating user: student
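An added example (not from the thread or the ZAP project) that runs over daemon log lines like the two pastes above, the form-based attempt and the browser-based one: it strips the docker compose service prefix, pairs each "Authenticating user" line with the verdict logged on the same thread to get the elapsed milliseconds, counts attempts and failures per user, and attaches the exception class and the target URL to any "An error occurred while authenticating" entry. The sample lines are constructed to mirror the shape of the posted output; user names, URL and session id are made up.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the pasted daemon output (user names, URL and
# session id are made up). Most lines keep the docker compose "zap_1 | " prefix.
SAMPLE_LOG = """\
23407 [ZAP-SpiderInitThread-0] INFO  org.zaproxy.addon.spider.Spider - Scan will be performed from the point of view of User: tester@example.test
zap_1      | 23414 [ZAP-SpiderThreadPool-0-thread-1] INFO  org.zaproxy.zap.users.User - Authenticating user: tester@example.test
zap_1      | 23414 [ZAP-SpiderThreadPool-0-thread-1] INFO  org.zaproxy.zap.users.User - Authentication failed for user: tester@example.test
zap_1      | 24198 [ZAP-SpiderThreadPool-0-thread-2] INFO  org.zaproxy.zap.users.User - Authenticating user: tester@example.test
zap_1      | 24199 [ZAP-SpiderThreadPool-0-thread-2] INFO  org.zaproxy.zap.users.User - Authentication failed for user: tester@example.test
zap_1      | 352636 [ZAP-SpiderThreadPool-0-thread-2] ERROR org.zaproxy.zap.users.User - An error occurred while authenticating:
zap_1      | org.openqa.selenium.TimeoutException: java.util.concurrent.TimeoutException
zap_1      | Command: [0f0f0f0f-0000-4000-8000-000000000001, get {url=https://login.example.test/}]
zap_1      | at org.openqa.selenium.remote.RemoteWebDriver.get(RemoteWebDriver.java:312) ~[?:?]
zap_1      | Caused by: java.util.concurrent.TimeoutException
zap_1      | 352658 [ZAP-SpiderThreadPool-0-thread-2] INFO  org.zaproxy.zap.users.User - Authentication failed for user: student
zap_1      | 352658 [ZAP-IO-Server-1-3] INFO  org.zaproxy.zap.users.User - Authenticating user: student
"""

PREFIX = r"^(?:\S+\s+\|\s*)?"   # optional "service | " added by docker compose
LINE_RE = re.compile(PREFIX + r"(?P<ms>\d+)\s+\[(?P<thread>[^\]]+)\]\s+"
                     r"(?P<level>[A-Z]+)\s+(?P<logger>\S+)\s+-\s+(?P<msg>.*)$")
EXC_RE = re.compile(PREFIX + r"(?P<exc>[\w.]+(?:Exception|Error))(?::\s*(?P<detail>.*))?$")
URL_RE = re.compile(r"\{url=([^}]+)\}")

AUTHENTICATING = "Authenticating user: "
FAILED = "Authentication failed for user: "


def parse_auth_log(text):
    users = defaultdict(lambda: {"attempts": 0, "failures": 0, "latency_ms": []})
    errors = []
    pending = {}        # thread name -> (user, ms of the "Authenticating" line)
    current_error = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m is None:
            # Continuation of an ERROR entry: the exception class, then the
            # WebDriver command that timed out. Stack frames are ignored.
            if current_error is not None:
                e = EXC_RE.match(raw)
                if e and current_error["exception"] is None:
                    current_error["exception"] = e["exc"]
                u = URL_RE.search(raw)
                if u:
                    current_error["url"] = u[1]
            continue
        current_error = None
        ms, thread, msg = int(m["ms"]), m["thread"], m["msg"]
        if msg.startswith(AUTHENTICATING):
            user = msg[len(AUTHENTICATING):]
            users[user]["attempts"] += 1
            pending[thread] = (user, ms)
        elif msg.startswith(FAILED):
            user = msg[len(FAILED):]
            users[user]["failures"] += 1
            started = pending.pop(thread, None)
            if started and started[0] == user:
                # Time between attempt and verdict on the same thread. A verdict
                # 0-1 ms after the attempt left barely any time for a login round trip.
                users[user]["latency_ms"].append(ms - started[1])
        elif m["level"] == "ERROR" and "while authenticating" in msg:
            current_error = {"ms": ms, "thread": thread, "exception": None, "url": None}
            errors.append(current_error)
    return {"users": dict(users), "errors": errors}


def failing_users(report):
    """Users for whom every logged attempt ended in failure."""
    return sorted(u for u, s in report["users"].items()
                  if s["attempts"] and s["failures"] >= s["attempts"])


if __name__ == "__main__":
    report = parse_auth_log(SAMPLE_LOG)
    for user, s in report["users"].items():
        print(f"{user}: {s['attempts']} attempt(s), {s['failures']} failure(s), "
              f"verdict after {s['latency_ms']} ms")
    for err in report["errors"]:
        print(f"ERROR at {err['ms']} ms on {err['thread']}: {err['exception']} fetching {err['url']}")
    print("users that never authenticated:", failing_users(report))
```

Feed it the real daemon output (`docker compose logs zap | python3 this_script.py` after swapping `SAMPLE_LOG` for `sys.stdin.read()`); a user whose every attempt fails within a millisecond or two, or an error entry naming a Selenium timeout on the login URL, tells you which of the two authentication methods to debug and where.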

Simon Bennetts

Jul 16, 2025, 12:12:52 PM
to ZAP User Group
Can you try using the ZAP desktop?
That will make debugging much easier.

If you really want to use automation then consider using this Automation Framework script: https://github.com/zaproxy/community-scripts/blob/main/other/af-plans/BrowserAuthTest.yaml
It will generate an Automation Report which will give you _lots_ more info if anything goes wrong: https://www.zaproxy.org/docs/desktop/addons/authentication-helper/auth-report-json/

Cheers,

Simon