How to add context without logging in manually


Jason Chan 07

Sep 14, 2023, 2:26:53 AM
to ZAP User Group
Hi all,

I have a question about using ZAP Desktop to automatically scan for vulnerabilities.

When I try to start an active scan, I find I have to log in with the ZAP proxy browser, otherwise the active scan only scans some static URLs.

And my context is set as:
Name: ${projectName}
URLs: https://${myUrls}.com/
Include: https://${myUrls}.com/api.*

So I just wonder whether it is possible to log in automatically rather than logging in and exploring manually first.

Best regards,
Jason




Simon Bennetts

Sep 14, 2023, 3:05:26 AM
to ZAP User Group
Hi Jason,


Cheers,

Simon

Jason Chan 07

Sep 14, 2023, 5:20:01 AM
to ZAP User Group
Hi Simon,

Thanks for replying.
Regarding the authentication, we would like to handle it ourselves, considering it's kind of completed.
So we wrote a Node.js script to get the cookie & csrfToken and append them to the YAML file.
[attachment: MicrosoftTeams-image (5).png]
And here are our YAML and authenticate.js files in the attachment section.

Actually, I find I can only scan some static URLs, rather than our APIs.
At first I thought the root cause was that we failed at authentication.
But I find it passed in the authentication test dialog, as below.
[attachment: MicrosoftTeams-image (4).png]

Then I think maybe it's because there is no session, so our context matches no API.
Simon, what do you think?
Do you think our solution is reasonable? 

Kind regards,
Jason


[attachment: example.yaml]

Simon Bennetts

Sep 14, 2023, 5:58:37 AM
to ZAP User Group
Hi Jason,

Oops - looks like there is a bug in the Authentication Tester dialog - it should have said it failed!
It failed to identify the username field, the password field, and the verification URL :(
Can you share the HTML snippets that define these input fields?

For now it looks like you will have to handle authentication yourselves.
I recommend setting up a very simple test case where you set up authentication and make one authenticated request to a URL - then carefully check the requests and responses to make sure it really is working for you.

Cheers,

Simon
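Simon's advice above is to make one authenticated request and check the requests and responses carefully before trusting a scripted login. The following Node.js snippet is an added example of that self-check, not code from the thread, from Jason's authenticate.js, or from the ZAP project: it parses the Set-Cookie headers and CSRF token out of a (constructed) login response, builds the headers the next request should carry, and then verifies that a follow-up response is really authenticated rather than a silent redirect to the login page. The function names, header name `X-CSRF-Token`, the `/login` path and the logged-in/logged-out regexes are all assumptions standing in for whatever the real application uses.

```javascript
// Added example (not from the thread): check that a scripted login really
// yields an authenticated session before handing cookie + CSRF token to ZAP.
// All headers, bodies and paths below are constructed sample data.

// Turn an array of Set-Cookie header values into a name -> value map.
function parseSetCookie(setCookieHeaders) {
  const jar = {};
  for (const header of setCookieHeaders) {
    const [pair] = header.split(';'); // drop Path/HttpOnly/Secure attributes
    const idx = pair.indexOf('=');
    if (idx === -1) continue;
    jar[pair.slice(0, idx).trim()] = pair.slice(idx + 1).trim();
  }
  return jar;
}

// Find a CSRF token in an HTML body. Assumes either a hidden input named
// "csrfToken" (name attribute before value) or a <meta name="csrf-token">.
function extractCsrfToken(html) {
  const input = html.match(/<input[^>]*name=["']csrfToken["'][^>]*value=["']([^"']+)["']/i);
  if (input) return input[1];
  const meta = html.match(/<meta[^>]*name=["']csrf-token["'][^>]*content=["']([^"']+)["']/i);
  return meta ? meta[1] : null;
}

// Headers the next authenticated request (and ZAP) should send.
// "X-CSRF-Token" is an assumed header name; use whatever your app expects.
function buildAuthHeaders(jar, csrfToken) {
  const cookie = Object.entries(jar).map(([k, v]) => `${k}=${v}`).join('; ');
  return { Cookie: cookie, 'X-CSRF-Token': csrfToken };
}

// Decide whether a response proves the session is authenticated. A 200 on
// its own is not enough: also require no redirect to the login page, no
// 401/403, the logged-out marker absent and the logged-in marker present.
function verifyAuthenticated(resp, { loggedInRegex, loggedOutRegex, loginPath }) {
  const reasons = [];
  if (resp.status >= 300 && resp.status < 400) {
    const loc = resp.headers.location || '';
    if (loc.includes(loginPath)) reasons.push(`redirected to login: ${loc}`);
  }
  if (resp.status === 401 || resp.status === 403) reasons.push(`status ${resp.status}`);
  if (loggedOutRegex.test(resp.body)) reasons.push('logged-out marker found');
  if (!loggedInRegex.test(resp.body)) reasons.push('logged-in marker missing');
  return { ok: reasons.length === 0, reasons };
}

// Constructed login response: one session cookie, one irrelevant cookie,
// and a hidden CSRF input in the body.
const loginResponse = {
  status: 200,
  setCookie: ['JSESSIONID=abc123; Path=/; HttpOnly; Secure', 'theme=dark; Path=/'],
  body: '<form><input type="hidden" name="csrfToken" value="tok-42"></form>',
};
const jar = parseSetCookie(loginResponse.setCookie);
const token = extractCsrfToken(loginResponse.body);
const headers = buildAuthHeaders(jar, token);

const verifyOpts = {
  loggedInRegex: /"user":/,            // assumed marker of an authenticated API reply
  loggedOutRegex: /<form[^>]*login/i,  // assumed marker of the login form
  loginPath: '/login',                 // assumed login route
};

// Constructed "good" API reply: authenticated JSON.
const goodCheck = verifyAuthenticated(
  { status: 200, headers: {}, body: '{"user":"jason","role":"tester"}' },
  verifyOpts,
);
// Constructed failure: the app silently bounced us to the login page.
const failedCheck = verifyAuthenticated(
  { status: 302, headers: { location: '/login?next=/api/me' }, body: '' },
  verifyOpts,
);

console.log(headers, goodCheck, failedCheck);
```

If `failedCheck.ok` comes back false, the cookie or token you are appending to the YAML is not producing an authenticated session, which would explain an active scan that only ever reaches static URLs; the `reasons` array says which check tripped.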