Validating ZAP CLI-Based Login and Scan Setup


Naveen Rudrappa

Jul 2, 2025, 5:51:29 AM
to zaprox...@googlegroups.com

Hi Team,

I’m exploring the possibility of recording the login flow and using it via CLI as part of the web application scanning process.

For this, I’ve used the dummy site http://demo.testfire.net. The login flow was recorded using the ZAP browser-based recorder (link), and the resulting .zst file is attached.

I then followed the guidance from this documentation to configure the authentication context using the recorded script.

To initiate the scan, I’m using the following Docker command:

docker run -v $(pwd):/zap/wrk/:rw -t zaproxy/zap-stable zap.sh -cmd -autorun /zap/wrk/zap.yaml 

Could you please confirm if I’m on the right track with this approach?

Thanks,

Naveen.R

testfire.zst
zap.yaml

Simon Bennetts

Jul 7, 2025, 12:04:30 PM
to ZAP User Group

I strongly recommend testing and debugging auth setup in the ZAP desktop; you will find it much easier to understand what's going on.

If for any reason you are not able to do this, then see this report, which will help you get auth diagnostics if/when things go wrong: https://www.zaproxy.org/docs/desktop/addons/authentication-helper/auth-report-json/

Cheers,

Simon