ClientSpider & client Authentication via Zest

[MERIEM MELLOUS]

Hello ,  I noticed that when launching the following AF, the spider does consider my authentication Zest script  but when it comes to clientSpider it doesn't authenticate. I made sure that my authentication config in the env is "client" authentication as I saw in the documentation that normally this way the clientSpider or the AjaxSpider are supposed to automatically consider authentication script.

I used the Zap browser extension to record my authentication script.

 I do enable httpSender first so that I get the accesstoken from a specific response and then declare it as a script global var "myvar" .

env:

parameters:

failOnError: true

failOnWarning: false

progressToStdout: true

contexts:

- name: mycontext

urls:

- https://test_url.com

includePaths:

- https://test_url.com.*

- https://my_api.*

excludePaths:

- https://www.google.com.*

authentication:

method: "client"

parameters:

script: /path/to/authentication.zst # String, the path to the Zest login script

scriptEngine: Mozilla Zest # The script engine used for the login script

diagnostics: true # Bool, enables the recording of diagnostic data during the authentication. Default: false.

minWaitFor: 5000 # Int, sets the minimum waitFor time in seconds to wait for each client statement, default: 0

verification:

method: poll

loggedOutRegex: HTTP/1.1 401

loggedInRegex: 200 OK

pollFrequency: 100

pollUrl: https://test_url.com/me

pollUnits: requests

sessionManagement:

method: headers

parameters:

Cookie: session_id={%script:myvar%}

users:

- name: 'myUser'

credentials:

username: 'myUser'

password: mypassword

proxy:

hostname: my_proxy_host

port: my_proxy_port

jobs:

- type: activeScan-config

parameters:

maxRuleDurationInMins: 0

maxScanDurationInMins: 0

maxAlertsPerRule: 0

handleAntiCSRFTokens: true

injectPluginIdInHeader: true

threadPerHost: 12

inputVectors:

urlQueryStringAndDataDrivenNodes:

odata: true

enabled: true

postData:

multiPartFormData: true

enabled: true

xml: true

directWebRemoting: true

json:

scanNullValues: true

enabled: true

googleWebToolkit: true

urlPath: true

httpHeaders:

allRequests: true

enabled: true

cookieData:

enabled: true

encodeCookieValues: true

scripts: true

- type: script

parameters:

action: add

type: httpsender

engine: Graal.js

name: httpsender

source: path/to/httpSender.js

- type: script

parameters:

action: enable

type: httpsender

engine: Graal.js

name: httpsender

- type: script

parameters:

action: add

type: authentication

engine: Mozilla Zest

name: authentication

source: /path/to/authentication.zst

- type: spider

name: spider

parameters:

context: mycontext

user: 'myUser'

url: https://test_url.com

maxDuration: 0

maxDepth: 0

maxChildren: 0

acceptCookies: false

handleODataParametersVisited: false

handleParameters: IGNORE_COMPLETELY

maxParseSizeBytes: 3000

parseComments: true

parseGit: true

parseRobotsTxt: true

parseSitemapXml: true

parseSVNEntries: true

parseDsStore: true

postForm: true

processForm: true

- type: spiderClient

parameters:

context: mycontext

user: 'myUser'

url: https://test_url.com

maxDuration: 300

maxCrawlDepth: 10

maxChildren: 50

numberOfBrowsers: 2

browserId: chrome

scopeCheck: Flexible

pageLoadTime: 5000

- parameters:

maxDuration: 0

type: passiveScan-wait

- name: activeScan

type: activeScan

parameters:

context: mycontext

policy: Default Policy

user: 'myUser'

maxRuleDurationInMins: 0

maxScanDurationInMins: 0

threadPerHost: 12

handleAntiCSRFTokens: true

injectPluginIdInHeader: true

scanHeadersAllRequests: true

policyDefinition:

defaultStrength: MEDIUM

defaultThreshold: MEDIUM

- type: report

name: report-traditional-pdf

parameters:

reportFile: report.pdf

reportDescription: This report contains the results of a vulnerability scan for

the application:https://test_url.com

reportTitle: ZAP scan report

reportDir: path/to/report

displayReport: false

template: traditional-pdf

risks:

- info

- low

- medium

- high

confidences:

- low

- medium

- high

- confirmed

sections:

- alertcount

- instancecount

- alertdetails

Can you help me figure out what went wrong please ? I can't seem to understand why the clientSpider is not authenticating.

Thank you !

[thc202]

Hi,

Can you share the zap.log? I tried that plan (with dummy scripts/target)
and the client auth was being performed on the client spider.

Best regards.

On 17/04/2026 15:43, 'MERIEM MELLOUS' via ZAP User Group wrote:
> Hello , I noticed that when launching the following AF, the *spider does

> consider my authentication Zest script but when it comes to clientSpider

> it doesn't authenticate*. I made sure that my authentication *config in the
> env is "client" authentication* as I saw in the documentation that normally

[THOMAS CROGUENNEC]

Hello,

I work with @Meriem. @thc202, I agree that the client auth works well but the problem is similar to this thread (https://groups.google.com/g/zaproxy-users/c/nn9nZ40yyIg/m/33smKLKoBQAJ). The auth is successfully done but the session management does not work as we expect. We store the token in a global script var at the end of the authentication script but when the client spider crawls, it does it unauthenticated.

Regards,

---

Ce message et toutes les pièces jointes (ci-après le "message") sont confidentiels et établis à l'intention exclusive de ses destinataires. Toute utilisation ou diffusion non autorisée est interdite. Tout message étant susceptible d'altération, l'émetteur décline toute responsabilité au titre de ce message s'il a été altéré, déformé ou falsifié. 

This message and any attachments (the "message") are confidential and intended solely for the addressees. Any unauthorised use or dissemination is prohibited. As e-mails are susceptible to alteration, the issuer shall not be liable for the message if altered, changed or falsified.