ZAP scan authentication with AAD


Beer Mohamed

Apr 18, 2022, 1:57:24 PM4/18/22
to OWASP ZAP User Group
Hi,

Our web application is configured with Azure AD login. I am using the ZAP CLI (zap.sh) to scan our application. The applications which do not need authentication are scanned and a report is generated, but a few of them require authentication and return 401.
I tried to create a context and make use of it in the UI, but I still get the same 401 issue.

Also, the docs do not give a clear pointer or example about authentication.

Could someone help with this?

Thanks

Simon Bennetts

Apr 19, 2022, 4:33:04 AM4/19/22
to OWASP ZAP User Group
Hiya,

If your app is protected by Azure AD login then ZAP will have to be configured to handle it, unless your authentication is completely broken ;)
We have docs for authentication, but you will see they are still WIP: https://www.zaproxy.org/docs/authentication/
However, the first page, "How to make your life easier", is _very_ relevant (i.e. run your app without SSO if you can).
If you can't disable SSO then you will have to find or implement some ZAP authentication scripts to handle it. Unfortunately I'm not aware of any that are publicly available.
FYI, the ZAP CLI is a third-party project and is not maintained by the ZAP Core Team.
The recommended ways of automating ZAP are listed here: https://www.zaproxy.org/docs/automate/

Cheers,

Simon
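As an added illustration of the "implement a ZAP authentication script" route mentioned above (this is example code written for this page, not code from the thread, the ZAP docs or the ZAP project, and it is not a script for the interactive browser-based Azure AD login the question describes): a script-based authentication script for ZAP that obtains an access token with the OAuth2 client-credentials grant from the Microsoft identity platform token endpoint and stores it in a ZAP script variable. The assumptions are labelled in the comments: the target accepts a bearer token issued to an app registration, the tenant id, scope, client id and client secret are supplied as context/credential parameters under the invented names `tenantId`, `scope`, `clientId` and `clientSecret`, and a separate HttpSender script (not shown) reads the stored `aad_access_token` variable and adds it as an `Authorization: Bearer` header. The helpers above the `authenticate` function are plain ECMAScript so they can be checked outside ZAP; only `authenticate` needs the ZAP runtime.

```javascript
// Added example (not from the thread or the ZAP project): a ZAP "Authentication"
// script (Script Based Authentication) that logs in to an Azure AD protected
// API with the OAuth2 client-credentials grant.
// ASSUMPTIONS: the application accepts a bearer token issued to an app
// registration with a client secret; parameter names tenantId/scope/clientId/
// clientSecret are invented for this example; a companion HttpSender script
// (not shown) reads the global var "aad_access_token" and sets
// "Authorization: Bearer <token>" on outgoing requests.

// ---- Pure helpers (plain ECMAScript; also run under Node for a quick check) ----

// Token endpoint of the Microsoft identity platform (v2.0) for one tenant.
function tokenEndpoint(tenantId) {
  return "https://login.microsoftonline.com/" + encodeURIComponent(tenantId) +
    "/oauth2/v2.0/token";
}

// Form body of a client-credentials token request.
function buildTokenRequestBody(clientId, clientSecret, scope) {
  return [
    "grant_type=client_credentials",
    "client_id=" + encodeURIComponent(clientId),
    "client_secret=" + encodeURIComponent(clientSecret),
    "scope=" + encodeURIComponent(scope)
  ].join("&");
}

// Pull access_token out of the token response, or return null on any failure
// (AAD answers errors with a non-200 status and an {"error": ...} body).
function extractAccessToken(statusCode, responseBody) {
  if (statusCode !== 200) { return null; }
  var parsed;
  try { parsed = JSON.parse(responseBody); } catch (e) { return null; }
  if (typeof parsed.access_token !== "string" || parsed.access_token.length === 0) {
    return null;
  }
  if (parsed.token_type && String(parsed.token_type).toLowerCase() !== "bearer") {
    return null;
  }
  return parsed.access_token;
}

// ---- ZAP authentication-script contract (only runs inside ZAP) ----

function authenticate(helper, paramsValues, credentials) {
  var HttpRequestHeader = Java.type("org.parosproxy.paros.network.HttpRequestHeader");
  var HttpHeader = Java.type("org.parosproxy.paros.network.HttpHeader");
  var URI = Java.type("org.apache.commons.httpclient.URI");
  var ScriptVars = Java.type("org.zaproxy.zap.extension.script.ScriptVars");

  var url = tokenEndpoint(paramsValues.get("tenantId"));
  var body = buildTokenRequestBody(
    credentials.getParam("clientId"),
    credentials.getParam("clientSecret"),
    paramsValues.get("scope"));

  var msg = helper.prepareMessage();
  msg.setRequestHeader(new HttpRequestHeader(HttpRequestHeader.POST, new URI(url, true),
    HttpHeader.HTTP11));
  msg.getRequestHeader().setHeader(HttpHeader.CONTENT_TYPE, "application/x-www-form-urlencoded");
  msg.setRequestBody(body);
  msg.getRequestHeader().setContentLength(msg.getRequestBody().length());
  helper.sendAndReceive(msg);

  var token = extractAccessToken(msg.getResponseHeader().getStatusCode(),
    msg.getResponseBody().toString());
  if (token === null) {
    // Leaving the var unset means the HttpSender script adds no header and the
    // next request gets a 401, which ZAP's logged-out indicator should catch.
    print("AAD token request failed, status " + msg.getResponseHeader().getStatusCode());
    return msg;
  }
  ScriptVars.setGlobalVar("aad_access_token", token);
  return msg;
}

// Names ZAP asks for when the script is selected for a context.
function getRequiredParamsNames() { return ["tenantId", "scope"]; }
function getOptionalParamsNames() { return []; }
function getCredentialsParamsNames() { return ["clientId", "clientSecret"]; }
```

Load this as an Authentication script, pick "Script-based Authentication" for the context, fill in the tenant and scope, and add a user whose credential parameters are the client id and secret. Because the token has a lifetime, set the context's logged-out indicator to match the 401 response so ZAP re-runs the script when the token expires. This only helps where the app accepts a token for an app registration; an app that insists on an interactive user login through the Azure AD web pages is the harder case this thread is about.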