Automation Framework - authentication failures


Anjo P Joseph

Jun 27, 2025, 3:16:28 AM
to ZAP User Group

Hi ZAP community,

I'm currently learning the ZAP Automation Framework and working with the test site http://testfire.net/login.jsp. I'm a beginner, so I'd really appreciate some guidance!

Here’s what I’ve done so far:


✅ Authentication Setup
  • I'm using the Tools-->Authentication Tester in ZAP.

  • I set the login URL to: http://testfire.net/login.jsp

  • I provide admin credentials and launch Firefox for the test.

  • The login works correctly — Firefox opens, logs in, and I can see it reaches the authenticated page.

  • ZAP automatically creates a context with authentication and sets session management to Header-based — but both the header name and value fields are empty.


⚙️ Automation Framework Configuration
  • I added a requestor job to the Automation Framework in the GUI.

  • I set the request URL to http://testfire.net/bank/main.jsp, which I copied from the "URL to poll" verification field in the Authentication Tester context.

  • I also set the same context and selected the authenticated user in the job.

  • When I run this automation:

    • The requestor job works ✅ — I see a 200 OK response in the history tab with content similar to the authenticated page.


⚠️ Problem with AJAX Spider
  • I added a new AJAX Spider job to the same Automation Framework.

  • I used the same context and user as above.

  • When I run the automation:

    • The AJAX Spider runs for over 20 minutes and doesn’t seem to stop.

    • I don’t see any new requests or activity in the History tab; nothing is generated after the requestor job finishes.


❓ Questions
  1. How can I stop the AJAX spider when it gets stuck like this?

  2. Where can I view logs or debug information related to the AJAX spider or authentication?

  3. Is the session management method set to "Header-based" (with empty header key and value) likely causing the authentication to fail during automation?

  4. If authentication worked during the Authentication Tester, why does the AJAX spider not seem to be logged in?

  5. What’s the best way to confirm that the automation framework is truly authenticated during AJAX/Spider scans?


Any help would be greatly appreciated — especially examples or suggestions on how to fix or properly configure this!

Thanks so much in advance! 
Anjo

Simon Bennetts

Jul 1, 2025, 11:02:56 AM
to ZAP User Group
Hi Anjo,

We have a set of pages which explain exactly how to set up ZAP to scan the most common vulnerable apps, and there is one for Testfire :D
FYI, the AJAX Spider does not put its requests in the History tab. It has its own tab, but unfortunately that only works if you start the spider from the GUI, not via the API or the Automation Framework.
The best way to check that ZAP is sending authenticated requests (via any of its tools) is to make sure you have the verification set up correctly and then to use the stats.

Cheers,

Simon
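Editor's note: the plan below is an added, illustrative Automation Framework YAML for the set-up described in the question (context, form authentication, requestor job, AJAX Spider job) and for the verification-plus-stats check suggested in the reply. It is not from either post, nor is it the ZAP project's own Testfire page. Assumptions: the Testfire login form posts to http://testfire.net/doLogin with fields uid and passw (standard Altoro Mutual behaviour, not confirmed on this page); cookie-based session management is used instead of the empty header-based setting the Authentication Tester produced, because Testfire tracks sessions with a JSESSIONID cookie; the logged-in/logged-out regexes (Sign Off / Login) are taken from the site's page text; the statistic names stats.auth.state.loggedin and stats.auth.state.loggedout are the names ZAP's authentication code records, as I understand them. Credentials are the public demo ones.

```yaml
# Added example plan (not from the thread). Run headless with:
#   zap.sh -cmd -autorun /path/to/testfire-plan.yaml
# or load it via the Automation tab in the GUI.
env:
  contexts:
    - name: "testfire"
      urls:
        - "http://testfire.net"
      includePaths:
        - "http://testfire.net.*"
      excludePaths:
        # Keep the crawler away from the logout link, or it ends its own session.
        - "http://testfire.net/logout.jsp"
      authentication:
        method: "form"
        parameters:
          loginPageUrl: "http://testfire.net/login.jsp"
          # ASSUMPTION: form action and field names of the Testfire login page.
          loginRequestUrl: "http://testfire.net/doLogin"
          loginRequestBody: "uid={%username%}&passw={%password%}"
        verification:
          # Poll an authenticated page and decide logged-in vs logged-out by regex.
          # Getting this right is what makes the auth stats meaningful.
          method: "poll"
          # ASSUMPTION: "Sign Off" is only present on pages served to a logged-in user.
          loggedInRegex: "\\QSign Off\\E"
          loggedOutRegex: "\\QLogin\\E"
          pollFrequency: 60
          pollUnits: "requests"
          pollUrl: "http://testfire.net/bank/main.jsp"
      sessionManagement:
        # Cookie-based, not header-based with empty fields: Testfire uses JSESSIONID.
        method: "cookie"
      users:
        - name: "admin"
          credentials:
            username: "admin"
            password: "admin"
  parameters:
    failOnError: true
    failOnWarning: false
    progressToStdout: true

jobs:
  # 1. Sanity check: one authenticated request that must return 200.
  - type: requestor
    parameters:
      user: "admin"
    requests:
      - url: "http://testfire.net/bank/main.jsp"
        method: GET
        responseCode: 200

  # 2. AJAX Spider as the same user, with a hard time limit so it cannot run
  #    for 20+ minutes. Its requests do not appear in the History tab when
  #    started from the Automation Framework; rely on the tests below instead.
  - type: spiderAjax
    parameters:
      context: "testfire"
      user: "admin"
      url: "http://testfire.net/bank/main.jsp"
      maxDuration: 5        # minutes
      maxCrawlDepth: 5
      numberOfBrowsers: 1
      browserId: "firefox-headless"
    tests:
      - name: "ajax spider found authenticated pages"
        type: stats
        statistic: "spiderAjax.urls.added"
        operator: ">="
        value: 5
        onFail: "warn"
      # ASSUMPTION: these are the statistic names ZAP records for its
      # verification polls; the plan fails if ZAP never saw a logged-in state
      # or saw the logged-out state after the polls began.
      - name: "verification saw logged-in state"
        type: stats
        site: "http://testfire.net"
        statistic: "stats.auth.state.loggedin"
        operator: ">="
        value: 1
        onFail: "error"
      - name: "verification never saw logged-out state"
        type: stats
        site: "http://testfire.net"
        statistic: "stats.auth.state.loggedout"
        operator: "<="
        value: 0
        onFail: "error"
```

Usage note: the two stats tests are the scriptable form of "use the stats" from the reply. The same counters can be inspected in the GUI (Tools --> Statistics) or over the API with the stats view allSitesStats, filtering on the keyPrefix stats.auth; if loggedin stays at 0 while the requestor job returned 200, the verification regexes, not the credentials, are what need fixing. Log output for the spider and the authentication helper goes to zap.log in the ZAP home directory, and the log level can be raised in Options --> Logging.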