Does ZAP support multiple authentications strategy at the same time


Matteo Orefice

Nov 3, 2021, 7:59:19 AM11/3/21
to OWASP ZAP User Group
Hi 

I would like to know whether it is possible to set up multiple auth strategies at the same time. We have many staging sites which have basic HTTP auth + form-based login to enter the restricted area, so we would need to send HTTP basic auth and also have cookie-based session management active.

When we launch the spider, for example, we can only select a context, which in turn has only one auth strategy.

Thanks

Simon Bennetts

Nov 3, 2021, 9:13:59 AM11/3/21
to OWASP ZAP User Group
This is exactly why ZAP supports multiple contexts - so you can define things like different authentication for different parts of your app.
Having said that, you will still need to run the spider once for each context with the relevant users; ZAP won't be able to use different auth strategies for the same scan.
Supporting multiple contexts and auth strategies in one scan could be very tricky :/

Cheers,

Simon

Matteo Orefice

Nov 3, 2021, 10:19:38 AM11/3/21
to OWASP ZAP User Group
Hi Simon, thanks for the quick answer! We guessed that using different strategies for the same scan might not be feasible in ZAP...

Our client owns many HTTPS staging sites behind basic HTTP auth to hide them from search engines, and we cannot control this auth mechanism. Moreover, we need to test this environment because it cannot be duplicated on our local dev env. This is the only site we can test because it is surrounded by a big ecosystem of other modules/services.

Exploring other ZAP options and plugins, we found a solution: using the replacer plugin to force the Authorization header to pass the first auth layer.

Thanks for the clarifications, have a nice day

Simon Bennetts

Nov 3, 2021, 10:28:36 AM11/3/21
to OWASP ZAP User Group
No problem.

FYI you can also use the automation env vars instead of the replacer: https://www.zaproxy.org/docs/desktop/start/features/authentication/#envvars

Cheers,

Simon
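The two approaches mentioned in this thread, as an added example that is not part of the original posts or of the ZAP project: the outer HTTP Basic layer is supplied once via the ZAP_AUTH_HEADER / ZAP_AUTH_HEADER_VALUE / ZAP_AUTH_HEADER_SITE environment variables from the linked docs page (or, alternatively, as a replacer rule), so the context's own authentication stays free for the inner form-based login. The host, credentials, port and the exact YAML layout of the replacer job are assumptions for illustration; check them against the current ZAP docs before use.

```shell
#!/bin/sh
# Added example (not from the thread or the ZAP project).
# Goal: inject a fixed "Authorization: Basic ..." header into every ZAP request
# to one staging host, while the ZAP context handles the form-based login.

# Build the header value "Basic base64(user:pass)".
# printf '%s' avoids a trailing newline in the encoded input; tr -d strips the
# line wrap that some base64 implementations add for long inputs.
basic_auth_header() {
    _user=$1
    _pass=$2
    printf 'Basic %s' "$(printf '%s' "$_user:$_pass" | base64 | tr -d '\n')"
}

# Export the three variables ZAP reads at startup (names from the docs page
# linked above). ZAP_AUTH_HEADER_SITE limits the injection to one host, so the
# credentials are not sent to third-party domains the spider may follow.
export_zap_auth_env() {
    export ZAP_AUTH_HEADER="Authorization"
    export ZAP_AUTH_HEADER_VALUE="$(basic_auth_header "$1" "$2")"
    export ZAP_AUTH_HEADER_SITE="$3"
}

# Alternative: the same header as a replacer job for the automation framework.
# The field layout is assumed from the framework's replacer job; verify it.
replacer_job_yaml() {
    cat <<EOF
  - type: replacer
    parameters:
      deleteAllRules: true
    rules:
      - description: "Staging HTTP Basic auth (outer layer)"
        url: "https://$3/.*"
        matchType: req_header
        matchString: Authorization
        replacement: "$(basic_auth_header "$1" "$2")"
        tokenProcessing: false
EOF
}

# Usage with placeholder values; only launches ZAP when invoked with "run" and
# zap.sh is on PATH, so the script is safe to source or run offline.
if [ "${1:-}" = "run" ]; then
    export_zap_auth_env "staging-user" "${STAGING_PASS:-}" "staging.example.com"
    if command -v zap.sh >/dev/null 2>&1; then
        zap.sh -daemon -port 8090 -config api.key="${ZAP_API_KEY:-}"
    fi
fi
```

Because the header is applied to every request for the named site, keep ZAP_AUTH_HEADER_SITE set; without it the Basic credentials would ride along to any host the spider reaches. Pass the password through an environment variable rather than on the command line so it does not end up in shell history or process listings.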

Matteo Orefice

Nov 4, 2021, 6:58:17 AM11/4/21
to OWASP ZAP User Group
Ohhh, very nice! It was my fault for not having read the page before. Thanks Simon

Simon Bennetts

Nov 4, 2021, 7:00:59 AM11/4/21
to OWASP ZAP User Group
We should make this much more obvious - I don't think many people are aware of it :/
We're planning on writing a whole set of authentication docs but these things take time...

Matteo Orefice

Nov 4, 2021, 10:09:02 AM11/4/21
to OWASP ZAP User Group
Another doc (which helped me) could be merged in: https://docs.google.com/document/d/1ZwJoIORtS10gvgJBJ4zuEKoQEMJ8mcMT1TlXlbmTCn8

A not-so-obvious fact was that HTTP Basic auth needs the Context -> User section filled in; I have read many users asking where to put the credentials.

Bye
