ZAP Authentication Guide


Simon Bennetts

Apr 11, 2024, 12:35:50 PM
to ZAP User Group
We have an all new ZAP Authentication Guide: https://www.zaproxy.org/docs/authentication/

If you ask any general authentication questions here then you will be directed to this guide :)

If it doesn't help you then let us know exactly what happened when you followed it, otherwise we'll just ask you for those details and it will take you longer to get any useful feedback.

Also, let us know if anything in the guide is confusing or could be improved in any way.

Many thanks,

Simon

M S

Apr 11, 2024, 3:41:23 PM
to ZAP User Group
OMG Simon Thank you, thank you , thank you!!!!
This guide saved me!

I have a salesforce app and I tried to authenticate for 2 days with no success. Following the Guide steps I almost managed.
I had all green bulbs in authentication tester tool so I followed all guide steps.

The automation managed to login (I saw it in a browser) and in output tab the final message is Authentication successful.

I just have one message in automation output that worries me:

Difference in response code values for message POST https://example/s/sfsites/aura?r=1&aura.ApexAction.execute=1 Expected : 200 Received : 411
and in History Tab the last request response is: 
<HTML><HEAD>
<TITLE>Bad Request</TITLE>
</HEAD><BODY>
<H1>Bad Request</H1>
Your browser sent a request that this server could not understand.<P>
Reference&#32;&#35;7&#46;ac645e68&#46;1712863173&#46;22cf7763
<P>https&#58;&#47;&#47;errors&#46;edgesuite&#46;net&#47;7&#46;ac645e68&#46;1712863173&#46;22cf7763</P>
</BODY>
</HTML>


I feel like I'm really close

M S

Apr 12, 2024, 3:20:27 AM
to ZAP User Group
In Authentication guide 
Action: Test the Context
Action: Configure and Run the Plan
  1. Add a suitable URL - this should be in scope
Is this the Login URL (the same I provided in Authentication Tester) or the actual POST request to authenticate user?

M S

Apr 12, 2024, 4:25:43 AM
to ZAP User Group
Is it possible that Authentication Tester shows all green lights but in fact ZAP can't verify authenticated user?
Here is diagnostic from Auth Tester.  
Any help will be appreciated 

diagnostics.json

Simon Bennetts

Apr 15, 2024, 4:36:47 AM
to ZAP User Group
Answer below..

On Friday 12 April 2024 at 08:20:27 UTC+1 stru...@gmail.com wrote:
In Authentication guide 
Action: Test the Context
Action: Configure and Run the Plan
  1. Add a suitable URL - this should be in scope
Is this the Login URL (the same I provided in Authentication Tester) or the actual POST request to authenticate user?

Neither :)
We need to supply a URL to ZAP that will cause it to login.
Say you have a site:
Which has a login URL of
And the login form POSTs to
as the "suitable URL that is in scope".
I'll look at trying to make this clearer in the guide.

Cheers,

Simon
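As an added illustration (not part of Simon's reply or the ZAP guide itself), here is a minimal ZAP Automation Framework context in which the "suitable URL in scope" is the site's base URL, not the login page and not the authentication POST. The hostname, login page path, user name and the logged-in/logged-out regexes are placeholders that must be replaced with the target application's own values.

```yaml
# Added example: assumed site https://example/ with a login page at
# https://example/login; the context URL is the site base, which is what
# the guide's "suitable URL - this should be in scope" refers to.
env:
  contexts:
    - name: "example-app"
      urls:
        - "https://example/"          # site base URL, in scope
      includePaths:
        - "https://example/.*"
      excludePaths: []
      authentication:
        method: "browser"             # browser-based auth, as in the guide
        parameters:
          loginPageUrl: "https://example/login"   # placeholder login page
          loginPageWait: 5
          browserId: "firefox-headless"
        verification:
          method: "poll"
          loggedInRegex: "\\QLogout\\E"           # placeholder: seen only when logged in
          loggedOutRegex: "\\QLogin\\E"           # placeholder: seen only when logged out
          pollFrequency: 60
          pollUnits: "requests"
          pollUrl: "https://example/"             # placeholder page to poll
      sessionManagement:
        method: "autodetect"
      users:
        - name: "test-user"                       # placeholder user
          credentials:
            username: "CHANGE_ME"
            password: "CHANGE_ME"
  parameters:
    failOnError: true
    progressToStdout: true

jobs:
  # Request the in-scope base URL as the user; ZAP detects it is not logged
  # in, runs the browser login, and then verifies the session before continuing.
  - type: requestor
    parameters:
      user: "test-user"
    requests:
      - url: "https://example/"
```

Note that the POST to the login endpoint is never listed anywhere: ZAP issues it itself when the browser-based login runs.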