Question Regarding Access Control Scan – 302 Redirect Instead of 403


Hiển Vũ Ngọc

Jul 2, 2025, 5:50:02 AM7/2/25
to ZAP User Group
Hi all,
I hope this message finds you well.
I'm new to zaproxy (2.16.1).

I'm currently using the Access Control Testing add-on in OWASP ZAP, and I have a question regarding the expected behavior of HTTP responses during access rule validation.

In my test setup, I’ve configured certain routes to be denied for specific roles (e.g., student). However, when scanning, the application returns a 302 redirect instead of a 403 Forbidden, even though the route is effectively inaccessible. This causes some confusion in interpreting the results.

I would like to ask:

  1. Does the Access Control Testing add-on treat a 302 redirect as a valid “denied” response, or should the application explicitly return a 403 status code for denied access to be correctly identified?

  2. In cases where the user is technically not authorized to access a page, but the server returns a redirect (e.g., to a login or home page), how does ZAP interpret that behavior during rule evaluation?

  3. Is there a way to configure ZAP to recognize certain redirects as “access denied” conditions (e.g., by analyzing the Location header or response body)?

Any clarification or guidance on how to properly configure this behavior would be greatly appreciated.

Thank you very much for your support.

Best regards,

Simon Bennetts

Jul 7, 2025, 1:06:53 PM7/7/25
to ZAP User Group
Hiya,

I must admit that I have not looked at this add-on for a long time.
It looks like the last significant changes were made in 2018.

You could try configuring a custom auth issue page? https://www.zaproxy.org/docs/desktop/start/features/custompages/

Cheers,

Simon
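The heuristic the question asks for (treating a redirect to a login page, or a 200 whose body carries a deny message, as "access denied" rather than only a 403) can be checked outside ZAP as well. The following is an added example written for this thread; it is not code from the original posts, from the Access Control Testing add-on, or from ZAP itself. It parses raw HTTP responses, classifies each as allowed, denied or unknown, and compares the result against an expected access matrix of (role, path) rules, which is the same kind of comparison the add-on performs. The login paths, deny markers, role names, URLs and sample responses are all constructed assumptions for a hypothetical application.

```python
"""Classify HTTP responses for access-control checks (added example, not ZAP code).

A 302 to a login page is treated as 'denied' alongside 401/403; a redirect
elsewhere is 'unknown' and flagged for manual review; a 200 whose body contains
a deny message is a 'soft' denial.
"""
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Assumed for the hypothetical target application: where unauthenticated or
# unauthorized users get bounced to, and phrases a deny page would contain.
LOGIN_PATHS = ("/login", "/signin", "/auth")
DENY_MARKERS = ("access denied", "forbidden", "please log in")
REDIRECT_CODES = {301, 302, 303, 307, 308}


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)  # header names lower-cased
    body: str = ""


def parse_raw_response(raw: str) -> Response:
    """Parse a raw HTTP/1.x response: status line, headers, blank line, body."""
    raw = raw.replace("\r\n", "\n")
    head, _, body = raw.partition("\n\n")
    lines = head.split("\n")
    status = int(lines[0].split()[1])  # "HTTP/1.1 302 Found" -> 302
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return Response(status, headers, body)


def classify(resp: Response) -> str:
    """Return 'denied', 'allowed' or 'unknown' for one response."""
    if resp.status in (401, 403):
        return "denied"
    if resp.status in REDIRECT_CODES:
        # Only the path matters; Location may be relative or absolute.
        path = urlparse(resp.headers.get("location", "")).path.lower()
        if any(path.startswith(p) for p in LOGIN_PATHS):
            return "denied"
        return "unknown"  # redirected somewhere else: needs a human look
    if 200 <= resp.status < 300:
        body = resp.body.lower()
        if any(marker in body for marker in DENY_MARKERS):
            return "denied"  # 200 carrying a deny message
        return "allowed"
    return "unknown"


def evaluate(rules: dict, observed: dict) -> list:
    """Compare expected access per (role, path) with what was observed.

    rules:    {(role, path): 'allowed' | 'denied'}
    observed: {(role, path): Response}
    Returns (role, path, expected, actual) for every mismatch, including
    'unknown' results so that ambiguous redirects are not silently passed.
    """
    findings = []
    for key, expected in rules.items():
        resp = observed.get(key)
        actual = classify(resp) if resp is not None else "unknown"
        if actual != expected:
            findings.append((key[0], key[1], expected, actual))
    return findings


# Constructed sample responses for a hypothetical app (not captured traffic).
SAMPLES = {
    ("student", "/admin/grades"):
        "HTTP/1.1 302 Found\r\nLocation: /login?next=%2Fadmin%2Fgrades\r\nContent-Length: 0\r\n\r\n",
    ("student", "/courses"):
        "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html><body>Your courses</body></html>",
    ("student", "/admin/users"):
        "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html><body>User list</body></html>",
    ("teacher", "/admin/grades"):
        "HTTP/1.1 403 Forbidden\r\n\r\nForbidden",
    ("student", "/reports"):
        "HTTP/1.1 302 Found\r\nLocation: /home\r\n\r\n",
}

# Constructed access matrix: what each role should get for each path.
RULES = {
    ("student", "/admin/grades"): "denied",
    ("student", "/courses"): "allowed",
    ("student", "/admin/users"): "denied",
    ("teacher", "/admin/grades"): "allowed",
    ("student", "/reports"): "denied",
}


def run_sample() -> list:
    """Parse the samples and return the access-control findings."""
    observed = {key: parse_raw_response(raw) for key, raw in SAMPLES.items()}
    return evaluate(RULES, observed)


if __name__ == "__main__":
    for role, path, expected, actual in run_sample():
        print(f"{role:8} {path:15} expected={expected:8} actual={actual}")
```

With these samples the student's 302 to /login on /admin/grades is correctly counted as denied, while the 200 on /admin/users shows up as a real access-control finding, the teacher's unexpected 403 as a broken allow rule, and the redirect to /home on /reports as "unknown" so that it is reviewed rather than assumed to be a denial. The same classification could be applied to responses pulled out of ZAP's history, but the block above runs stand-alone on the constructed input.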

kingthorin+zap

Jul 8, 2025, 11:12:11 AM7/8/25
to ZAP User Group