How to authenticate a form in ZAP C#?


Partha S S

Nov 22, 2021, 6:02:39 AM
to OWASP ZAP User Group
I tried using many videos and documentation and added authentication in the context, but still only the login page displays; all requests are redirected to the login page. Is any C# example available for authenticating?

Simon Bennetts

Nov 23, 2021, 4:09:41 AM
to OWASP ZAP User Group
The fact that the website is implemented in C# is irrelevant - the backend language doesn't matter, it could even be COBOL ;)
Start here - https://www.zaproxy.org/docs/authentication/ - it's work-in-progress but you'll need to understand the basics.
Next, do you understand how session handling and authentication works in your app? I mean _really_ understand them, as in exactly what needs to be sent from the browser?
If not then that's the next thing to work on - if you don't understand how these things work then you will not be able to configure ZAP to handle them.

Cheers,

Simon

Partha S S

Nov 23, 2021, 4:56:17 AM
to OWASP ZAP User Group
Thanks for the reply. I have an automation framework (C# based) which is already integrated with ZAP (uses OWASPZAPDotNetAPI). A few app-portals are working; for a few, authentication is failing. I wanted to know where I can check the logs which would help me debug the issue. I am using script-based authentication. I can see the script load is a success. But in the active scan it displays the login page rather than the requested page.

Simon Bennetts

Nov 23, 2021, 5:02:15 AM
to OWASP ZAP User Group
I strongly recommend using the ZAP desktop for debugging.
In theory you will be able to use the ZAP API for debugging but it will be _much_ more painful.

Have a look at this FAQ: https://www.zaproxy.org/faq/how-can-zap-automatically-authenticate-via-forms/ especially the Diagnosing Problems section.
The suggestions actually mostly apply to all forms of auth, not just form based.
We'll be rewriting these guidelines as part of the new auth docs.

Cheers,

Simon