ZAP CLI auth based scan


Dimension Guy

Apr 3, 2023, 3:58:54 AM
to OWASP ZAP User Group
Hi Team,

I'm trying to find a way to run zap.sh in daemon mode to run an auth scan on http://testphp.vulnweb.com/login.php. What I mean by that is:

1) I want to tell ZAP to go to this endpoint
2) Add username and password as test and test
3) And then capture that POST request and audit it

Is there a way to do that? I don't want to use Selenium or Playwright scripts to proxy that data. Is there a way zap.sh can do it?

Note: No zap UI.

Thanks

Simon Bennetts

Apr 3, 2023, 4:34:11 AM
to OWASP ZAP User Group
Yes, ZAP can do that.
The recommended ways to automate ZAP are listed on https://www.zaproxy.org/docs/automate/
In this case I'd recommend using the Automation Framework (AF).
You can configure an AF plan in the ZAP desktop (where it's easier to see what's going on) and then export an AF plan which you can run from the command line.

Right now setting up authentication is more complicated than we would like - you need to understand how it works and configure ZAP to handle it.

We are working towards getting ZAP to automatically configure itself to handle authentication: https://www.zaproxy.org/blog/2023-01-19-authentication-help/

Cheers,

Simon
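An added example of what such an exported AF plan and headless run look like for the login form in the question; this is illustrative code, not from the thread or the ZAP project. It assumes login.php posts the fields "uname" and "pass" to userinfo.php, and the two verification regexes are placeholders to adjust to the real logged-in and logged-out responses.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed: login.php posts "uname" and
# "pass" to userinfo.php; the verification regexes are placeholders to adjust.
TARGET="${TARGET:-http://testphp.vulnweb.com}"
# write_af_plan PATH: AF plan that logs in as test/test, then spiders and
# active-scans the context as that user and writes an HTML report.
write_af_plan() {
  cat > "$1" <<EOF
env:
  contexts:
    - name: vulnweb
      urls:
        - $TARGET
      authentication:
        method: form
        parameters:
          loginPageUrl: $TARGET/login.php
          loginRequestUrl: $TARGET/userinfo.php
          loginRequestBody: uname={%username%}&pass={%password%}
        verification:
          method: response
          loggedInRegex: 'Logout'
          loggedOutRegex: 'login\.php'
      sessionManagement:
        method: cookie
      users:
        - name: test
          credentials:
            username: test
            password: test
  parameters:
    failOnError: true
    progressToStdout: true
jobs:
  - type: spider
    parameters:
      context: vulnweb
      user: test
  - type: activeScan
    parameters:
      context: vulnweb
      user: test
  - type: report
    parameters:
      template: traditional-html
      reportDir: /tmp/zap-report
EOF
}
# run_af_plan PATH: headless run with no UI; ZAP exits when the plan completes.
run_af_plan() { zap.sh -cmd -autorun "$1"; }
```

Usage: `write_af_plan /tmp/auth-scan.yaml && run_af_plan /tmp/auth-scan.yaml`; check the spider and active scan output for the authenticated pages to confirm the login actually held.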