Enabling forced user mode during an automated scan


Suren Manukyan

Aug 5, 2022, 7:56:20 AM
to OWASP ZAP User Group
What would be the best way to enable forced user mode when using the automation framework? 

The way I'm doing it currently is to have a delay job running and then enabling it from the GUI by first opening the generated context, clicking OK (otherwise the GUI doesn't recognize that there is a forced user configured and greys out the "forced user mode enable" button) and then clicking on the button to enable the mode. While this is a workaround that I can do for some time, it won't work for when I want to run ZAP fully headless.

Simon Bennetts

Aug 6, 2022, 4:32:28 AM
to OWASP ZAP User Group
Can you explain why you want to use forced user mode in automation?
This option is really only intended for manual testing - I would not recommend it for automation.
To learn more about how ZAP can handle authentication see https://www.zaproxy.org/docs/authentication/

Cheers,

Simon

Suren Manukyan

Aug 8, 2022, 7:21:47 AM
to OWASP ZAP User Group
During the automation task, when I import an openapi definition, ZAP doesn't by default authenticate the requests it sends when parsing the definition, hence gets wrong/unauthenticated responses.

The only way I found to authenticate requests that the openapi parser does is to use the forced user mode.  

Simon Bennetts

Aug 9, 2022, 10:20:46 AM
to OWASP ZAP User Group
OK, so that's a good answer :)
But I don't think the solution is to support forced user mode in the Automation Framework.
I think a much better option is for the openapi job (and other related ones) to support authentication via the 'user' and 'context' fields.
I'll see what we can do about that...

Cheers,

Simon

Suren Manukyan

Aug 9, 2022, 10:22:31 AM
to OWASP ZAP User Group
I can try and work on that feature. Would you like me to open an issue on github?

Ed Holzwarth

Jun 22, 2023, 10:45:41 AM
to OWASP ZAP User Group
Hello, 
I am trying to do the same thing, is there a solution?
Thanks,
Ed

thc...@gmail.com

Jun 22, 2023, 11:17:22 AM
to zaprox...@googlegroups.com
As a workaround you could enable forced user mode using a script, or set the user into the messages being sent (which would have the same effect).

For the record the issue is:
https://github.com/zaproxy/zaproxy/issues/7739

Best regards.
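As an added illustration of the second workaround in the reply above (setting the user into the messages being sent), here is a ZAP HttpSender script; it is example code written for this thread, not code from the thread or from the ZAP project. The context name "Default Context" and the user name "test-user" are assumptions; change them to the names your automation plan defines.

```javascript
// ZAP HttpSender script (ECMAScript / Graal.js engine). Every outgoing
// request gets the chosen context user set as its requesting user, so ZAP
// authenticates it and applies the session before sending, the same thing
// forced user mode does. Add it under Scripts > httpsender and enable it.
var CONTEXT_NAME = "Default Context";   // assumption: your context name
var USER_NAME = "test-user";            // assumption: an enabled user in it

// Pure decision helper (no ZAP objects) so it can be checked outside ZAP.
// Skip messages that already carry a user and the login requests ZAP
// sends itself: giving the login request a user would make ZAP try to
// authenticate before sending the authentication request.
function shouldSetUser(initiator, hasUser, authInitiator) {
  return !hasUser && initiator !== authInitiator;
}

// Pick the enabled user with the wanted name. Works on any array of objects
// exposing getName() and isEnabled(), which ZAP's User class does.
function selectUser(users, wantedName) {
  for (var i = 0; i < users.length; i++) {
    if (users[i].getName() === wantedName && users[i].isEnabled()) {
      return users[i];
    }
  }
  return null;
}

// Resolve the user through ZAP's user management extension ("model" and
// "control" are globals ZAP provides to scripts).
function lookupUser() {
  var ExtensionUserManagement = Java.type(
      "org.zaproxy.zap.extension.users.ExtensionUserManagement");
  var context = model.getSession().getContext(CONTEXT_NAME);
  if (context === null) {
    return null;   // context not created yet, send unauthenticated
  }
  var extUsers = control.getExtensionLoader()
      .getExtension(ExtensionUserManagement.NAME);
  var users = extUsers.getContextUserAuthManager(context.getId()).getUsers();
  return selectUser(users.toArray(), USER_NAME);
}

function sendingRequest(msg, initiator, helper) {
  var HttpSender = Java.type("org.parosproxy.paros.network.HttpSender");
  var hasUser = msg.getRequestingUser() !== null;
  if (!shouldSetUser(initiator, hasUser, HttpSender.AUTHENTICATION_INITIATOR)) {
    return;
  }
  var user = lookupUser();
  if (user !== null) {
    msg.setRequestingUser(user);
  }
}

function responseReceived(msg, initiator, helper) {
  // Nothing to do on responses.
}
```

The script only affects requests sent while it is enabled, so enable it before the job that imports the OpenAPI definition runs.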