Form based authentication

fg

May 10, 2022, 11:52:28 AM5/10/22
to OWASP ZAP User Group
Hi,

I'm new to ZAP, and I want to use the form-based authentication method to scan my application. Unfortunately, the "Login Form Target URL" has an additional query string of the form /account/login?id=UUID. Of course the UUID changes at each new authentication and is generated by an IdP server I'm redirected to when I want to authenticate in my application.

Is there a way to use a regex in the "Login Form Target URL" so that ZAP uses the id=UUID coming from a previous request when it does the POST request?

Thanks,
Frank

Simon Bennetts

May 10, 2022, 11:56:58 AM5/10/22
to OWASP ZAP User Group
Hi Frank,

Is the "id" parameter present in the login page?
If so, then you could flag that parameter as an Anti-CSRF token, and as long as you specify the right page to GET it should all work.

If it's a little bit more involved than that, then I'm afraid you'll have to use scripting.

Also see the new authentication docs (which are WIP): https://www.zaproxy.org/docs/authentication/

Cheers,

Simon
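An added illustration of the approach in the reply above (this is not ZAP's own code, and it does not call the ZAP API): when a parameter is flagged as an Anti-CSRF token, ZAP GETs the login page, pulls that parameter's current value out of the form, and substitutes it into the login POST. The helper below does the same over a constructed login page whose form action carries the id=UUID query string from the question. The page markup, the host app.example, the field names username/password/returnUrl, and the UUID value are all assumptions made for the example.

```python
"""Illustration of the Anti-CSRF-token approach to a per-login id=UUID parameter.

Not ZAP code: it mimics what ZAP does once "id" is registered as an Anti-CSRF
token, so the behaviour (and its limit) can be checked offline.
"""
import uuid
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode, urljoin, urlsplit, urlunsplit

# Constructed login page (assumption): the form action carries the fresh id.
SAMPLE_LOGIN_PAGE = """
<html><body>
<form method="post" action="/account/login?id=1b4e28ba-2fa1-11d2-883f-0016d3cca427">
  <input type="hidden" name="returnUrl" value="/home">
  <input type="text" name="username">
  <input type="password" name="password">
</form>
</body></html>
"""


class _LoginFormParser(HTMLParser):
    """Collect the first <form>'s action and its hidden <input> fields."""

    def __init__(self):
        super().__init__()
        self.action = None
        self.hidden = {}
        self._in_form = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and self.action is None:
            self._in_form = True
            self.action = a.get("action", "")
        elif tag == "input" and self._in_form and a.get("type", "").lower() == "hidden":
            if a.get("name"):
                self.hidden[a["name"]] = a.get("value", "")

    def handle_endtag(self, tag):
        if tag == "form":
            self._in_form = False


def parse_login_form(login_page_html, base_url):
    """Return (absolute form action URL, hidden fields) or (None, {}) if no form."""
    p = _LoginFormParser()
    p.feed(login_page_html)
    if p.action is None:
        return None, {}
    return urljoin(base_url, p.action), p.hidden


def find_token(login_page_html, base_url, token_name):
    """Value of token_name on the login page, or None if the page lacks it.

    Checks the form action's query string first (the /account/login?id=UUID
    case), then hidden inputs. None is exactly the situation where flagging
    the parameter as an Anti-CSRF token cannot work and a script is needed.
    """
    action_url, hidden = parse_login_form(login_page_html, base_url)
    if action_url is None:
        return None
    qs = parse_qs(urlsplit(action_url).query)
    if token_name in qs:
        return qs[token_name][0]
    return hidden.get(token_name)


def build_login_request(login_page_html, base_url, token_name, username, password):
    """Build (target_url, urlencoded_post_body) for the login POST.

    The token value read from the freshly fetched page is placed into the
    target URL's query string, so each login uses the id the IdP just issued.
    """
    token = find_token(login_page_html, base_url, token_name)
    if token is None:
        raise ValueError(f"login page does not carry '{token_name}'; use an authentication script")
    uuid.UUID(token)  # the thread says the value is a UUID; reject anything else
    action_url, hidden = parse_login_form(login_page_html, base_url)
    parts = urlsplit(action_url)
    query = parse_qs(parts.query)
    query[token_name] = [token]
    target = urlunsplit(parts._replace(query=urlencode(query, doseq=True)))
    body = dict(hidden)
    body.update({"username": username, "password": password})
    return target, urlencode(body)


if __name__ == "__main__":
    url, body = build_login_request(SAMPLE_LOGIN_PAGE, "https://app.example/account/login",
                                    "id", "frank", "s3cret")
    print("POST", url)
    print(body)
```

The practical check this gives you before touching ZAP: fetch the login page once with curl or the ZAP history, and confirm the id value is actually in that response (form action or hidden input). If it is, register "id" under Options > Anti CSRF Tokens and point the form-based method at that page; if the id only ever appears in a redirect from the IdP and never in the page body, the token approach has nothing to extract and the scripting route applies.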