Recorded Login Session and replay with ZAP


Sec Guy

Jun 20, 2025, 4:16:40 AM
to ZAP User Group
Hello Team, 

I am wondering if ZAP can support a recorded login session and replay it during an active scan, similar to what AppScan does: https://help.hcl-software.com/appscan/ADAC/9.0.3/en-US/t_RecordedLogin025.html

I am trying to do security scan automation for different sets of applications that use different login mechanisms (e.g. username/password, key/secret, certificates, etc.). Thus, it is helpful to just record the login sequence and replay it during active scans by ZAP.

Any pointers on getting this security scan automation working will be helpful.

Thank you

Regards
Sec Guy

Simon Bennetts

Jun 20, 2025, 7:40:39 AM
to ZAP User Group
Hi Sec Guy,

Yes it can!
We've been making a _lot_ of improvements in ZAP's handling of authentication and unfortunately the docs haven't kept up.
We'll do our best to post some updates soon.
In the meantime I'll give a quick summary of what you'll need to do here - please ask if anything is unclear.

First you'll need to record the client side script as per: https://www.zaproxy.org/docs/desktop/addons/client-side-integration/record/

You will then need to configure Client Script Authentication with that script: https://www.zaproxy.org/docs/desktop/addons/authentication-helper/client-script/

I also recommend trying Browser Based Auth https://www.zaproxy.org/docs/desktop/addons/authentication-helper/browser-auth/ as this will handle a range of authentication screens automatically.

Cheers,

Simon
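
A ZAP Automation Framework plan that uses the Browser Based Auth method recommended in the reply above and runs the spider and active scan as the authenticated user. This is an added example, not part of the original thread or taken from the ZAP project: the target URL, context name and user name are constructed, and the password is assumed to be supplied through an environment variable set by the CI job.

```yaml
# Added example: Automation Framework plan with Browser Based Authentication.
# https://app.example.test, "demo-app" and "scan-user" are constructed values.
# Assumed invocation: zap.sh -cmd -autorun plan.yaml
env:
  contexts:
    - name: "demo-app"
      urls:
        - "https://app.example.test"
      includePaths:
        - "https://app.example.test/.*"
      authentication:
        method: "browser"                  # Browser Based Auth
        parameters:
          loginPageUrl: "https://app.example.test/login"
          loginPageWait: 5                 # seconds to wait after submitting the form
          browserId: "firefox-headless"
        verification:
          method: "autodetect"             # let ZAP work out how to tell logged-in from logged-out
      sessionManagement:
        method: "autodetect"               # cookie vs. header based sessions
      users:
        - name: "scan-user"
          credentials:
            username: "scan-user@example.test"
            # Kept out of the plan file; resolved from the environment at run time.
            password: "${ZAP_AUTH_PASSWORD}"
  parameters:
    failOnError: true                      # stop rather than scan unauthenticated
jobs:
  - type: "spider"
    parameters:
      context: "demo-app"
      user: "scan-user"
  - type: "activeScan"
    parameters:
      context: "demo-app"
      user: "scan-user"
```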