When using the automated scan option with OWASP Zap, you supply the URL to attack. This will spider and attack the provided URL, based on selected options.
But this is often the login page. Given known credentials, how do I log in and then continue scanning (preferably either by one click on the Automated Scan button or via a command-line full scan)?
I found the official docs to be the most helpful:
- Set up a context for the web application
- Set up the session management method to Cookie-based Session Management
- Make sure your browser proxies everything through ZAP and log into your application using the browser
- Go to ZAP and identify the request that was done for the login (most usually it’s an HTTP POST request containing the username and the password and possibly other elements)
- If there is an anti-CSRF token in the login request, add the token name in Options Anti CSRF screen, if not present.
- Set up the authentication method:
  - Right click on the authentication request and ‘Flag as Context… Form-based Auth Login Request’
  - A window will be opened already containing the request URL and the parameters (if any). Use the dropdown options to select which of the parameters correspond to the username and to the password
- Set up the authentication verification strategy:
  - Select a message which has a suitable logged in or logged out indicator e.g. a logout link or a welcome message
  - Select the relevant text, right click on it and select either ‘Flag as Context… Authentication Logged-in Indicator’ or ‘Flag as Context… Authentication Logged-out Indicator’ as appropriate
- Define as many users as you need in the Session Properties -> Users section.
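The same steps can be driven from the command line through ZAP's JSON API, which answers the "scriptable full scan" part of the question. The script below is an added example, not code from the answer or from the ZAP project; it assumes a local ZAP listening on 127.0.0.1:8080 with the API enabled, a placeholder API key, a login form whose fields are named `username` and `password`, and an optional `fetch` callable so the request sequence can be exercised without a running ZAP.

```python
import json
import urllib.parse
import urllib.request

ZAP_API = "http://127.0.0.1:8080"  # assumption: local ZAP daemon with the API enabled
API_KEY = "CHANGE-ME"              # placeholder: use the key from ZAP's API options


def zap_call(component, action, params, fetch=None):
    """Call one ZAP JSON API action (GET) and return the decoded response."""
    query = urllib.parse.urlencode({**params, "apikey": API_KEY})
    url = f"{ZAP_API}/JSON/{component}/action/{action}/?{query}"
    fetch = fetch or (lambda u: urllib.request.urlopen(u).read())
    return json.loads(fetch(url))


def configure_authenticated_scan(target, login_url, username, password,
                                 logged_in_regex, logged_out_regex, fetch=None):
    """Replay the manual context/auth/user steps from the answer via the API,
    then spider and actively scan the target as the defined user."""
    ctx = "authenticated-app"
    ctx_id = zap_call("context", "newContext", {"contextName": ctx}, fetch)["contextId"]
    zap_call("context", "includeInContext", {"contextName": ctx, "regex": target + ".*"}, fetch)
    # Cookie-based session management, as in the answer's second step.
    zap_call("sessionManagement", "setSessionManagementMethod",
             {"contextId": ctx_id, "methodName": "cookieBasedSessionManagement"}, fetch)
    # Form-based auth: ZAP substitutes {%username%} / {%password%} per user.
    login_data = "username={%username%}&password={%password%}"
    auth_cfg = urllib.parse.urlencode({"loginUrl": login_url, "loginRequestData": login_data})
    zap_call("authentication", "setAuthenticationMethod",
             {"contextId": ctx_id, "authMethodName": "formBasedAuthentication",
              "authMethodConfigParams": auth_cfg}, fetch)
    # Logged-in / logged-out indicators let ZAP detect session loss and re-authenticate.
    zap_call("authentication", "setLoggedInIndicator",
             {"contextId": ctx_id, "loggedInIndicatorRegex": logged_in_regex}, fetch)
    zap_call("authentication", "setLoggedOutIndicator",
             {"contextId": ctx_id, "loggedOutIndicatorRegex": logged_out_regex}, fetch)
    # Define and enable one user with credentials for this context.
    user_id = zap_call("users", "newUser", {"contextId": ctx_id, "name": username}, fetch)["userId"]
    creds = urllib.parse.urlencode({"username": username, "password": password})
    zap_call("users", "setAuthenticationCredentials",
             {"contextId": ctx_id, "userId": user_id, "authCredentialsConfigParams": creds}, fetch)
    zap_call("users", "setUserEnabled", {"contextId": ctx_id, "userId": user_id, "enabled": "true"}, fetch)
    # Spider and active scan as that user: the scripted equivalent of "Automated Scan" while logged in.
    spider = zap_call("spider", "scanAsUser", {"contextId": ctx_id, "userId": user_id, "url": target}, fetch)["scan"]
    ascan = zap_call("ascan", "scanAsUser", {"url": target, "contextId": ctx_id, "userId": user_id}, fetch)["scan"]
    return {"context": ctx_id, "user": user_id, "spider": spider, "ascan": ascan}
```

Poll `spider/view/status` and `ascan/view/status` with the returned scan ids to know when each phase has finished before pulling the alerts.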