问题
How to pass authentication details to the ZAP tool to scan the website. Please help me to solve the problem.
回答1:
Quite old question but here it goes.
The most simple way to do this is setting your browser to Proxy through ZAP. On Firefox you can go to:
Options -> Advanced -> Network -> Settings.
Select Manual Proxy Configuration and fill the HTTP Host with the address of the machine running ZAP (most probably localhost) and the configured ZAP port.
You can check and configure ZAP port opening ZAP and accessing:
Tools -> Options -> Local Proxy.
Then open your web browser and login to your application. Now go to ZAP, in the Sites tab (left side of ZAP), select your site, right click on it and select:
Include in Context -> Default Context
Now open the HTTP Sessions tab right click on the session and "Set as Active". (HTTP Sessions Tab: View -> Show Tab -> HTTP Sessions)
Now you can perform ZAP Spider, Active Scan and so with an logged in session. If this is not your scenario, please provide more info about which authentication method your application is using.
Hope it still helps you or someone searching for similar questions. Thanks,
回答2:
Old question, old answer, but here is a good tutorial by one of the core developer of OWASP ZAP: https://www.youtube.com/watch?v=cR4gw-cPZOA
Quick answer: It depends on the method used for authentication. You can set the options in the Session Properties in the "Authentication" menu and you can also define different users in the "Users" menu.
来源:https://stackoverflow.com/questions/31516420/adding-authentication-in-zap-tool-to-attack-a-url