Adding authentication in ZAP tool to attack a URL
How to pass authentication details to the ZAP tool to scan the website. Please help me to solve the problem.
Answer
Quite old question but here it goes.
The most simple way to do this is setting your browser to Proxy through ZAP. On Firefox you can go to:
Options -> Advanced -> Network -> Settings.
Select Manual Proxy Configuration and fill the HTTP Host with the address of the machine running ZAP (most probably localhost) and the configured ZAP port.
You can check and configure ZAP port opening ZAP and accessing:
Tools -> Options -> Local Proxy.
Then open your web browser and login to your application. Now go to ZAP, in the Sites tab (left side of ZAP), select your site, right click on it and select:
Include in Context -> Default Context
Now open the HTTP Sessions tab right click on the session and "Set as Active". (HTTP Sessions Tab: View -> Show Tab -> HTTP Sessions)
Now you can perform ZAP Spider, Active Scan and so with an logged in session. If this is not your scenario, please provide more info about which authentication method your application is using.
Hope it still helps you or someone searching for similar questions. Thanks,