This add-on adds a new authentication type which uses a browser to log in to the target website.
This functionality leverages Zest scripts (which may have been recorded via the ZAP Browser Extension) to log in.
Client Script Authentication can be configured in the environment section of an Automation Framework plan using:
authentication:
  method: "client"
  parameters:
    script: /path/to/RecordedAuth.zst   # String, the path to the Zest login script
    scriptEngine: Mozilla Zest          # The script engine used for the login script
The Client or AJAX Spider will automatically log in if a user is specified which is in a context that uses Client Script Authentication.
Note that this uses the Selenium integration detailed below, so any browsers launched manually will also be logged in if the Client or AJAX spider is performing an authenticated scan using Client Script Authentication.
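A pre-flight check for the settings above, as an added example that is not part of the add-on or its documentation: it flags a missing or unparseable login script and a context with no user, either of which would leave the spiders scanning unauthenticated. It assumes the plan has already been parsed into a dict (for instance with a YAML loader) and that contexts sit under `env` / `contexts` with a `users` list, a layout taken from the Automation Framework plan format rather than from this page; `check_client_auth` and `demo` are hypothetical names.

```python
import json
import os
import tempfile

def check_client_auth(plan):
    """Return a list of problems found in client script authentication settings."""
    problems = []
    for ctx in plan.get("env", {}).get("contexts", []):  # assumed plan layout
        name = ctx.get("name", "<unnamed>")
        auth = ctx.get("authentication") or {}
        if auth.get("method") != "client":
            continue  # only contexts using Client Script Authentication
        params = auth.get("parameters") or {}
        script = params.get("script")
        # Assumption: a Zest login script is always run by the "Mozilla Zest" engine
        if params.get("scriptEngine") != "Mozilla Zest":
            problems.append(f"{name}: expected scriptEngine 'Mozilla Zest'")
        if not script or not os.path.isfile(script):
            problems.append(f"{name}: login script not found: {script}")
        else:
            try:  # Zest scripts are JSON documents
                with open(script, encoding="utf-8") as fh:
                    if not isinstance(json.load(fh), dict):
                        raise ValueError("top level is not an object")
            except (ValueError, OSError) as exc:
                problems.append(f"{name}: login script is not valid Zest JSON: {exc}")
        # The spiders only log in when a user is specified for the context
        if not ctx.get("users"):
            problems.append(f"{name}: no user defined, spiders will not log in")
    return problems

def demo():
    # Constructed sample data: a stand-in Zest script and two parsed plans
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "RecordedAuth.zst")
        with open(path, "w", encoding="utf-8") as fh:
            json.dump({"title": "constructed login script", "statements": []}, fh)
        auth = {"method": "client",
                "parameters": {"script": path, "scriptEngine": "Mozilla Zest"}}
        good = {"env": {"contexts": [{"name": "app", "authentication": auth,
                                      "users": [{"name": "test-user"}]}]}}
        bad = {"env": {"contexts": [{"name": "app", "authentication": {
            "method": "client",
            "parameters": {"script": path + ".missing", "scriptEngine": "Zest"}}}]}}
        return check_client_auth(good), check_client_auth(bad)

if __name__ == "__main__":
    for result in demo():
        print(result or "OK")
```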
Any browsers launched by ZAP can be configured to always log in first using the details configured in a context. Note that due to restrictions in the core:
These restrictions will be addressed in a future release.
Latest code: ClientScriptBasedAuthenticationMethodType.java