Client Script Authentication

This add-on adds a new authentication type which uses a browser to log in to the target website.

This functionality leverages Zest scripts (which may have been recorded via the ZAP Browser Extension) to log in.

Automation Framework

Client Script Authentication can be configured in the environment section of an Automation Framework plan using:

      authentication:
        method: "client"
        parameters:
          script: /path/to/RecordedAuth.zst  # String, the path to the Zest login script
          scriptInline:                      # String, the full script (may be multi-line); supply this or 'script', not both
          scriptEngine: Mozilla Zest         # String, the script engine used for the login script
          diagnostics:                       # Bool, enables the recording of diagnostic data during the authentication. Default: false
          loginPageWait:                     # Int, the time in seconds to wait after the script has run. Default: 5
          minWaitFor:                        # Int, the minimum "Wait For" time in seconds applied to each client statement. Default: 0

Refer to the Authentication Report for more details on the diagnostics.

Zest client element statements include a “Wait For” parameter in milliseconds, which is the maximum time Zest will wait for the relevant element to become accessible. If the element becomes accessible before the “Wait For” time has elapsed, the script carries on and does not wait for the full time. The “minWaitFor” parameter above (in seconds) allows you to extend (but not shorten) the time the script will wait for each element. This can be very useful if the target site sometimes runs slowly. Increasing “minWaitFor” will not increase the overall login time as long as all of the elements appear within the time limit; it only increases the time taken in failure cases, for example where an element never appears.
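The following is a complete environment section that puts the parameters above into context. It is an added example, not taken from the add-on's own documentation: the context name, target URL, script path and user credentials are placeholders, and the wait values were chosen to illustrate the behaviour described above.

```yaml
env:
  contexts:
    - name: "Shop"                                  # constructed example context
      urls:
        - "https://shop.example.test"               # placeholder target URL
      authentication:
        method: "client"
        parameters:
          # Path to the Zest login script recorded with the ZAP Browser Extension.
          # Use 'scriptInline' with the full script text instead if you prefer to
          # embed it; do not supply both.
          script: /opt/zap/scripts/ShopLogin.zst    # placeholder path
          scriptEngine: Mozilla Zest
          diagnostics: true                         # record diagnostic data, reported in the Authentication Report
          loginPageWait: 10                         # wait 10 s after the script finishes before the login is considered complete
          minWaitFor: 2                             # no client element statement waits less than 2 s for its element
      users:
        - name: "shop-user"                         # the user selected by the spiders / scans
          credentials:
            username: "REPLACE_WITH_USERNAME"        # placeholders, not real credentials
            password: "REPLACE_WITH_PASSWORD"
  parameters:
    failOnError: true                               # stop the plan if the environment cannot be set up
    progressToStdout: true
```

With `minWaitFor: 2`, a client statement recorded with a “Wait For” of 1000 ms will be allowed up to 2000 ms for its element to appear, while a statement recorded with 5000 ms keeps its 5000 ms, since the setting only ever lengthens the wait. On a responsive site the login takes exactly as long as it did before; the extra allowance is only consumed when an element is slow to appear or never appears at all.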

Client Spider and AJAX Spider Integration

The Client or AJAX Spider will automatically log in if the user specified for the scan belongs to a context that uses Client Script Authentication.

Note that this uses the Selenium integration detailed below, so any browsers launched manually will also be logged in while the Client or AJAX Spider is performing an authenticated scan using Client Script Authentication.

Selenium Integration

Any browsers launched by ZAP can be configured to always log in first, using the details configured in a context.

Note that due to restrictions in the core:

  • Existing contexts are not updated in the GUI if you add or remove this add-on
  • Client Script Based Authentication cannot be added to a context via the API (unless used with ZAP 2.16.1 or later)

These restrictions will be addressed in a future release.

Latest code: ClientScriptBasedAuthenticationMethodType.java