Authentication Methods are the means by which ZAP actually authenticates to a web app.
The following methods are supported:
Manual Authentication
This is the default method, and means that you are handling authentication yourself.
Auto Detect
Auto-Detect Authentication indicates that the Authentication Request Identification passive scan rule should attempt to configure the Authentication method automatically.
Browser Based Authentication
Browser Based Authentication works in the browser and will attempt to fill in the correct credentials for the specified user.
This is often the most effective option, especially for modern apps that you need to explore using the Ajax Spider.
Browser Based Authentication can be configured with manual authentication steps. These can handle any number of forms and fields, as well as TOTP.
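As an added example (not from the page or the ZAP project itself), this is how Browser Based Authentication is selected for a context in a ZAP Automation Framework plan; the URLs, credentials and the logged-in/logged-out regexes are placeholders that must be replaced with values for the target app.

```yaml
# Automation Framework 'env' section selecting Browser Based Authentication.
# All URLs, credentials and regexes below are placeholders (assumptions).
env:
  contexts:
    - name: "app-context"
      urls:
        - "https://app.example.test"
      authentication:
        method: "browser"
        parameters:
          # The page ZAP opens in the browser to fill in the user's credentials
          loginPageUrl: "https://app.example.test/login"
          # Seconds to wait for the login page to finish rendering before filling the form
          loginPageWait: 5
          # Headless browser used for the login (assumed to be installed)
          browserId: "firefox-headless"
        verification:
          # Poll a known authenticated URL so ZAP can detect a lost session and re-login
          method: "poll"
          pollUrl: "https://app.example.test/account"
          pollFrequency: 60
          pollUnits: "requests"
          loggedInRegex: "\\QSign out\\E"
          loggedOutRegex: "\\QSign in\\E"
      sessionManagement:
        method: "cookie"
      users:
        - name: "test-user"
          credentials:
            username: "test-user@example.test"
            password: "PLACEHOLDER-PASSWORD"
```

The placeholder password should be supplied from an environment variable or secret store rather than committed with the plan.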
Client Script Authentication
Client Script Authentication works in the browser and runs the configured client side Zest script, which will typically have been recorded in a browser.
This is a good option for modern apps which have a more complex authentication flow than can be handled by Browser Based Authentication.
HTTP / NTLM Authentication
This method handles both HTTP and NTLM authentication. You will need to supply the hostname, port and realm.
Form-based Authentication
⚠️ Warning
This is no longer recommended as it is not effective for modern apps.
Form-based Authentication handles traditional HTML forms with user and password fields that are submitted using a standard HTTP GET or POST.
JSON-based Authentication
⚠️ Warning
This is no longer recommended as it is not effective for modern apps.
JSON-based Authentication handles form-based authentication where the user and password fields are submitted as a JSON object using an HTTP POST.
Script-based Authentication
‼️ Caution
This option gives you complete control, but it is hard to get right, and so only recommended as a last resort.
Script-based Authentication allows you to use a script which will give you complete control over the authentication process.
For examples see the authentication directory in the Community Scripts repo.