Authentication Methods are the means by which ZAP actually authenticates to a web app.
The following methods are supported:
Manual Authentication
This is the default method, and means that you are handling authentication yourself.
Auto Detect
Auto-Detect Authentication indicates that the Authentication Request Identification passive scan rule should attempt to configure the Authentication method automatically.
Browser Based Authentication
Browser Based Authentication launches a browser which will attempt to fill in the correct credentials for the specified user.
This is often the most effective option, especially for modern apps which you need to explore using the Ajax Spider.
HTTP / NTLM Authentication
This method handles both HTTP and NTLM authentication. You will need to supply the hostname, port and realm.
Form-based Authentication
Form-based Authentication handles traditional HTML FORMs with user and password fields which are submitted using a standard HTTP GET or POST.
JSON-based Authentication
JSON-based Authentication handles form-based authentication where the user and password fields are submitted as a JSON object using an HTTP POST.
Script-based Authentication
Script-based Authentication allows you to use a script which will give you complete control over the authentication process.
For examples see the authentication directory in the Community Scripts repo.
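The difference between the Form-based and JSON-based methods described above comes down to how the credentials are encoded into the login request body. The following is an added example, not ZAP's own code, that builds both bodies from a template. The `{%username%}` and `{%password%}` placeholders follow ZAP's login request data convention; the function names, templates and credentials are constructed for illustration.

```python
import json
import re
from urllib.parse import quote_plus

# Placeholder tokens as used in ZAP login request data.
TOKEN = re.compile(r"\{%(username|password)%\}")


def fill_template(template, username, password, encode):
    """Substitute both placeholders in one pass, encoding each value."""
    creds = {"username": username, "password": password}
    return TOKEN.sub(lambda m: encode(creds[m.group(1)]), template)


def json_escape(value):
    """Escape a value for use inside a JSON string literal."""
    return json.dumps(value)[1:-1]


def build_form_login(template, username, password):
    """Form-based: credentials go in a URL-encoded body."""
    body = fill_template(template, username, password, quote_plus)
    return {"Content-Type": "application/x-www-form-urlencoded"}, body


def build_json_login(template, username, password):
    """JSON-based: credentials go in a JSON object sent by POST."""
    body = fill_template(template, username, password, json_escape)
    json.loads(body)  # raises ValueError if the result is not valid JSON
    return {"Content-Type": "application/json"}, body


# Constructed sample data, not from a real application.
FORM_TEMPLATE = "username={%username%}&password={%password%}"
JSON_TEMPLATE = '{"username": "{%username%}", "password": "{%password%}"}'
SAMPLE_USER = "alice@example.com"
SAMPLE_PASS = 'p&ss="w0rd" x'

if __name__ == "__main__":
    for build, tpl in ((build_form_login, FORM_TEMPLATE),
                       (build_json_login, JSON_TEMPLATE)):
        headers, body = build(tpl, SAMPLE_USER, SAMPLE_PASS)
        print(headers["Content-Type"], "->", body)
```

A test password containing `&`, `=` or `"` is a quick check that a scan's login request is encoded correctly: if it reaches the application unescaped, the login fails and the scan runs unauthenticated.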