Authentication Methods

Authentication Methods are the means by which ZAP actually authenticates to a web app.

The following methods are supported:

Manual Authentication

This is the default method; it means that you handle authentication yourself, for example by logging in through a browser proxied via ZAP.

Auto Detect

Auto-Detect Authentication indicates that the Authentication Request Identification passive scan rule should attempt to configure the Authentication method automatically.

Browser Based Authentication

Browser Based Authentication works in the browser and will attempt to fill in the correct credentials for the specified user.

This is often the most effective option, especially for modern apps which you need to explore using the Ajax Spider.

Browser Based Authentication can be configured with manual authentication steps. These can handle any number of forms and fields, as well as TOTP.
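As an added illustration that is not part of the original page, this is how a context with Browser Based Authentication and one user can be declared in a ZAP Automation Framework plan; the URLs, user name and credential values are placeholders, and the parameter names are taken from the Automation Framework's env section and should be checked against the documentation for your ZAP version.

```yaml
# Added example (not from the page): Automation Framework env section
# declaring one context that authenticates with the browser-based method.
env:
  contexts:
    - name: "Target App"                      # placeholder context name
      urls:
        - "https://app.example.test"          # placeholder base URL
      authentication:
        method: "browser"                     # Browser Based Authentication
        parameters:
          loginPageUrl: "https://app.example.test/login"  # placeholder login page
          loginPageWait: 5                    # seconds to wait for the page to settle
          browserId: "firefox-headless"       # browser ZAP launches to perform the login
      users:
        - name: "test-user"                   # placeholder user name
          credentials:
            username: "test-user"             # placeholder, supply a real test account
            password: "${TEST_USER_PASSWORD}" # read from an environment variable, not hard-coded
```

With this in place, jobs that run with the user (for example the Ajax Spider) are started in an authenticated session rather than as an anonymous client.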

Client Script Authentication

Client Script Authentication works in the browser and runs the configured client side Zest script, which will typically have been recorded in a browser.

This is a good option for modern apps which have a more complex authentication flow than can be handled by Browser Based Authentication.

HTTP / NTLM Authentication

This method handles both HTTP and NTLM authentication. You will need to supply the hostname, port and realm.

Form-based Authentication

⚠️ Warning

This is no longer recommended as it is not effective for modern apps.

Form-based Authentication handles traditional HTML FORMs with user and password fields which are submitted using a standard HTTP GET or POST.

JSON-based Authentication

⚠️ Warning

This is no longer recommended as it is not effective for modern apps.

JSON-based Authentication handles form-based authentication where the user and password fields are submitted as a JSON object using an HTTP POST.

Script-based Authentication

‼️ Caution

This option gives you complete control, but it is hard to get right, and so only recommended as a last resort.

Script-based Authentication allows you to use a script which will give you complete control over the authentication process.

For examples, see the authentication directory in the Community Scripts repo.
