Testing ZAP authentication handling against a range of test and real world applications.
Columns:
- Type:
  - stdbba: Standard Browser Based Authentication, just the login URL and credentials, no additional configuration
  - bbaplus: Browser Based Authentication with some additional configuration
  - csa: Client Script Authentication, using a client side Zest script to authenticate
- Auth: Did ZAP succeed in authenticating to this site? This is the key column.
- Username: Did ZAP find the username field? Only applicable to Browser Based Auth.
- Password: Did ZAP find the password field? Only applicable to Browser Based Auth.
- Session Mgmt: Did ZAP identify the session management method?
- Verification: Did ZAP identify a suitable verification URL?
Site | Type | Auth | Username | Password | Session Mgmt | Verification | Note |
---|---|---|---|---|---|---|---|
http://aspnet.testsparker.com | stdbba | ✓ Passed | ✓ | ✓ | ✓ | ✓ | |
https://authenticationtest.com/complexAuth/ | bbaplus | ✓ Passed | ✓ | ✓ | ✓ | ✓ | |
https://authenticationtest.com/complexAuth/ | stdbba | ❌ Failed | ✓ | ✓ | ✓ | ❌ | |
https://authenticationtest.com/simpleFormAuth/ | bbaplus | ✓ Passed | ✓ | ✓ | ✓ | ✓ | |
https://authenticationtest.com/simpleFormAuth/ | stdbba | ❌ Failed | ✓ | ✓ | ✓ | ❌ | |
https://bsky.app | stdbba | ✓ Passed | ✓ | ✓ | ✓ | ✓ | BBA is failing verification detection. |
https://ctflearn.com | stdbba | ✓ Passed | ✓ | ✓ | ✓ | ✓ | |
https://defendtheweb.net | stdbba | ✓ Passed | ✓ | ✓ | ✓ | ✓ | |
https://ginandjuice.shop | stdbba | ✓ Passed | ✓ | ✓ | ✓ | ✓ | |
https://hack-yourself-first.com | stdbba | ✓ Passed | ✓ | ✓ | ✓ | ✓ | |
https://infosec.exchange | stdbba | ❌ Failed | ✓ | ✓ | ✓ | ✓ | |
https://www.instagram.com | stdbba | ❌ Failed | ✓ | ✓ | ✓ | ❌ | BBA is failing due to popups. |
https://www.linkedin.com | stdbba | ✓ Passed | ✓ | ✓ | ✓ | ✓ | |
https://bugzilla.mozilla.org | stdbba | ✓ Passed | ✓ | ✓ | ✓ | ✓ | |
http://php.testsparker.com | stdbba | ✓ Passed | ✓ | ✓ | ✓ | ✓ | |
https://www.reddit.com | stdbba | ❌ Failed | ✓ | ✓ | ✓ | ✓ | |
http://testasp.vulnweb.com | stdbba | ✓ Passed | ✓ | ✓ | ✓ | ✓ | |
http://testfire.net | bbaplus | ✓ Passed | ✓ | ✓ | ✓ | ✓ | CSA is failing due to use of autodetect. |
http://testfire.net | csa | ✓ Passed | — | — | ✓ | ✓ | CSA is failing due to use of autodetect. |
http://testfire.net | stdbba | ✓ Passed | ✓ | ✓ | ✓ | ✓ | CSA is failing due to use of autodetect. |
http://testhtml5.vulnweb.com | stdbba | ❌ Failed | ✓ | ✓ | ❌ | ✓ | |
http://testphp.vulnweb.com | stdbba | ✓ Passed | ✓ | ✓ | ✓ | ✓ | |
https://en.wikipedia.org | stdbba | ❌ Failed | ✓ | ✓ | ✓ | ✓ | |
https://zoom.us | stdbba | ❌ Failed | ✓ | ✓ | ✓ | ❌ | BBA is failing due to popups. |
Configuration
Config | Details |
---|---|
Frequency | Daily & On-demand |
Scripts | https://github.com/zapbot/zap-mgmt-scripts/blob/master/scans/auth/ |
Action | https://github.com/zapbot/zap-mgmt-scripts/blob/master/.github/workflows/auth-tests.yml |
Settings
The latest nightly ZAP Docker image is run with its default settings against all of these apps; no site-specific exceptions are configured.