1

I need to attack endpoints via OWASP ZAP tool (got 2.5.0 version). I tested endpoints via Postman. I`ve got Authorization with Type: Basic Auth, Username:exampleUserName, Password: examplePass.

Please could you give me any hints, how to set up Basic Auth in OWASP ZAP please?

I set up User for my Context. What esle is needed?

Found solution:

1) Control Panel -> Internet Options -> Connections ->LAN Settings -> check "Use a proxy for etc." -> click OK

2) Send request via Postman with Basic Auth

3) The endpoint is visible in OWASP ZAP tool, in Sites section

4) right click on endpoint, choose Atack action

Dominika
  • 235
  • 1
  • 4
  • 14

1 Answers1

3

We have a FAQ for that :) How can ZAP automatically authenticate via forms?

Copied here for reference:

Via the UI:

  1. Explore your app while you proxying through ZAP
  2. Login using a valid username and password
  3. Define a Context, e.g. by right-clicking the top node of your app in the Sites tab and selecting "Include in Context"
  4. Find the 'Login request' in the Sites or History tab
  5. Right click it and select "Flag as Context" / "Form-based Auth Login request"
  6. Check that the Username and Password parameters are set correctly - they almost certainly won't be!
  7. Find a string in a response which can be used to determine if the user is logged in or not
  8. Highlight this string, right click and select "Flag as Context" / "Logged in/out Indicator" as relevant - you only need to set one of these, not both
  9. Double-click on the relevant Context node and navigate to the "Users" page - check the user details are correct, add any other users you want to use and enable them all
  10. Navigate to the Context "Forced User" page and make sure the user you want to test is selected
  11. The "Forced User Mode disabled - click to enable" button should now be enabled
  12. Pressing this button in will cause ZAP to resend the authentication request whenever it detects that the user is no longer logged in, i.e. by using the 'logged in' or 'logged out' indicator.

If the "Forced User Mode disabled - click to enable" button is not enabled then you have not configured enough information for ZAP to authenticate - double check that you have performed all the above steps.

If you have enabled "forced user mode" and are still not logged in when you access your application then look at the requests in the History tab:

  • If there is no login request then you have probably not chosen a
    suitable "logged in/out" indicator, try changing it and trying again
  • If there is a login request then look at the requests and response and see if you can work out why the login failed - you may need to change the request or even make multiple requests

If you need to make multiple requests to login then the best option is to record a Zest authentication script and to test this isolated first.

The FAQ also details how to set up authentication via the ZAP API.

Gander
  • 1,854
  • 1
  • 23
  • 30
Simon Bennetts
  • 5,479
  • 1
  • 14
  • 26