
I understand that this question already discusses how to add authentication to ZAP to attack a URL. There are some excellent answers to this question. However, my context is a bit different.

Let's say that I am already inside an authenticated webpage in ZAP HUD as shown below. I have activated HUD by clicking the Firefox button inside ZAP. Then, I have logged in to some protected site in the browser.


While logged in, I want to run AJAX Spider (and other attacks) in my current context (logged-in). That means while I am inside the site as an authenticated user.

From intuition, I tried activating the Ajax Spider by clicking the button at the right of the HUD. But it appears that all the attacks are starting from outside the site, using the login window with random usernames and passwords, not in my logged-in condition.

Please tell me how I can attack (scan) the site in the HUD while I am logged in.

Or is there anything I may be missing?

Masroor

1 Answer


You would need to configure ZAP to understand how to authenticate to your application. That is non-trivial and cannot be done just via the HUD; you would need to use the ZAP Desktop. We have a load of videos showing how to set up authentication with ZAP linked from https://www.zaproxy.org/videos/

Simon Bennetts
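The answer above points at the ZAP Desktop UI for setting up authentication. The same configuration (a context, a form-based authentication method, a logged-in indicator and an enabled user) can also be pushed into the running ZAP instance through its REST API, and since the HUD runs inside that same ZAP session, a scan started "as user" uses the configured login rather than the unauthenticated page. The script below is an added example written for this page, not code from the answer or from the ZAP project. It assumes a ZAP listening on 127.0.0.1:8080 with API key `changeme`, the `python-owasp-zap-v2.4` client (`pip install python-owasp-zap-v2.4`), and a hypothetical target `http://localhost:8000/` whose login form POSTs `username` and `password` to `/login` and shows a "Logout" link once signed in; all of those names are assumptions, not values taken from the question.

```python
import time
from urllib.parse import urlencode


def form_auth_params(login_url, user_field, pass_field):
    """Build the authMethodConfigParams string ZAP expects for
    formBasedAuthentication. ZAP substitutes {%username%} and {%password%}
    itself; the whole loginRequestData value must be URL-encoded once more
    because it is nested inside the outer key=value&key=value string."""
    request_data = f"{user_field}={{%username%}}&{pass_field}={{%password%}}"
    return urlencode({"loginUrl": login_url, "loginRequestData": request_data})


def credentials_params(username, password):
    """Build the authCredentialsConfigParams string for a ZAP user."""
    return urlencode({"username": username, "password": password})


def configure_authenticated_context(zap, context_name, include_regex, login_url,
                                    user_field, pass_field, logged_in_regex,
                                    username, password):
    """Create a ZAP context with form-based auth and one enabled user.
    `zap` is a zapv2.ZAPv2 client talking to a running ZAP (assumption).
    Returns (context_id, user_id) as the strings ZAP hands back."""
    context_id = zap.context.new_context(context_name)
    zap.context.include_in_context(context_name, include_regex)
    zap.authentication.set_authentication_method(
        context_id, "formBasedAuthentication",
        form_auth_params(login_url, user_field, pass_field))
    # ZAP re-authenticates when a response no longer matches this regex.
    zap.authentication.set_logged_in_indicator(context_id, logged_in_regex)
    user_id = zap.users.new_user(context_id, username)
    zap.users.set_authentication_credentials(
        context_id, user_id, credentials_params(username, password))
    zap.users.set_user_enabled(context_id, user_id, "true")
    return context_id, user_id


def run_ajax_spider_as_user(zap, context_name, username, target, poll_seconds=2):
    """Start the Ajax Spider as the configured user and wait for it to finish.
    Returns the number of results ZAP reports."""
    zap.ajaxSpider.scan_as_user(context_name, username, url=target)
    while zap.ajaxSpider.status == "running":
        time.sleep(poll_seconds)
    return zap.ajaxSpider.number_of_results


if __name__ == "__main__":
    from zapv2 import ZAPv2  # pip install python-owasp-zap-v2.4

    # Assumed local ZAP instance and API key.
    zap = ZAPv2(apikey="changeme",
                proxies={"http": "http://127.0.0.1:8080",
                         "https": "http://127.0.0.1:8080"})
    # Assumed hypothetical target application and credentials.
    target = "http://localhost:8000/"
    ctx, uid = configure_authenticated_context(
        zap, "demo-app", r"http://localhost:8000.*",
        "http://localhost:8000/login", "username", "password",
        r"\QLogout\E", "alice", "s3cr3t p@ss")
    print(f"context {ctx}, user {uid}")
    print("ajax spider results:", run_ajax_spider_as_user(zap, "demo-app", "alice", target))
```

The two pure helpers are where most real-world mistakes happen: if `loginRequestData` is not URL-encoded as a whole, ZAP sees the inner `&` as a separator and silently drops the password field, which produces exactly the "login page with random credentials" behaviour described in the question. Verify the result in the desktop UI under the context's Authentication and Users panels before starting the spider or active scan.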