This guide shows you how to authenticate with OWASP ZAP using a script, allowing it to scan protected areas of your web application. We\u2019ll cover setting up the script and testing it.<\/p>\n
Open Your Script: In ZAP, go to Tools > Options<\/em>. The core of authentication lies in the script itself. Here\u2019s an example using JavaScript to handle basic HTTP authentication:<\/p>\n function scan(helper, ctx) { Explanation:<\/p>\n scan(helper, ctx): This function is called for each request ZAP intercepts. You need a way for ZAP to obtain the authentication token (username\/password). Here\u2019s how you can implement that:<\/p>\n function getAuthenticationToken() { if (!username || !password) { ctx.setOption(“authentication.username”, username); \/\/ Encode the credentials in Base64. Explanation:<\/p>\n ctx.getOption(“authentication.username”) and ctx.getOption(“authentication.password”): Attempts to retrieve cached credentials from ZAP\u2019s options. Add the getAuthenticationToken() function to your script *before* the scan() function.<\/p>\n Save Your Script: Save the changes to your authentication script. Incorrect URL: Double-check that the URL condition in your script (startsWith()) is correct. The post ZAP Script Authentication: A Step-by-Step Guide<\/a> appeared first on Blog | G5 Cyber Security<\/a>.<\/p>","protected":false},"excerpt":{"rendered":" TL;DR This guide shows you how to authenticate with OWASP ZAP using a script, allowing it to scan protected areas of your web application. We\u2019ll cover setting up the script and testing it. Setting Up Authentication in ZAP Open Your Script: In ZAP, go to Tools > Options. Navigate to Scripts: Select the \u2018Scripts\u2019 tab. […]<\/p>\n","protected":false},"author":0,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[],"class_list":["post-6409","post","type-post","status-publish","format-standard","hentry","category-news"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/6409"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=6409"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/6409\/revisions"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=6409"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=6409"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=6409"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
\nNavigate to Scripts: Select the \u2018Scripts\u2019 tab.
\nAdd a New Script: Click \u2018Add\u2019. Give your script a meaningful name (e.g., \u2018MyAuthenticationScript\u2019). Choose a suitable language (JavaScript is common).<\/p>\nWriting the Authentication Script<\/h2>\n
\n var request = helper.request;
\n \/\/ Check if the request needs authentication (e.g., by URL)
\n if (request.getURL().toString().startsWith(“https:\/\/your-protected-app\/admin\/”)) {
\n \/\/ Add Authentication Header
\n request.addHeader(“Authorization”, “Basic ” + helper.getAuthenticationToken());
\n }
\n}<\/p>\n
\nhelper.request: Provides access to the current HTTP request object.
\nrequest.getURL().toString(): Gets the URL of the request as a string.
\nstartsWith(“https:\/\/your-protected-app\/admin\/”): Checks if the URL starts with your protected application\u2019s admin path. Replace this with your actual URL!<\/em>
\nrequest.addHeader(“Authorization”, “Basic ” + helper.getAuthenticationToken()): Adds an \u2018Authorization\u2019 header to the request, including a basic authentication token. The helper.getAuthenticationToken() function is crucial; we\u2019ll define this next.<\/p>\nGetting the Authentication Token<\/h2>\n
\n \/\/ Prompt user for credentials if not already cached.
\n var username = ctx.getOption(“authentication.username”);
\n var password = ctx.getOption(“authentication.password”);<\/p>\n
\n var dialog = new Dialog();
\n dialog.setTitle(“Authentication Required”);
\n dialog.setPromptText(“Username:”, username);
\n dialog.setPromptText(“Password:”, password);
\n dialog.showDialog();
\n username = dialog.getValue(“Username”);
\n password = dialog.getValue(“Password”);<\/p>\n
\n ctx.setOption(“authentication.password”, password);
\n }<\/p>\n
\n var encodedCredentials = btoa(username + ‘:’ + password);
\n return encodedCredentials;
\n}<\/p>\n
\nThe if (!username || !password) block prompts the user for credentials if they aren\u2019t already stored.
\nbtoa(username + ‘:’ + password): Encodes the username and password in Base64, which is required for Basic Authentication.<\/p>\nAdding the Token Function to Your Script<\/h2>\n
Testing the Script<\/h2>\n
\nEnable the Script: In ZAP, ensure the script is enabled (checkbox ticked in the Scripts tab).
\nBrowse Your Application: Start browsing your protected application. ZAP will intercept requests and apply the authentication header if it matches your URL condition.
\nCheck the History Tab: Verify that the \u2018Authorization\u2019 header is being added to requests targeting your protected areas in ZAP\u2019s History tab. Select a request, then look at the \u2018Request\u2019 tab. You should see the header present.<\/p>\nTroubleshooting<\/h2>\n
\nBase64 Encoding: Ensure the username and password are correctly encoded in Base64.
\nAuthentication Type: This example uses Basic Authentication. Adjust the script if your application uses a different authentication method (e.g., API keys, OAuth).<\/p>\n