
I am using Basic HTTP Authentication to log into my Web Application. The credentials are Base64 encoded and sent to the Server. OWASP ZAP Proxy is intercepting the request and I can see the Authorization header included in my HTTP request. I want to include the authentication details in scan properties ahead of the scan. Please let me know how to do it in OWASP ZAP.

This link may help in answering my question.

Anders
Krishna Pandey

1 Answer


You need to add your app to a Context and then set up HTTP Authentication for it: https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsAuthentication#httpntlm-authentication

Simon Bennetts
  • When I right-click and go to "Flag as Context", I get the option "Default Context: Form-based Auth Login Request". I switch it to "HTTP/NTLM Authentication" and provide Hostname, Port, Realm and Regex Pattern for logged-in and logged-out response messages. What I am not able to understand is where ZAP keeps/shows the credentials? – Krishna Pandey Nov 04 '15 at 10:42
  • ZAP stores the credentials in its session, which is an HSQLDB database. If you persist that session and reload it at a later date then it will still have the credentials. You can also export and import Contexts, which will also include the credentials, but won't include all of the history and issues from the session - these are just config files. – Simon Bennetts Nov 10 '15 at 10:42
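The same steps the answer and comments describe (create a Context, include the app in it, switch the Context to HTTP authentication with hostname/port/realm, set the logged-in and logged-out regexes, and store a user's credentials in the session) can be scripted against ZAP's REST API instead of clicking through the GUI. The block below is an added example, not code from the original post or from the ZAP project. It is written against the method names of the `zapv2` Python client (`python-owasp-zap-v2.4`); the `FakeZap` recorder, the hostname `app.example.com`, the user `alice` and the regexes are constructed stand-ins so the flow can run offline. Against a live ZAP you would pass `ZAPv2(apikey=..., proxies={...})` from `zapv2` in place of `FakeZap()`.

```python
from urllib.parse import urlencode


def http_auth_params(hostname, port, realm):
    """Build the authMethodConfigParams string for ZAP's 'httpAuthentication' method.
    ZAP expects a URL-encoded query string; urlencode escapes spaces and '&' safely."""
    return urlencode({"hostname": hostname, "port": str(port), "realm": realm})


def credential_params(username, password):
    """Build the authCredentialsConfigParams string for a ZAP user."""
    return urlencode({"username": username, "password": password})


def configure_http_auth(zap, context_name, include_regex, hostname, port, realm,
                        username, password, logged_in_regex, logged_out_regex):
    """Create a Context with HTTP auth and one enabled user; returns (context_id, user_id).

    'zap' is any object exposing the zapv2 client namespaces used below."""
    context_id = zap.context.new_context(context_name)
    zap.context.include_in_context(context_name, include_regex)
    zap.authentication.set_authentication_method(
        context_id, "httpAuthentication", http_auth_params(hostname, port, realm))
    # These regexes are what ZAP uses to tell a logged-in from a logged-out response.
    zap.authentication.set_logged_in_indicator(context_id, logged_in_regex)
    zap.authentication.set_logged_out_indicator(context_id, logged_out_regex)
    # The credentials live on a user in the Context (persisted in the session DB).
    user_id = zap.users.new_user(context_id, username)
    zap.users.set_authentication_credentials(
        context_id, user_id, credential_params(username, password))
    zap.users.set_user_enabled(context_id, user_id, "true")
    # Forced-user mode makes every request from ZAP (spider, scanner) use this user.
    zap.forcedUser.set_forced_user(context_id, user_id)
    zap.forcedUser.set_forced_user_mode_enabled("true")
    return context_id, user_id


class _Namespace:
    """Records every call made on a zapv2-style namespace (constructed test double)."""

    def __init__(self, log, name, returns):
        self._log, self._name, self._returns = log, name, returns

    def __getattr__(self, method):
        def call(*args):
            self._log.append((self._name, method, args))
            return self._returns.get(method, "OK")
        return call


class FakeZap:
    """Constructed stand-in for zapv2.ZAPv2 so the flow can be exercised offline."""

    def __init__(self):
        self.calls = []
        self.context = _Namespace(self.calls, "context", {"new_context": "1"})
        self.authentication = _Namespace(self.calls, "authentication", {})
        self.users = _Namespace(self.calls, "users", {"new_user": "0"})
        self.forcedUser = _Namespace(self.calls, "forcedUser", {})


if __name__ == "__main__":
    fake = FakeZap()
    ctx, uid = configure_http_auth(
        fake, "MyApp", r"https://app.example.com.*", "app.example.com", 443,
        "Secure Area", "alice", "s3cret", r"\QLogout\E", r"\Q401 Unauthorized\E")
    for entry in fake.calls:
        print(entry)
```

Because the credentials end up in the ZAP session rather than in the script, scanning with a persisted session (or an exported Context file) reuses them without the script being re-run; conversely, anyone who can read that session or Context export can read the password, so treat those files like any other credential store.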