
ZAP provides a way to turn a login (POST) request into a login pattern (through the "mark as ..." entries in the context menu).

When the data is something like "user=toto&psswd=t@T°", it will translate it into "user={%username%}&psswd={%password%}" once you have told it that the keywords are user and psswd.

But when your data is a JSON object such as {"user":"toto","psswd":"t@T°"}, ZAP is unable to detect which keyword can be used, even though the Content-Type of the original request specifies it, and proposes {"user":"toto","psswd":"t@T°"} as both the username and the password keyword, which prevents you from defining a correct login pattern.

Do you know of a tip for getting through form-based authentication with ZAP?


Unfortunately, at this time there is an outstanding feature request for handling authentication via a JSON object: https://github.com/zaproxy/zaproxy/issues/2439

One alternative is to record a scripted authentication.


Update:

The previously discussed functionality is now available: https://github.com/zaproxy/zaproxy/pull/4624

If you want to use it, you'll either have to use a weekly release: https://github.com/zaproxy/zaproxy/wiki/Downloads#zap-weekly

or wait for the next full release (likely 2.8.0).

The corresponding PR to update the help content for the new JSON Authentication functionality is here: https://github.com/zaproxy/zap-core-help/pull/188/files if you want to check it out.

You set it up the same way you would for form-based authentication. Make sure you define a Logged-in or Logged-out Identifier (or both). Here are some screenshots to help you along:

Manually configure the authentication for your Context (screenshot: Context Authentication Settings).

Use the Site Tree context menu(s) to set it up (screenshot: Flag a JSON request as the Context's "Login Request").

Select the associated username and password fields (screenshot).

Here's an additional help link that might assist you in getting authentication setup: https://github.com/zaproxy/zaproxy/wiki/FAQformauth

  • I should have looked further into issues. Thanks for pointing out the request and the alternative as well!
    – Marvin
    Commented Mar 15, 2018 at 11:34
  • 1
    Hey Marvin, the functionality is now available. I've updated the answer.
    – kingthorin
    Commented May 5, 2018 at 7:39
  • That's awesome! I'll try it asap! Thanks for the information
    – Marvin
    Commented May 14, 2018 at 7:09
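The question's two login bodies, run through a Content-Type-aware login-pattern builder, as an added example for this thread (it is neither ZAP's code nor the answerer's). The {%username%} and {%password%} placeholders and the two sample bodies are taken from the question; the function names, the `+json` media-type handling and the round-trip helper are assumptions made for illustration. The point it makes: parsing a JSON body with the form parser yields the whole object as a single "field" (the behaviour the question describes), whereas parsing per Content-Type gives the real field names, a template whose encoding matches the body, and a renderer that escapes credentials correctly for each body type.

```python
"""
Content-type-aware "login pattern" builder for a captured login request.

Added example for this thread, not ZAP's own code. The {%username%} and
{%password%} placeholders are the ones the question shows; the two sample
bodies are the question's. Function names and JSON handling are illustrative.
"""
import json
import re
from urllib.parse import parse_qsl, quote

USERNAME_PH = "{%username%}"
PASSWORD_PH = "{%password%}"
PLACEHOLDER_RE = re.compile(r"\{%(username|password)%\}")

# Constructed sample requests, copied from the question text.
FORM_CT = "application/x-www-form-urlencoded"
FORM_BODY = "user=toto&psswd=t@T\u00b0"
JSON_CT = "application/json"
JSON_BODY = '{"user":"toto","psswd":"t@T\u00b0"}'


def body_kind(content_type: str) -> str:
    """Map a Content-Type header value (parameters ignored) to 'form' or 'json'."""
    mime = content_type.split(";", 1)[0].strip().lower()
    if mime == "application/x-www-form-urlencoded":
        return "form"
    if mime == "application/json" or mime.endswith("+json"):  # assumption: treat +json suffixes as JSON
        return "json"
    raise ValueError(f"unsupported login body type: {content_type!r}")


def naive_form_fields(body: str) -> list:
    """Field names seen when a body is parsed as a form regardless of its type.
    Fed a JSON object, this returns the whole object as one 'field', which is
    the behaviour the question describes."""
    return [name for name, _ in parse_qsl(body, keep_blank_values=True)]


def candidate_fields(body: str, content_type: str) -> list:
    """Field names that can be marked as username/password, parsed per type.
    For JSON only top-level string members qualify."""
    if body_kind(content_type) == "form":
        return naive_form_fields(body)
    data = json.loads(body)
    if not isinstance(data, dict):
        raise ValueError("JSON login body must be an object")
    return [k for k, v in data.items() if isinstance(v, str)]


def login_template(body: str, content_type: str, user_field: str, pass_field: str) -> str:
    """Replace the marked fields' values with placeholders, preserving the
    body's own encoding so the result can be sent back as-is."""
    names = candidate_fields(body, content_type)
    if user_field == pass_field or user_field not in names or pass_field not in names:
        raise ValueError(f"username/password fields must be two of {names}")
    marks = {user_field: USERNAME_PH, pass_field: PASSWORD_PH}
    if body_kind(content_type) == "form":
        parts = []
        for name, value in parse_qsl(body, keep_blank_values=True):
            # placeholders are kept verbatim; every other value is re-encoded
            parts.append(quote(name, safe="") + "=" + marks.get(name, quote(value, safe="")))
        return "&".join(parts)
    data = json.loads(body)
    data.update(marks)  # keeps the original member order
    return json.dumps(data, ensure_ascii=False, separators=(",", ":"))


def render_login(template: str, content_type: str, username: str, password: str) -> str:
    """Fill a template for one user, escaping credentials for the body type
    (percent-encoding for forms, JSON string escaping for JSON) in a single
    pass, so a credential that itself contains a placeholder is not expanded."""
    if body_kind(content_type) == "form":
        def enc(s): return quote(s, safe="")
    else:
        def enc(s): return json.dumps(s, ensure_ascii=False)[1:-1]  # strip the quotes
    creds = {"username": enc(username), "password": enc(password)}
    return PLACEHOLDER_RE.sub(lambda m: creds[m.group(1)], template)


def parse_login(body: str, content_type: str) -> dict:
    """Decode a rendered body back into its fields (round-trip check)."""
    if body_kind(content_type) == "form":
        return dict(parse_qsl(body, keep_blank_values=True))
    return json.loads(body)


if __name__ == "__main__":
    print("form parse of the JSON body:", naive_form_fields(JSON_BODY))
    for ct, body in ((FORM_CT, FORM_BODY), (JSON_CT, JSON_BODY)):
        tpl = login_template(body, ct, "user", "psswd")
        print(ct, "->", tpl)
        print("   rendered:", render_login(tpl, ct, "alice", 'p@ss"w0rd'))
```

The renderer escapes per body type on purpose: a form template must percent-encode the `@` and `°` of the question's password, while a JSON template must backslash-escape quotes and backslashes, and doing the substitution in one regex pass means a credential containing `{%password%}` cannot be expanded a second time.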
