ZAP attack example: adding authentication in the ZAP tool to attack a URL

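This article explains how to set the browser's proxy to the ZAP tool so that authentication details are passed through ZAP when scanning a website. First, configure a manual proxy in Firefox, setting the ZAP host address and port. After logging in to the application, include it in the Default Context from ZAP's Sites tab and activate the HTTP session. This makes it possible to run the ZAP Spider and Active Scan with a logged-in session. If the application uses a different authentication method, please provide more information.
Summary generated by CSDN using intelligent technology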

How to pass authentication details to the ZAP tool to scan the website. Please help me to solve the problem.

Solution

Quite old question but here it goes.

The simplest way to do this is to set your browser to proxy through ZAP.

On Firefox you can go to:

Options -> Advanced -> Network -> Settings.

Select Manual Proxy Configuration and fill the HTTP Host with the address of the machine running ZAP (most probably localhost) and the configured ZAP port.

You can check and configure the ZAP port by opening ZAP and accessing:

Tools -> Options -> Local Proxy.

Then open your web browser and log in to your application.

Now go to ZAP, in the Sites tab (left side of ZAP), select your site, right click on it and select:

Include in Context -> Default Context

Now open the HTTP Sessions tab, right-click on the session and select "Set as Active".

(HTTP Sessions Tab: View -> Show Tab -> HTTP Sessions)

Now you can perform ZAP Spider, Active Scan and so on with a logged-in session.

If this is not your scenario, please provide more info about which authentication method your application is using.

Hope it still helps you or someone searching for similar questions.

Thanks,
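
The GUI steps in the answer above (Include in Context, Set as Active, Spider) can also be driven through ZAP's JSON API once you have logged in through the proxied browser. This is an added example, not part of the original answer; it assumes ZAP listens on localhost:8080, and the API key, target URL and session name `Session 0` are constructed placeholders.

```python
import json
import re
import urllib.parse
import urllib.request

ZAP = "http://localhost:8080"  # assumption: address from Tools -> Options -> Local Proxy
API_KEY = "REPLACE_ME"         # placeholder: your own ZAP API key


def api_url(component, kind, name, **params):
    """Build a ZAP JSON API URL such as /JSON/context/action/includeInContext/."""
    return f"{ZAP}/JSON/{component}/{kind}/{name}/?{urllib.parse.urlencode(params)}"


def site_key(target):
    """HTTP Sessions are listed per site as host:port; derive that from the URL."""
    u = urllib.parse.urlsplit(target)
    return f"{u.hostname}:{u.port or (443 if u.scheme == 'https' else 80)}"


def context_regex(target):
    """Regex covering the whole site, with the origin escaped so '.' is literal."""
    u = urllib.parse.urlsplit(target)
    return re.escape(f"{u.scheme}://{u.netloc}") + ".*"


def plan(target, session, context="Default Context"):
    """API calls mirroring: Include in Context, Set as Active, then Spider."""
    return [
        api_url("context", "action", "includeInContext",
                contextName=context, regex=context_regex(target)),
        api_url("httpSessions", "action", "setActiveSession",
                site=site_key(target), session=session),
        api_url("spider", "action", "scan", url=target, contextName=context),
    ]


def run(target, session):
    """Send each call to a running ZAP and print its JSON reply."""
    for url in plan(target, session):
        req = urllib.request.Request(url, headers={"X-ZAP-API-Key": API_KEY})
        with urllib.request.urlopen(req, timeout=30) as resp:
            print(json.load(resp))


if __name__ == "__main__":
    # Constructed values: a local test app and the session name shown in the
    # HTTP Sessions tab after logging in through the proxied browser.
    run("http://localhost:3000/", "Session 0")
```
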
