I am currently trying to scan our web application with OWASP ZAP, but I am facing an issue which I cannot seem to solve.
The problem is that in order to scan the application I need to sign in. I followed multiple online tutorials and also the documentation, and I tried doing the following:
- Create a general context for the app entry point (the first `GET` request)
- Flag the form-based authentication (`POST` request) as `Default Context : Form-based Auth Login Request`
- Open the URL in the browser
However, ZAP sends a `GET` request instead of a `POST` request, so our app returns `405 Method Not Allowed`, as a `POST` request must be used for authentication instead of the `GET` request that was sent.
How can I create a context that sends a `POST` authentication request to the application instead of a `GET`?
I am trying to figure this out so that I can later automate it using the weekly image in Docker with the `-c <exported_context_file>` flag to scan our web application on a regular basis.
Could you please suggest how to do this?
Thanks
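The context configuration described in the question, built through the ZAP REST API instead of the desktop UI, as an added example that is not part of the original post. ZAP's form-based authentication method issues the login as a `POST` only when `loginRequestData` is set; with an empty body it falls back to `GET`, which is the behaviour the post describes. The ZAP address, API key, target host, login path, form field names, credentials and logged-in regex below are all assumed values for illustration. Note that `authMethodConfigParams` is one URL-encoded string of `key=value` pairs, and the whole string is encoded again when it travels as a query parameter; the script does both encodings so the `{%username%}` placeholders arrive intact.

```python
"""Create a ZAP context with form-based (POST) authentication via the ZAP API.

Added example, not code from the original post or from the ZAP project.
Everything in ASSUMED_* is an assumption chosen for illustration.
"""
import json
import urllib.parse
import urllib.request

ASSUMED_ZAP_URL = "http://localhost:8080"   # assumed: ZAP API/proxy address
ASSUMED_API_KEY = "changeme"                # assumed: ZAP API key
ASSUMED_TARGET = "https://app.example.test" # assumed: application under test


def encode_params(pairs):
    """Encode a dict into ZAP's 'k1=v1&k2=v2' config string (first encoding level).

    ZAP splits authMethodConfigParams / authCredentialsConfigParams on '&' and '=',
    so every value must be percent-encoded here, before the string is sent as a
    single query parameter (where urlencode applies the second level).
    """
    return urllib.parse.urlencode(pairs)


def api_url(component, action, params):
    """Build a ZAP JSON API action URL, e.g. /JSON/context/action/newContext/?..."""
    query = urllib.parse.urlencode({**params, "apikey": ASSUMED_API_KEY})
    return f"{ASSUMED_ZAP_URL}/JSON/{component}/action/{action}/?{query}"


def zap_send(component, action, params):
    """Call the ZAP API over HTTP and return the decoded JSON response."""
    with urllib.request.urlopen(api_url(component, action, params), timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


def setup_form_auth(send, *, context_name, include_regex, login_url,
                    login_request_data, username, password, logged_in_regex):
    """Create a context whose login is a POST to login_url with login_request_data.

    `send(component, action, params)` performs one API call; it is injected so the
    sequence can be exercised without a running ZAP. Returns (contextId, userId).
    """
    ctx = send("context", "newContext", {"contextName": context_name})["contextId"]
    send("context", "includeInContext",
         {"contextName": context_name, "regex": include_regex})
    # Non-empty loginRequestData is what makes ZAP submit the login as a POST.
    send("authentication", "setAuthenticationMethod", {
        "contextId": ctx,
        "authMethodName": "formBasedAuthentication",
        "authMethodConfigParams": encode_params(
            {"loginUrl": login_url, "loginRequestData": login_request_data}),
    })
    # Tells ZAP how to recognise an authenticated response so it can re-login.
    send("authentication", "setLoggedInIndicator",
         {"contextId": ctx, "loggedInIndicatorRegex": logged_in_regex})
    uid = send("users", "newUser", {"contextId": ctx, "name": username})["userId"]
    send("users", "setAuthenticationCredentials", {
        "contextId": ctx, "userId": uid,
        "authCredentialsConfigParams": encode_params(
            {"username": username, "password": password}),
    })
    send("users", "setUserEnabled", {"contextId": ctx, "userId": uid, "enabled": "true"})
    # Forced-user mode makes every request ZAP sends go out as this user.
    send("forcedUser", "setForcedUser", {"contextId": ctx, "userId": uid})
    send("forcedUser", "setForcedUserModeEnabled", {"boolean": "true"})
    return ctx, uid


if __name__ == "__main__":
    # Assumed login form: POST /login with fields 'username' and 'password'.
    ctx_id, user_id = setup_form_auth(
        zap_send,
        context_name="app",
        include_regex=ASSUMED_TARGET + ".*",
        login_url=ASSUMED_TARGET + "/login",
        login_request_data="username={%username%}&password={%password%}",
        username="scanner",          # assumed test account
        password="scanner-password", # assumed test password
        logged_in_regex=r"\QLogout\E",
    )
    print(f"context {ctx_id}, user {user_id} configured for forced-user scanning")
```

Once this has run, the context can be exported from the desktop UI (or the session saved) for reuse in automated runs, and spidering or active scanning can alternatively be started per user with the `spider`/`ascan` `scanAsUser` actions instead of forced-user mode. Put the `{%username%}` and `{%password%}` placeholders in `loginRequestData` exactly as shown; ZAP substitutes the user's credentials into them at login time.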