Adding authentication in ZAP tool to attack a URL

Question

How to pass authentication details to the ZAP tool to scan the website. Please help me to solve the problem.

Recommended answer

Quite old question but here it goes.

The most simple way to do this is setting your browser to Proxy through ZAP. On Firefox you can go to:

Options -> Advanced -> Network -> Settings.

Select Manual Proxy Configuration and fill the HTTP Host with the address of the machine running ZAP (most probably localhost) and the configured ZAP port.

You can check and configure the ZAP port by opening ZAP and accessing:

Tools -> Options -> Local Proxy.

Then open your web browser and login to your application. Now go to ZAP, in the Sites tab (left side of ZAP), select your site, right click on it and select:

Include in Context -> Default Context

Now open the HTTP Sessions tab, right click on the session and "Set as Active". (HTTP Sessions Tab: View -> Show Tab -> HTTP Sessions)

Now you can perform ZAP Spider, Active Scan and so on with a logged in session. If this is not your scenario, please provide more info about which authentication method your application is using.

Hope it still helps you or someone searching for similar questions. Thanks,
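
The context and active-session steps above, scripted against ZAP's JSON API as an added example that is not part of the original answer. It assumes ZAP listens on localhost:8080 with the API enabled and that you have already logged in through the proxy; the target URL, the session name "Session 0" and the API key are constructed placeholders.

```python
import json
import re
import urllib.parse
import urllib.request

ZAP = "http://localhost:8080"   # assumption: ZAP local proxy address and port
CONTEXT = "Default Context"     # context name used in the answer


def api_url(component, kind, name, **params):
    """Build a ZAP JSON API URL such as /JSON/context/action/includeInContext/."""
    query = urllib.parse.urlencode(params)
    return f"{ZAP}/JSON/{component}/{kind}/{name}/?{query}"


def build_plan(target, session):
    """Return the ordered API calls for one target URL and one HTTP session."""
    parts = urllib.parse.urlsplit(target)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"not an http(s) URL: {target!r}")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    site = f"{parts.hostname}:{port}"   # HTTP Sessions lists sites as host:port
    # Anchor the context to this exact origin so the scan cannot drift elsewhere.
    scope = re.escape(f"{parts.scheme}://{parts.netloc}") + ".*"
    return [
        # Include in Context -> Default Context
        api_url("context", "action", "includeInContext",
                contextName=CONTEXT, regex=scope),
        # HTTP Sessions tab -> Set as Active
        api_url("httpSessions", "action", "setActiveSession",
                site=site, session=session),
        # Read the active session back before starting Spider or Active Scan
        api_url("httpSessions", "view", "activeSession", site=site),
    ]


def run(plan, apikey):
    """Send each call to a running ZAP and return the decoded JSON replies."""
    replies = []
    for url in plan:
        req = urllib.request.Request(url, headers={"X-ZAP-API-Key": apikey})
        with urllib.request.urlopen(req, timeout=10) as resp:
            replies.append(json.load(resp))
    return replies


if __name__ == "__main__":
    # Constructed sample values; replace with your own site and session name.
    for call in build_plan("https://app.example.test/", "Session 0"):
        print(call)
```

Pass the list from `build_plan` to `run` together with your API key once ZAP is running; the last reply shows which session ZAP will use, so you can confirm the scan is authenticated before it starts.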