在 ZAP 工具中添加身份验证以攻击 URL [英] Adding authentication in ZAP tool to attack a URL

问题描述

如何将身份验证详细信息传递给 ZAP 工具以扫描网站.请帮我解决问题.

How to pass authentication details to the ZAP tool to scan the website. Please help me to solve the problem.

推荐答案

很老的问题，但问题来了.

Quite old question but here it goes.

最简单的方法是通过 ZAP 将您的浏览器设置为代理.在 Firefox 上，您可以访问:

The most simple way to do this is setting your browser to Proxy through ZAP. On Firefox you can go to:

选项 -> 高级 -> 网络 -> 设置.

Options -> Advanced -> Network -> Settings.

选择手动代理配置并用运行 ZAP 的机器的地址(很可能是本地主机)和配置的 ZAP 端口填充 HTTP 主机.

Select Manual Proxy Configuration and fill the HTTP Host with the address of the machine running ZAP (most probably localhost) and the configured ZAP port.

您可以检查和配置ZAP端口打开ZAP和访问:

You can check and configure ZAP port opening ZAP and accessing:

工具 -> 选项 -> 本地代理.

Tools -> Options -> Local Proxy.

然后打开您的网络浏览器并登录到您的应用程序.现在转到 ZAP，在站点选项卡(ZAP 的左侧)中，选择您的站点，右键单击它并选择:

Then open your web browser and login to your application. Now go to ZAP, in the Sites tab (left side of ZAP), select your site, right click on it and select:

包含在上下文中 -> 默认上下文

Include in Context -> Default Context

现在打开 HTTP 会话选项卡，右键单击会话并设置为活动".(HTTP 会话选项卡:查看 -> 显示选项卡 -> HTTP 会话)

Now open the HTTP Sessions tab right click on the session and "Set as Active". (HTTP Sessions Tab: View -> Show Tab -> HTTP Sessions)

现在您可以使用登录的会话执行 ZAP Spider、主动扫描等.如果这不是您的情况，请提供有关您的应用程序使用的身份验证方法的更多信息.

Now you can perform ZAP Spider, Active Scan and so with an logged in session. If this is not your scenario, please provide more info about which authentication method your application is using.

希望它仍然可以帮助您或搜索类似问题的人.谢谢，

Hope it still helps you or someone searching for similar questions. Thanks,

这篇关于在 ZAP 工具中添加身份验证以攻击 URL的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！