ZAP Ajax spider authentication not working using ZEST

Question

Followed following steps: 1. Record ZEST script (tested to be working) 2. Include site in context 3. Add user 4. Select forced user 5. Upload script and select script based authentication 6. Define logout indicator 7. Exclude logout from spider 8. Run Ajax spider selecting context and user

What did I miss?

Answer 1

We detail some ways to diagnose authentication issues here: https://github.com/zaproxy/zaproxy/wiki/FAQformauth :

If the "Forced User Mode disabled - click to enable" button is not enabled then you have not configured enough information for ZAP to authenticate - double check that you have performed all of the above steps.

If you have enable forced user mode and are still not logged in when you access your application then look at the requests in the History tab:

• If there is no login request then you have probably not chosen a suitable "logged in/out" indicator, try changing it and trying again
• If there is a login request then look at the requests and response and see if you can work out why the login failed - you may need to change the request or even make multiple requests

If you need to make multiple requests to login then the best option is to record a Zest authentication script and to test this in isolation first.

Answer 2

I realized it's a bug with the technique in which I was creating the ZEST script. If we start the recording directly, and select authentication script, it does not automatically populate all parameters and login url option. Scripts --> New script --> Authentication --> Create new script and save --> Now start recording makes it work. Also, need to Edit --> Enable Session tracking to help make it persistent.