You must specify the site you want the report for, otherwise no data will be generated.
This report is designed to be run after attempting to access at least one authenticated URL with the
authentication method set up correctly and with valid credentials.
Session Handling and Verification can be left as "autodetect"; this report will detail how effective that autodetection was.

| Section | ID |
|---|---|
| Summary | summary |
| Automation Framework Environment | afenv |
| Statistics | statistics |
| Domains | domains |
| Domains Partially Out of Scope | domainspartiallyoutofscope |
| Domains Out of Scope | domainsoutofscope |
| Diagnostics | diagnostics |
| Automation Framework Plan for Diagnostics | diagnosticsafplan |
| HTTP Messages for Diagnostics | diagnosticsmessages |
| Local Storage for Diagnostics | diagnosticslocalstorage |
| Screenshots for Diagnostics | diagnosticsscreenshots |
| Session Storage for Diagnostics | diagnosticssessionstorage |
| Web Elements for Diagnostics | diagnosticswebelements |
| ZAP Log File for Diagnostics | diagnosticslogfile |

| Key | Passed | Description |
|---|---|---|
| auth.summary.auth | false | Authentication failed |
| auth.summary.auth | true | Authentication appeared to work |
| auth.summary.password | false | Password field not identified |
| auth.summary.password | true | Password field identified |
| auth.summary.session | false | Session Handling not identified |
| auth.summary.session | true | Session Handling identified |
| auth.summary.username | false | Username field not identified |
| auth.summary.username | true | Username field identified |
| auth.summary.verif | false | Verification URL not identified |
| auth.summary.verif | true | Verification URL identified |

| Key | Description |
|---|---|
| auth.failure.overall | All authentication elements passed yet authentication was deemed a failure in the end. |
| auth.failure.pass_count | No successful browser logins. |
| auth.failure.session_mgmt | Failed to identify session management. |
| auth.failure.logged_in | No indication found of being logged in. |
| auth.failure.login_failures | One or more failed logins. |
| auth.failure.no_successful_logins | No successful browser logins. |
| auth.failure.verif_ident | Failed to identify verification URL. |
| auth.failure.af_plan_errors | There were Automation Framework plan errors. |
If you have set the Session Management or Verification to "autodetect" and ZAP successfully detected them, then the environment will have been updated with the values that ZAP detected.

```json
"domains": [ "https://www.example.org", "https://api.example.org" ]
```
https://www.example.org/frontend/) and other resources were also accessed (e.g. https://www.example.org/backend/).
```json
"domainsPartiallyOutOfScope": [ "https://www.example.org" ]
```

```json
"domainsOutOfScope": [ "https://api.example.org" ]
```
Diagnostic data can also be recorded with the Authentication Tester Dialog.
The report will contain an array of diagnostic objects, one for each recorded authentication attempt. Each diagnostic object has the authentication method used, the name of the context and of the user, the script (when Client Script Authentication is used), the Automation Framework plan, and each step performed during the authentication.

```json
"diagnostics": [
  {
    "created": "0000-00-00T00:00:00.000000Z",
    "authenticationMethod": "Browser-based Authentication",
    "context": "Context Name",
    "user": "User Name",
    "script": "Script used by Client Script Authentication",
    "steps": [
      { … }
    ]
  }
]
```
Each step has at least the URL and the description; optionally it can also contain the input element that is being acted upon (e.g. the username field being filled).

```json
{
  "created": "0000-00-00T00:00:00.000000Z",
  "url": "http://example.com/login/",
  "description": "Auto Fill Username",
  "webElement": {
    "selector": {"type": "CSS", "value": "body > div > span > input"},
    "formIndex": 1,
    "attributeType": "text",
    "attributeId": "email",
    "attributeName": "email",
    "attributeValue": "",
    "text": "",
    "displayed": true,
    "enabled": true
  }
  …
}
```
More data can be included in each step depending on the additional diagnostics sections enabled for the report.
The selector can be of type CSS or XPATH with the value containing the respective selector.
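As an added example, which is not part of the ZAP documentation or of ZAP's own code, the following Python walks a diagnostics array in the shape described above: it flattens every attempt's steps into a timeline keyed by the `created` timestamp, and flags steps whose selector type is not CSS or XPATH, whose selector value is empty, or whose target element was not displayed or enabled (a hidden or disabled field is the first thing to look at when a fill step did not work). The `SAMPLE_DIAGNOSTICS` data is constructed to match the documented structure, and the function names are my own assumptions.

```python
import json

# Constructed sample in the documented diagnostics shape (not real ZAP output).
SAMPLE_DIAGNOSTICS = json.loads(r'''
[
  {
    "created": "2025-02-10T17:27:20.000000Z",
    "authenticationMethod": "Browser-based Authentication",
    "context": "example",
    "user": "test",
    "steps": [
      {"created": "2025-02-10T17:27:21.000000Z", "url": "http://example.com/login/",
       "description": "Auto Fill Username",
       "webElement": {"selector": {"type": "CSS", "value": "body > div > span > input"},
                      "formIndex": 1, "attributeType": "text", "attributeId": "email",
                      "attributeName": "email", "attributeValue": "", "text": "",
                      "displayed": true, "enabled": true}},
      {"created": "2025-02-10T17:27:21.500000Z", "url": "http://example.com/login/",
       "description": "Auto Fill Password",
       "webElement": {"selector": {"type": "XPATH", "value": "/html/body/div/input[4]"},
                      "formIndex": 1, "attributeType": "password", "attributeId": "pass",
                      "attributeName": "pass", "attributeValue": "", "text": "",
                      "displayed": true, "enabled": false}},
      {"created": "2025-02-10T17:27:22.000000Z", "url": "http://example.com/login/",
       "description": "Click Login Button"}
    ]
  }
]
''')

# The two selector types the report documents.
VALID_SELECTOR_TYPES = {"CSS", "XPATH"}


def validate_step(step):
    """Return a list of problems found in one diagnostic step (empty list means fine)."""
    problems = []
    for required in ("created", "url", "description"):
        if required not in step:
            problems.append(f"missing {required}")
    element = step.get("webElement")
    if element is not None:
        sel = element.get("selector", {})
        if sel.get("type") not in VALID_SELECTOR_TYPES:
            problems.append(f"unknown selector type {sel.get('type')!r}")
        if not sel.get("value"):
            problems.append("empty selector value")
        # A target field that was hidden or disabled explains many failed fill steps.
        if not element.get("displayed", True) or not element.get("enabled", True):
            problems.append("target element not displayed/enabled")
    return problems


def step_timeline(diagnostics):
    """Flatten all attempts into (context, user, created, description, target) rows.

    target is "TYPE:selector" when the step acted on a web element, else None.
    """
    rows = []
    for attempt in diagnostics:
        for step in attempt.get("steps", []):
            sel = step.get("webElement", {}).get("selector")
            target = f"{sel['type']}:{sel['value']}" if sel else None
            rows.append((attempt["context"], attempt["user"], step["created"],
                         step["description"], target))
    return sorted(rows, key=lambda r: r[2])


def problems_by_step(diagnostics):
    """Map "context/user/description" to the problems found for that step."""
    out = {}
    for attempt in diagnostics:
        for step in attempt.get("steps", []):
            probs = validate_step(step)
            if probs:
                out[f"{attempt['context']}/{attempt['user']}/{step['description']}"] = probs
    return out


if __name__ == "__main__":
    for row in step_timeline(SAMPLE_DIAGNOSTICS):
        print(row)
    print(problems_by_step(SAMPLE_DIAGNOSTICS))
```

To run it against a real report, replace `SAMPLE_DIAGNOSTICS` with `json.load(open(path))["diagnostics"]`; steps without a `webElement` (such as a button click) appear in the timeline with a `None` target and are never flagged by the element checks.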
```json
"diagnostics": [
  {
    …
    "afPlan": "Content Automation Framework Plan",
    …
  }
]
```
```json
"messages": [
  {
    "created": "0000-00-00T00:00:00.000000Z",
    "requestHeader": "GET http://example.com/login HTTP/1.1",
    "requestBody": "",
    "responseHeader": "HTTP/1.1 200 OK",
    "responseBody": ""
  }
]
```
```json
"localStorage": [
  {
    "created": "0000-00-00T00:00:00.000000Z",
    "key": "key",
    "value": "value"
  }
]
```

```json
"screenshot": "…"
```
```json
"sessionStorage": [
  {
    "created": "0000-00-00T00:00:00.000000Z",
    "key": "key",
    "value": "value"
  }
]
```
```json
"webElements": [
  {
    "selector": {"type": "XPATH", "value": "\/html\/body\/div\/input[4]"},
    "formIndex": 0,
    "attributeType": "text",
    "attributeId": "id",
    "attributeName": "name",
    "attributeValue": "",
    "text": "",
    "displayed": true,
    "enabled": true
  }
]
```

```json
"logFile": "Log file content..."
```
```json
{
  "@programName": "ZAP",
  "@version": "Dev Build",
  "@generated": "Mon, 10 Feb 2025 17:27:23",
  "site": "http:\/\/localhost:9091",
  "summaryItems": [
    {
      "description": "Authentication appeared to work",
      "passed": true,
      "key": "auth.summary.auth"
    },
    {
      "description": "Username field identified",
      "passed": true,
      "key": "auth.summary.username"
    },
    {
      "description": "Password field identified",
      "passed": true,
      "key": "auth.summary.password"
    },
    {
      "description": "Session Handling identified",
      "passed": true,
      "key": "auth.summary.session"
    },
    {
      "description": "Verification URL identified",
      "passed": true,
      "key": "auth.summary.verif"
    }
  ],
  "failureReasons": [
    {
      "key": "auth.failure.no_successful_logins",
      "description": "No successful logins."
    }
  ],
  "afEnv": "env:\n contexts:\n - name: simple-json-bearer-cookie\n urls:\n - http:\/\/localhost:9091\/auth\/simple-json-bearer-cookie\n includePaths:\n - http:\/\/localhost:9091\/auth\/simple-json-bearer-cookie.*\n authentication:\n method: browser\n parameters:\n loginPageUrl: http:\/\/localhost:9091\/auth\/simple-json-bearer-cookie\/\n loginPageWait: 5\n browserId: firefox-headless\n steps: []\n verification:\n method: poll\n loggedInRegex: \\Q 200 OK\\E\n loggedOutRegex: \\Q 403 Forbidden\\E\n pollFrequency: 0\n pollUnits: seconds\n pollUrl: http:\/\/localhost:9091\/auth\/simple-json-bearer-cookie\/user\n pollPostData: \"\"\n sessionManagement:\n method: headers\n parameters:\n Authorization: \"Bearer {%json:accesstoken%}\"\n Cookie: \"token={%json:accesstoken%}\"\n technology: {}\n structure: {}\n users:\n - name: test\n credentials:\n password: password123\n username: test@test.com\n parameters: {}\n",
  "statistics": [
    {
      "key": "stats.auth.browser.foundfields",
      "scope": "site",
      "site": "https://www.example.org",
      "value": 1
    },
    {
      "key": "stats.auth.browser.passed",
      "scope": "site",
      "site": "https://www.example.org",
      "value": 1
    },
    {
      "key": "stats.auth.configure.session.header",
      "scope": "global",
      "value": 1
    },
    {
      "key": "stats.auth.configure.verification",
      "scope": "global",
      "value": 1
    },
    {
      "key": "stats.auth.detect.auth.json",
      "scope": "global",
      "value": 5
    },
    {
      "key": "stats.auth.detect.session.accesstoken",
      "scope": "global",
      "value": 5
    },
    {
      "key": "stats.auth.detect.session.authorization",
      "scope": "global",
      "value": 1
    },
    {
      "key": "stats.auth.detect.session.token",
      "scope": "global",
      "value": 7
    },
    {
      "key": "stats.auth.session.set.header",
      "scope": "global",
      "value": 20
    },
    {
      "key": "stats.auth.sessiontoken.accesstoken",
      "scope": "site",
      "site": "https://www.example.org",
      "value": 9
    },
    {
      "key": "stats.auth.sessiontoken.token",
      "scope": "site",
      "site": "https://www.example.org",
      "value": 6
    },
    {
      "key": "stats.auth.sessiontokens.max",
      "scope": "global",
      "value": 2
    },
    {
      "key": "stats.auth.state.loggedin",
      "scope": "site",
      "site": "https://www.example.org",
      "value": 2
    },
    {
      "key": "stats.auth.success",
      "scope": "site",
      "site": "https://www.example.org",
      "value": 1
    }
  ]
}
```
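As an added example (not ZAP's own code), the following Python reads a report of the shape shown above and turns it into something a pipeline can act on: the summary items keyed by the `auth.summary.*` keys from the summary table, the failure reason keys, and the statistics grouped by scope (global ones under `"global"`, site ones under their site URL). The embedded `SAMPLE_REPORT` is a trimmed, constructed copy of the sample report above with the site statistics' `"site"` key spelled correctly; the function names are my own. Note that in this sample every summary item passed yet a failure reason is still present, which is the situation the failure-reason table warns about (all elements passed, authentication still deemed a failure), so a gate that only looks at `summaryItems` would wrongly report success.

```python
import json

# Constructed sample: a trimmed copy of the report shown on this page.
SAMPLE_REPORT = json.loads(r'''
{
  "@programName": "ZAP",
  "@version": "Dev Build",
  "@generated": "Mon, 10 Feb 2025 17:27:23",
  "site": "http://localhost:9091",
  "summaryItems": [
    {"description": "Authentication appeared to work", "passed": true, "key": "auth.summary.auth"},
    {"description": "Username field identified", "passed": true, "key": "auth.summary.username"},
    {"description": "Password field identified", "passed": true, "key": "auth.summary.password"},
    {"description": "Session Handling identified", "passed": true, "key": "auth.summary.session"},
    {"description": "Verification URL identified", "passed": true, "key": "auth.summary.verif"}
  ],
  "failureReasons": [
    {"key": "auth.failure.no_successful_logins", "description": "No successful logins."}
  ],
  "statistics": [
    {"key": "stats.auth.browser.foundfields", "scope": "site", "site": "https://www.example.org", "value": 1},
    {"key": "stats.auth.detect.session.token", "scope": "global", "value": 7},
    {"key": "stats.auth.sessiontoken.accesstoken", "scope": "site", "site": "https://www.example.org", "value": 9},
    {"key": "stats.auth.success", "scope": "site", "site": "https://www.example.org", "value": 1}
  ]
}
''')

# Summary keys documented for this report; anything else is treated as unknown.
KNOWN_SUMMARY_KEYS = {
    "auth.summary.auth", "auth.summary.username", "auth.summary.password",
    "auth.summary.session", "auth.summary.verif",
}


def load_report(path):
    """Load a report written with this template from disk."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def summary_status(report):
    """Return {key: passed} for every summary item, rejecting keys this page does not document."""
    status = {}
    for item in report.get("summaryItems", []):
        key = item["key"]
        if key not in KNOWN_SUMMARY_KEYS:
            raise ValueError(f"unexpected summary key: {key}")
        status[key] = bool(item["passed"])
    return status


def failure_keys(report):
    """The auth.failure.* keys recorded for this report (empty when none)."""
    return [reason["key"] for reason in report.get("failureReasons", [])]


def stats_by_scope(report):
    """Group statistics: global ones under "global", site ones under their site URL."""
    grouped = {}
    for stat in report.get("statistics", []):
        bucket = "global" if stat["scope"] == "global" else stat["site"]
        grouped.setdefault(bucket, {})[stat["key"]] = stat["value"]
    return grouped


def authentication_ok(report):
    """CI-style gate: every documented summary item passed AND no failure reason was recorded."""
    status = summary_status(report)
    all_passed = all(status.get(key, False) for key in KNOWN_SUMMARY_KEYS)
    return all_passed and not failure_keys(report)


if __name__ == "__main__":
    print("summary:", summary_status(SAMPLE_REPORT))
    print("failures:", failure_keys(SAMPLE_REPORT))
    print("stats:", json.dumps(stats_by_scope(SAMPLE_REPORT), indent=2))
    print("authentication ok:", authentication_ok(SAMPLE_REPORT))
```

`authentication_ok` deliberately requires both conditions, because the summary table and the failure-reason table describe independent things: a missing summary key counts as not passed, and any entry in `failureReasons` fails the gate even when all five summary items are true.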