Authentication Verification Strategies
ZAP supports multiple Verification Strategies in order to detect when messages correspond to authenticated requests.
Response Message
When this strategy is used then ZAP will use the specified Regex Patterns on every response.
This is typically useful for traditional webapps which return full HTML pages.

Request Message
When this strategy is used then ZAP will use the specified Regex Patterns on every request.
This is typically useful for modern webapps which maintain some session state client side, such as a JWT, which is submitted with every request.

Both Request and Response
When this strategy is used then ZAP will use the specified Regex Patterns on both the request and response of every message.

Poll URL
When this strategy is used then ZAP will poll the specified URL at the given frequency.
Messages will be treated as logged in or logged out based on the last poll request.
The specified Regex Patterns will only be used on the response to the poll request.
This strategy is typically useful for any application for which there is at least one URL that can reliably be used to detect if a user is logged in or out.
All of the strategies use two Regex Patterns (the Logged In and Logged Out Indicators) to tell whether a given message is logged in or not.
You can supply one or both regexes; if you supply neither, the Authentication Strategy will not be used.
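To make the four strategies and the indicator rules concrete, here is an added example that models them in Python. It is not ZAP's own code: it assumes a class name AuthVerifier, a simple precedence (a matching Logged In Indicator wins, then a matching Logged Out Indicator, and if neither matches the result depends on which indicator was configured), and uses constructed HTTP messages rather than real traffic.

```python
import re
from typing import Optional

# Constructed sample messages (not captured from a real application).
REQ_ANON = "GET /account HTTP/1.1\r\nHost: app.example\r\n\r\n"
REQ_JWT = (
    "GET /api/orders HTTP/1.1\r\nHost: app.example\r\n"
    "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.placeholder\r\n\r\n"
)
RESP_LOGGED_IN = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    '<html><body>Welcome back <a href="/logout">Log out</a></body></html>'
)
RESP_LOGGED_OUT = "HTTP/1.1 302 Found\r\nLocation: /login\r\n\r\n"
POLL_OK = 'HTTP/1.1 200 OK\r\n\r\n{"authenticated": true}'
POLL_EXPIRED = 'HTTP/1.1 200 OK\r\n\r\n{"authenticated": false}'


class AuthVerifier:
    """Hypothetical model of ZAP's verification strategies (not ZAP code)."""

    STRATEGIES = ("response", "request", "both", "poll")

    def __init__(self, strategy: str,
                 logged_in_regex: Optional[str] = None,
                 logged_out_regex: Optional[str] = None):
        if strategy not in self.STRATEGIES:
            raise ValueError(f"unknown strategy: {strategy}")
        self.strategy = strategy
        # MULTILINE so ^/$ anchors work on individual header lines.
        self.logged_in = re.compile(logged_in_regex, re.MULTILINE) if logged_in_regex else None
        self.logged_out = re.compile(logged_out_regex, re.MULTILINE) if logged_out_regex else None
        # Poll strategy keeps the state of the most recent poll; None = never polled.
        self.last_poll_state: Optional[bool] = None

    def enabled(self) -> bool:
        """With neither indicator supplied the strategy is not used at all."""
        return self.logged_in is not None or self.logged_out is not None

    def _classify(self, text: str) -> bool:
        """Apply the indicator regexes to one piece of text (assumed precedence)."""
        if self.logged_in and self.logged_in.search(text):
            return True
        if self.logged_out and self.logged_out.search(text):
            return False
        # Neither pattern matched: a configured Logged In Indicator that is
        # absent means logged out; only a Logged Out Indicator configured and
        # absent means logged in.
        return self.logged_in is None

    def record_poll(self, poll_response: str) -> bool:
        """Poll strategy: indicators are applied only to the poll response."""
        self.last_poll_state = self._classify(poll_response)
        return self.last_poll_state

    def is_authenticated(self, request: str, response: str) -> Optional[bool]:
        """Decide whether a request/response pair counts as logged in."""
        if not self.enabled():
            return None
        if self.strategy == "response":
            return self._classify(response)
        if self.strategy == "request":
            return self._classify(request)
        if self.strategy == "both":
            return self._classify(request + "\r\n" + response)
        # "poll": the message itself is never inspected, only the last poll result.
        return self.last_poll_state


if __name__ == "__main__":
    html = AuthVerifier("response", r'href="/logout"', r"^Location: /login")
    print("response strategy:", html.is_authenticated(REQ_ANON, RESP_LOGGED_IN),
          html.is_authenticated(REQ_ANON, RESP_LOGGED_OUT))
    jwt = AuthVerifier("request", r"^Authorization: Bearer \S+")
    print("request strategy:", jwt.is_authenticated(REQ_JWT, RESP_LOGGED_OUT),
          jwt.is_authenticated(REQ_ANON, RESP_LOGGED_IN))
    poll = AuthVerifier("poll", r'"authenticated":\s*true', r'"authenticated":\s*false')
    poll.record_poll(POLL_OK)
    print("poll strategy:", poll.is_authenticated(REQ_ANON, RESP_LOGGED_OUT))
```

Note how the request strategy classifies the JWT request as logged in even though its response redirects to the login page, and the poll strategy ignores message content entirely until the next poll flips the state; that is the trade-off the descriptions above imply, so the indicator chosen for a given application should be one that reliably tracks the session.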
To set one of the Logged In/Out Indicators, either type the regex directly in the Session Context Authentication screen dialog -> Authentication panel -> Logged In/Out Indicator field, or find an authenticated message in the Sites Tree or History tab, select it, open the Response View, select the text you wish to define as the indicator using the mouse, and choose the Flag as Context... Logged in/out indicator right-click menu option.
Configured via
See also