Users
Users are the ZAP representations of the users of a website or web application. They allow certain actions to be performed from the point of view of a user of that application. For each Context, a set of Users can be defined, which can then be used in actions related to that Context. Most commonly, during the various scans, request messages can be sent from the point of view of a User.
The concept of Users is tightly tied to the concepts of Session Management and Authentication. When a User is first used anywhere in ZAP, an authentication is performed (according to the Authentication Method defined for the Context) and a Session is created and configured for this User (according to the Session Management method defined for the Context). After that, requests sent from the point of view of a User are modified (if necessary) and sent in such a way that the web server identifies them as coming from an authenticated user of the website/webapp. If at any time a message is sent from the perspective of a User and the response looks unauthenticated (as identified using the Logged In and Logged Out Authentication indicators), a new authentication is performed and the Session is updated accordingly.
To authenticate a user on a website or in a webapp, the Authentication Method defines how the authentication is done (the process), while the required credentials (the exact identifiers) depend on the user, so in ZAP they are configured in the Users.
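As an added illustration of the flow described above (constructed for this page; it is not ZAP's code nor the page's own): a Context carries the Authentication Method, the Session Management method and the Logged In / Logged Out indicators, a User carries only its credentials, and a request sent as that User authenticates on first use and re-authenticates when a response looks logged out. The in-memory web app, the class and field names, the `JSESSIONID` cookie and the indicator regexes are all assumptions made for the example; the indicator logic is modelled on the documented behaviour, not taken from ZAP's source.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Response:
    status: int
    body: str
    set_cookie: Optional[str] = None


class StubWebApp:
    """Constructed target: a form login issues a session cookie valid for `session_ttl` requests."""

    def __init__(self, accounts: Dict[str, str], session_ttl: int = 3):
        self.accounts = accounts
        self.session_ttl = session_ttl
        self.sessions: Dict[str, dict] = {}
        self._issued = 0

    def handle(self, method: str, path: str, cookie: Optional[str] = None,
               form: Optional[Dict[str, str]] = None) -> Response:
        form = form or {}
        if method == "POST" and path == "/login":
            expected = self.accounts.get(form.get("username", ""))
            if expected is not None and expected == form.get("password"):
                self._issued += 1
                sid = f"sess{self._issued}"
                self.sessions[sid] = {"user": form["username"], "left": self.session_ttl}
                return Response(302, "Redirecting", set_cookie=f"JSESSIONID={sid}")
            return Response(401, "Invalid credentials. <a href='/login'>Login</a>")
        sess = self.sessions.get(cookie or "")
        if sess is None or sess["left"] <= 0:
            return Response(200, "<a href='/login'>Login</a>")  # expired or missing session
        sess["left"] -= 1
        return Response(200, f"Welcome {sess['user']} <a href='/logout'>Logout</a> page {path}")


@dataclass
class Context:
    """Per-Context configuration needed to drive a User (hypothetical field names)."""
    name: str
    login_path: str                          # Authentication Method: where the login form is POSTed
    cookie_name: str                         # Session Management: cookie carrying the session
    logged_in_regex: Optional[str] = None    # Logged In indicator
    logged_out_regex: Optional[str] = None   # Logged Out indicator


@dataclass
class User:
    """A User of a Context: the credentials are per-user, the method is per-Context."""
    name: str
    username: str
    password: str
    session: Optional[str] = None   # created on first use
    auth_count: int = 0


def authenticate(app: StubWebApp, ctx: Context, user: User) -> bool:
    """Run the Context's Authentication Method with this User's credentials and
    (re)configure the User's Session from the cookie the app returns."""
    user.auth_count += 1
    resp = app.handle("POST", ctx.login_path,
                      form={"username": user.username, "password": user.password})
    prefix = ctx.cookie_name + "="
    if resp.set_cookie and resp.set_cookie.startswith(prefix):
        user.session = resp.set_cookie[len(prefix):]
        return True
    user.session = None
    return False


def is_authenticated(ctx: Context, resp: Response) -> bool:
    """Use the indicators to decide whether a response looks authenticated."""
    if ctx.logged_in_regex is None and ctx.logged_out_regex is None:
        return True  # nothing configured: assume authenticated
    if ctx.logged_in_regex and re.search(ctx.logged_in_regex, resp.body):
        return True
    if ctx.logged_out_regex and re.search(ctx.logged_out_regex, resp.body):
        return False
    # Neither matched: a configured but absent Logged In indicator means logged out.
    return ctx.logged_in_regex is None


def send_as_user(app: StubWebApp, ctx: Context, user: User, method: str, path: str,
                 max_reauth: int = 1) -> Response:
    """Send from the User's point of view: authenticate on first use, attach the
    session, and re-authenticate (once by default) if the response looks logged out."""
    if user.session is None and not authenticate(app, ctx, user):
        raise RuntimeError(f"authentication failed for user {user.name!r}")
    resp = app.handle(method, path, cookie=user.session)
    retries = 0
    while not is_authenticated(ctx, resp) and retries < max_reauth:
        retries += 1
        if not authenticate(app, ctx, user):
            raise RuntimeError(f"re-authentication failed for user {user.name!r}")
        resp = app.handle(method, path, cookie=user.session)
    return resp


def demo() -> Dict[str, object]:
    """Two Users in one Context; sessions expire after 3 requests, so alice re-authenticates."""
    app = StubWebApp({"alice": "s3cret", "bob": "hunter2"}, session_ttl=3)
    ctx = Context("Shop", "/login", "JSESSIONID",
                  logged_in_regex=r"href='/logout'", logged_out_regex=r"href='/login'")
    alice = User("alice-user", "alice", "s3cret")
    bob = User("bob-user", "bob", "hunter2")
    alice_pages = [send_as_user(app, ctx, alice, "GET", p).body
                   for p in ["/account", "/orders", "/cart", "/checkout", "/profile"]]
    bob_page = send_as_user(app, ctx, bob, "GET", "/account").body
    return {"alice_auths": alice.auth_count, "alice_pages": alice_pages,
            "bob_auths": bob.auth_count, "bob_page": bob_page}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows alice authenticating twice (once on first use, once when her third-request-old session expires under `/checkout`) while every page still comes back as her, and bob authenticating once with his own credentials under the same Context. In ZAP itself these pieces are set per Context in the Session Properties dialog (Authentication, Session Management and Users panels) or through the `authentication` and `users` API components; a wrong Logged Out indicator, as the model shows, silently turns every scan request into an unauthenticated one.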
See also:
- Session Contexts Dialog: for an overview of the Session Properties
- Youtube tutorial: of the Authentication, Session Management and Users Management features of ZAP (external link: http://youtu.be/cR4gw-cPZOA)
- Authentication Overview: for an overview of Authentication in ZAP
- UI Overview: for an overview of the user interface
- Features: provided by ZAP