[Owasp-leaders] ZAP Automated authentication detection and configuration

psiinon psiinon at gmail.com
Wed May 9 08:35:33 UTC 2018

Leaders - please see the email below sent to the ZAP Developers Group.

Kajan is working on making authentication handling better in ZAP for the
Google Summer of Code.
An important aspect of this is coming up with a comprehensive list of
authentication schemes - there's a link to the doc Kajan is working on below.
ZAP is very flexible and can probably handle most if not all of these
schemes, but we know that configuring it to do so is painful and error
Building this list will help us understand the scope of the problem and
allow Kajan to focus on more generic solutions that support a wide range of
So please have a look at the doc and add suggestions for anything you spot
that's missing or incorrect.

We know that getting ZAP to handle authentication can be difficult - this
is your chance to help us make it much less painful :)

One of the reasons we asked Kajan to write this doc is that we couldn't find
a comprehensive list of authentication schemes on the internet.
If we've missed such a list then please let us know. If not then how would
you feel about us migrating the doc to the OWASP wiki once it has had some
more feedback? I think it would be a valuable addition :)

Many thanks,


---------- Forwarded message ----------
From: Kajan Mohanagandhirasa <kajan.14 at cse.mrt.ac.lk>
Date: Sun, May 6, 2018 at 7:39 AM
Subject: [zaproxy-develop] Automated authentication detection and
To: OWASP ZAP Developer Group <zaproxy-develop at googlegroups.com>

Hi, I am Kajan from the University of Moratuwa, Sri Lanka.
It is my pleasure to meet you all again with good news.
I am working on "Automated authentication detection and configuration"[1]
as my GSoC project.
I will be updating my blog[2] weekly with my progress and other useful
information related to this project.
To automate the task for as many sorts of web apps as possible, I am
maintaining a list of different authentication schemes here[3].
I want your help in prioritizing the most used and important authentication
In addition to that, please help me to extend this list by sharing your
Of course, I will not be able to address all schemes within the GSoC
period. But now I am part of a great community and will remain the same
after GSoC. So feel free to suggest even if a small portion of web apps are
using such an authentication scheme. I want to build a comprehensive list.
This will not only help me to identify my future works but also to
implement in a way such that other schemes can be easily ported.
I am not an expert in anything. I am willing to hear your thoughts
regarding this project. That will help me a lot.

Thanks in advance :) and happy coding.

[1] https://github.com/zaproxy/zaproxy/issues/4105
[2] https://kajanm.github.io/gsoc.html
[3] https://docs.google.com/document/d/1LSg8CMb4LI5yP-



OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
