I am trying to learn how to use ZAP and am experiencing an authentication issue.
I am running an Angular website locally (port 4200) that calls a local C# API (port 8080). The API is a Windows application running through IIS. In Chrome I am directing requests using the SwitchySharp proxy to port 8082 (ZAP's port), with "No proxy for: <-loopback>" to allow localhost proxying.
I serve my Angular application and can navigate to it and run it in Chrome without issue. However, in ZAP's history tab I am getting "401 Unauthorized" messages next to any GET requests to my local API server (OPTIONS requests give a 200 response, but have a 0-byte response size?).
In ZAP I have included localhost.* in the context, switched the context's authentication to NTLM (hostname=localhost:80?), added my user/pass to the context's Users, and enabled the "Forced User" icon in the top right toolbar. Spider/Scanning does not return any results, and while browsing works fine, it shows up as 401 in ZAP history messages.
Any idea how I can scan?