
I'm trying to understand how the passive scan works and how I can apply it in my use case.

I have illustrated my setup below: [setup diagram]

The client can authenticate itself against the proxy with basic auth or SAML. All requests are forwarded to the backend service through the proxy. So my question is: let's say the proxy is running on port A and the backend service on port B, and I want to passively scan all requests using OWASP ZAP. Does the ZAP session need to authenticate itself in any way for a passive scan? I understand that the active scan would have to authenticate itself in order to manipulate the application, but I can't really understand whether the passive scan has to do that. Can someone explain this to me?

Thanks in advance


1 Answer


From what I understand from your question, you want to make a passive scan on the above website, but the proxy and the service are on two different ports. So in order for the proxy to forward the request to the service port, port forwarding must be enabled and configured. A passive scan is a request like any user's, so if the port forwarding is enabled you should have no problem; just do it. However, if even a normal user has to authenticate himself, you can intercept the connection using ZAP and edit the header with some username and password or any other type of authentication.

I hope this was helpful.
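The point made in the answer, that a passive scan only observes the traffic the client already sends and therefore needs no credentials of its own, can be seen by running a few passive checks over recorded request/response pairs, the way ZAP's passive rules run over whatever passes through the proxy. The following is an added example, not code from the question, the answer or the ZAP project: the hostnames, ports, cookie names and credentials are constructed, and the three rules (Basic credentials over plain HTTP, missing HSTS, cookie flags) are simplified stand-ins for ZAP's own passive rules.

```python
"""Passive checks over proxied HTTP exchanges (added example, not ZAP code)."""
import base64
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Exchange:
    """One request/response pair as a proxy records it (headers only)."""
    method: str
    url: str
    req_headers: Dict[str, str]
    status: int
    resp_headers: List[Tuple[str, str]]  # list, so repeated Set-Cookie headers survive


@dataclass
class Finding:
    rule: str
    url: str
    detail: str


def _is_https(url: str) -> bool:
    return url.lower().startswith("https://")


def _header(headers: Dict[str, str], name: str) -> str:
    """Case-insensitive header lookup; empty string when absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def check_basic_auth_cleartext(ex: Exchange) -> List[Finding]:
    """Flag Basic credentials the client sent over plain HTTP (the scanner never adds any)."""
    auth = _header(ex.req_headers, "Authorization")
    if not auth.lower().startswith("basic ") or _is_https(ex.url):
        return []
    try:
        decoded = base64.b64decode(auth.split(None, 1)[1]).decode("utf-8", "replace")
        user = decoded.split(":", 1)[0]
    except (ValueError, IndexError):  # binascii.Error is a ValueError subclass
        user = "<undecodable>"
    return [Finding("basic-auth-cleartext", ex.url,
                    f"Basic credentials for user '{user}' sent over plain HTTP")]


def check_hsts(ex: Exchange) -> List[Finding]:
    """HTTPS responses should carry Strict-Transport-Security."""
    if not _is_https(ex.url):
        return []
    if any(k.lower() == "strict-transport-security" for k, _ in ex.resp_headers):
        return []
    return [Finding("missing-hsts", ex.url, "HTTPS response without Strict-Transport-Security")]


def check_cookie_flags(ex: Exchange) -> List[Finding]:
    """Session cookies should be HttpOnly, and Secure when set over HTTPS."""
    out = []
    for key, value in ex.resp_headers:
        if key.lower() != "set-cookie":
            continue
        name = value.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in value.split(";")[1:]}
        missing = []
        if "httponly" not in attrs:
            missing.append("HttpOnly")
        if _is_https(ex.url) and "secure" not in attrs:
            missing.append("Secure")
        if missing:
            out.append(Finding("cookie-flags", ex.url, f"cookie '{name}' missing {', '.join(missing)}"))
    return out


RULES = [check_basic_auth_cleartext, check_hsts, check_cookie_flags]


def passive_scan(exchanges: List[Exchange]) -> List[Finding]:
    """Apply every rule to every recorded exchange; nothing is sent to the target."""
    return [f for ex in exchanges for rule in RULES for f in rule(ex)]


def sample_exchanges() -> List[Exchange]:
    """Constructed traffic: a Basic-auth login over HTTP, a hardened HTTPS app, a lax HTTPS app."""
    cred = base64.b64encode(b"alice:s3cret").decode()  # constructed credential, not real
    return [
        Exchange("GET", "http://proxy.example.test:8080/login", {"Authorization": f"Basic {cred}"},
                 200, [("Set-Cookie", "JSESSIONID=abc123; Path=/")]),
        Exchange("GET", "https://proxy.example.test:8443/app", {"Authorization": f"Basic {cred}"},
                 200, [("Strict-Transport-Security", "max-age=31536000"),
                       ("Set-Cookie", "JSESSIONID=def456; Path=/; Secure; HttpOnly")]),
        Exchange("GET", "https://proxy.example.test:8443/saml", {},
                 200, [("Set-Cookie", "SAMLSESSION=xyz; Path=/")]),
    ]


if __name__ == "__main__":
    for finding in passive_scan(sample_exchanges()):
        print(f"[{finding.rule}] {finding.url}: {finding.detail}")
```

Note that the second exchange is authenticated and still produces no finding: the rules inspect what the client and server exchanged, so authentication is the client's job (a browser or script pointed at ZAP as its proxy), and the scanner itself holds no credentials.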