ZAP Authentication Report – Field Documentation
1. auth_summary
Summarizes authentication detection results. Each item contains:
{
"description": "...",
"passed": true|false,
"key": "..."
}
Fields
| Field | Meaning |
|---|---|
| description | Human-readable explanation of the check |
| passed | Whether the check succeeded |
| key | Unique identifier for the check |
2. auth.summary.auth
Indicates whether ZAP successfully verified that authentication works.
Example
{
"description": "Authentication failed",
"passed": false,
"key": "auth.summary.auth"
}
Interpretation
| Value | Meaning |
|---|---|
| true | Authentication confirmed working |
| false | Could not verify authentication |
Important:
false does not always mean wrong credentials. It can also mean that the login request was sent but the follow-up verification failed, for example because:
- The session was lost or expired before verification ran
- The logged-in/logged-out verification regex did not match the response
- The verification URL was incorrect or outside the context
3. auth.summary.session
Indicates whether ZAP detected a session mechanism such as cookies, headers, or tokens.
Example
{
"description": "Session Handling identified",
"passed": true,
"key": "auth.summary.session"
}
Interpretation
| Value | Meaning |
|---|---|
| true | Session token/cookie detected |
| false | No session handling detected |
Typical mechanisms:
| Mechanism | Example |
|---|---|
| Cookie session | PHPSESSID |
| Header token | Authorization |
| JWT | Bearer token |
| Framework cookie | JSESSIONID |
4. auth.summary.verif
Indicates whether ZAP identified a method to verify authentication state.
Example
{
"description": "Verification URL identified",
"passed": true,
"key": "auth.summary.verif"
}
Interpretation
| Value | Meaning |
|---|---|
| true | Verification method identified |
| false | Could not determine how to verify login |
Important Clarification:
passed: true does not guarantee verification success. It only confirms that ZAP found a URL/method to verify login. Actual verification success is reflected in auth.summary.auth.
5. auth.summary.username & auth.summary.password
Indicates that ZAP detected the username and password fields in the login request.
Detection examples
| Parameter | Typical usage |
|---|---|
| username | username=admin |
| email | email=user@test.com |
| password | password=123 |
| pwd | pwd=123 |
6. Authentication Statistics (stats.auth.*)
These metrics describe authentication behavior during the scan.
| Metric | Meaning |
|---|---|
| stats.auth.success | Number of successful login attempts |
| stats.auth.failure | Number of failed login attempts |
| stats.auth.sessiontoken.* | Number of session tokens detected, one counter per token type |
| stats.auth.session.set.header | Number of requests with injected session headers |
| stats.auth.state.loggedin | Requests confirmed as logged-in |
| stats.auth.state.loggedout | Requests confirmed as logged-out |
| stats.auth.sessiontokens.max | Maximum number of unique session tokens detected |
| stats.auth.detect.auth.* | Number of detected login requests (JSON or form) |
| stats.auth.detect.session.* | Number of times session identifiers were detected |
7. Authentication Outcome Classification
| Outcome | Indicators | Meaning |
|---|---|---|
| Authentication Success | stats.auth.success > 0, stats.auth.state.loggedin > 0, auth.summary.auth = true | Authentication confirmed working and logged-in requests observed |
| Verification Failure | auth.summary.verif = true, auth.summary.auth = false, stats.auth.sessiontoken.* > 0 | Login likely succeeded, but verification failed (e.g., SPA frontend did not return the expected regex match) |
| Wrong Credentials | stats.auth.failure > 0, stats.auth.sessiontoken.* = 0, auth.summary.auth = false | Login request failed; credentials may be incorrect |
| Session Handling Failure | auth.summary.session = false | No session mechanism detected; login cannot persist |
8. Verification Methods – When to Use
| Method | Use Case / Notes |
|---|---|
| Browser | Use for full frontend login flows (SPA, JS-heavy apps). Must have the frontend URL as the primary host. If backend API is different domain, use pollUrl. |
| JSON | Use when login endpoint returns JSON response (API login). Can specify response verification type. Works best if backend URL is known. |
| Form-based HTML | Use for standard HTML login forms (username/password form). ZAP parses login request & parameters. |
SPA / Multi-domain Considerations
- Autodetect often fails for SPAs, with both the browser and JSON methods.
- Always specify pollUrl when backend verification is required.
- The backend domain cannot be the primary host when using browser-based login; the frontend URL must be primary.
- A context can include multiple hosts, but authentication reporting is based on the first host.
- If the backend API is in a different domain:
  - Verification may fail if that domain is not in the context.
  - Explicitly set pollUrl to a backend endpoint that confirms authentication.
9. Key Metrics for Pipelines
For CI/CD and automation, track these metrics:
- auth.summary.auth
- auth.summary.verif
- stats.auth.success
- stats.auth.failure
- stats.auth.sessiontoken.*
- stats.auth.state.loggedin
- stats.auth.state.loggedout
- stats.auth.session.set.header
These allow reliable classification of authentication status and verification outcome.
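The outcome classes of section 7 and the pipeline metrics of section 9 can be applied mechanically in a CI/CD step. The script below is an added example and is not part of ZAP or of any official report tooling. It assumes the report is a JSON document with a top-level "auth_summary" list of {description, passed, key} items and a flat "stats" map of counters (adjust parse_report if your report is laid out differently), sums the stats.auth.sessiontoken.* family because the report emits one counter per token type, and applies a precedence between the classes (confirmed success first, then session handling failure, then the two login-failure classes) that is a choice made here rather than a rule stated by this documentation. The embedded sample report is constructed to model the verification-failure case.

```python
"""Classify a ZAP authentication report for CI/CD (added example, not ZAP code)."""
import json
import sys
from typing import Any, Dict

# Outcome labels, one per class in section 7 plus a catch-all.
SUCCESS = "authentication_success"
VERIFICATION_FAILURE = "verification_failure"
WRONG_CREDENTIALS = "wrong_credentials"
SESSION_FAILURE = "session_handling_failure"
UNDETERMINED = "undetermined"

# Section 9 metrics; sessiontoken.* is a wildcard family (one counter per token type).
PIPELINE_METRICS = (
    "auth.summary.auth",
    "auth.summary.verif",
    "stats.auth.success",
    "stats.auth.failure",
    "stats.auth.sessiontoken.*",
    "stats.auth.state.loggedin",
    "stats.auth.state.loggedout",
    "stats.auth.session.set.header",
)

# Constructed sample, not real ZAP output. It models the section 7 "verification
# failure" case: a session token was seen and a verification URL was found, but
# the logged-in state was never confirmed. The top-level layout (an "auth_summary"
# list plus a flat "stats" map) is an assumption about the report format.
SAMPLE_REPORT_JSON = """
{
  "auth_summary": [
    {"description": "Authentication failed", "passed": false, "key": "auth.summary.auth"},
    {"description": "Session Handling identified", "passed": true, "key": "auth.summary.session"},
    {"description": "Verification URL identified", "passed": true, "key": "auth.summary.verif"},
    {"description": "Username field identified", "passed": true, "key": "auth.summary.username"},
    {"description": "Password field identified", "passed": true, "key": "auth.summary.password"}
  ],
  "stats": {
    "stats.auth.success": 1,
    "stats.auth.failure": 0,
    "stats.auth.sessiontoken.header": 1,
    "stats.auth.state.loggedin": 0,
    "stats.auth.state.loggedout": 4
  }
}
"""


def parse_report(text: str) -> Dict[str, Any]:
    """Parse the JSON report and index the auth_summary checks by key."""
    raw = json.loads(text)
    summary = {item["key"]: bool(item["passed"]) for item in raw.get("auth_summary", [])}
    stats = {key: int(value) for key, value in raw.get("stats", {}).items()}
    return {"summary": summary, "stats": stats}


def flag(report: Dict[str, Any], key: str) -> bool:
    """Value of an auth.summary.* check; a missing check counts as not passed."""
    return report["summary"].get(key, False)


def stat(report: Dict[str, Any], key: str) -> int:
    """Value of a stats.auth.* counter; a '.*' suffix sums the whole family."""
    stats = report["stats"]
    if key.endswith(".*"):
        prefix = key[:-1]  # 'stats.auth.sessiontoken.*' -> 'stats.auth.sessiontoken.'
        return sum(value for name, value in stats.items() if name.startswith(prefix))
    return stats.get(key, 0)


def classify(report: Dict[str, Any]) -> str:
    """Apply the section 7 indicator sets; precedence is this script's own choice."""
    auth_ok = flag(report, "auth.summary.auth")
    tokens = stat(report, "stats.auth.sessiontoken.*")
    if (auth_ok and stat(report, "stats.auth.success") > 0
            and stat(report, "stats.auth.state.loggedin") > 0):
        return SUCCESS
    if not flag(report, "auth.summary.session"):
        return SESSION_FAILURE
    if not auth_ok and flag(report, "auth.summary.verif") and tokens > 0:
        return VERIFICATION_FAILURE
    if not auth_ok and stat(report, "stats.auth.failure") > 0 and tokens == 0:
        return WRONG_CREDENTIALS
    return UNDETERMINED


def pipeline_metrics(report: Dict[str, Any]) -> Dict[str, Any]:
    """Collect the section 9 metrics plus the derived outcome label."""
    metrics: Dict[str, Any] = {}
    for key in PIPELINE_METRICS:
        metrics[key] = flag(report, key) if key.startswith("auth.summary.") else stat(report, key)
    metrics["outcome"] = classify(report)
    return metrics


def main(argv) -> int:
    """Usage: python this_script.py [report.json]; exit 0 only on confirmed success."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_REPORT_JSON  # fall back to the constructed sample
    metrics = pipeline_metrics(parse_report(text))
    print(json.dumps(metrics, indent=2))
    return 0 if metrics["outcome"] == SUCCESS else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run with the path to the report as the only argument; the non-zero exit on anything other than confirmed success is deliberate, since a scan that never reached a logged-in state produces findings that cover only the unauthenticated surface. Note that the sample counts one stats.auth.success but still classifies as a verification failure: per section 7, the success counter alone is not enough without auth.summary.auth = true and logged-in requests.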