I have a local website hosted on IIS and I am trying to scan my application with the ZAP tool executed in daemon mode. Everything works fine until I disable the "Anonymous Authentication" method in IIS, so that the only method enabled is "Basic Authentication". The error I get is "Failed to attack the URL: received a 401 response code".
Is there any possibility to send the login credentials from daemon mode?
The command looks like this: zap.bat -quickurl "urlToTest" -quickprogress -daemon -cmd.

The -cmd option puts ZAP into commandline / inline mode. Use the -daemon mode to put ZAP into daemon mode, at which point you'll need to use the ZAP API to interact with it.

To handle authentication you will have to add your application to a Context and then specify the authentication. We have a FAQ for Form Based authentication: https://github.com/zaproxy/zaproxy/wiki/FAQformauth

You'll need to do something similar but specify 'HTTP/NTLM Authentication': https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsAuthentication

I'd recommend testing this using the ZAP UI first - you can also then export to Context to reuse in daemon mode.

Any problems, then it's probably best to head over to the ZAP User Group: http://groups.google.com/group/zaproxy-users

Simon (ZAP Project Lead)
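
The Context setup described in the answer above, driven through the ZAP JSON API of a running daemon; this is an added example, not code from the original thread or from the ZAP project. The daemon address, the environment variable names, and the context, user and realm values are assumptions, and the credentials are read from the environment so they do not appear on a command line.

```python
import json
import os
import urllib.parse
import urllib.request

ZAP = os.environ.get("ZAP_URL", "http://127.0.0.1:8080")  # assumed daemon address


def zap_call(component, action, params):
    """Invoke one ZAP JSON API action and return the decoded response."""
    query = dict(params, apikey=os.environ["ZAP_API_KEY"])  # assumed variable name
    url = f"{ZAP}/JSON/{component}/action/{action}/?" + urllib.parse.urlencode(query)
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp)


def config_params(**kv):
    """ZAP takes method and credential settings as a nested, URL-encoded string."""
    return urllib.parse.urlencode(kv, quote_via=urllib.parse.quote)


def configure_http_auth(call, name, site_regex, host, port, realm, user, password):
    """Create a Context with HTTP authentication and force its user on all requests."""
    ctx = call("context", "newContext", {"contextName": name})["contextId"]
    call("context", "includeInContext", {"contextName": name, "regex": site_regex})
    call("authentication", "setAuthenticationMethod", {
        "contextId": ctx,
        "authMethodName": "httpAuthentication",
        "authMethodConfigParams": config_params(hostname=host, realm=realm, port=port),
    })
    uid = call("users", "newUser", {"contextId": ctx, "name": user})["userId"]
    call("users", "setAuthenticationCredentials", {
        "contextId": ctx, "userId": uid,
        "authCredentialsConfigParams": config_params(username=user, password=password),
    })
    call("users", "setUserEnabled", {"contextId": ctx, "userId": uid, "enabled": "true"})
    # Forced user mode makes ZAP send these credentials with every request it issues.
    call("forcedUser", "setForcedUser", {"contextId": ctx, "userId": uid})
    call("forcedUser", "setForcedUserModeEnabled", {"boolean": "true"})
    return ctx, uid


if __name__ == "__main__":
    # Constructed values for a local IIS site; the realm must match what IIS advertises.
    configure_http_auth(zap_call, "iis-local", r"http://localhost/.*", "localhost", 80,
                        "localhost", "scanuser", os.environ["ZAP_SCAN_PASSWORD"])
```

The `call` argument is injectable so the sequence can be checked without a running daemon; pass `zap_call` for real use.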