Why does ZAP set my form values to “ZAP”?


If you have ever wondered why ZAP uses the value ZAP for the parameters of a form POST request, like the one below:

That’s because we haven’t told ZAP what values to use, so it falls back to the default value of ZAP. Take special note that even if you have set up authentication as we did in this post (https://augment1security.com/authentication/dvwa-authentication/), where we already specified the username and password to use for the login form, ZAP will still submit ZAP as the username and password when it encounters that same login form while spidering the website. Submitting the login form as part of spidering is separate from submitting it as part of the authentication process.

To set the correct values for a form, you will need to add an add-on called Form Handler. To do so, open the Manage Add-ons dialog box by clicking on the menu item shown below.

Select the Marketplace tab.

Do a search in the Filter field for Form Handler.

Check the checkbox as shown below and click on the Install Selected button.

After the download has finished, go back to the Installed tab and verify that Form Handler is installed by searching for it in the Filter field.

Now, open the ZAP Options dialog box by clicking on the Options toolbar button:

Search for the Form Handler section.

Add the form fields and the values you need, enable them and click on the OK button.

When you spider your website again, you will see that your form values are set correctly.
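A quick way to confirm that the Form Handler values are actually reaching the server, rather than trusting the ZAP UI, is to look for the literal placeholder ZAP in the application's own request log: any field still carrying that value is one the spider did not have a configured value for. The script below is an added example and is not part of this post or of ZAP itself; it parses a constructed, simplified log format (one request per line: method, target, URL-encoded body or "-") and reports the fields that are still set to the default. The same check, read from the defender's side, identifies an unconfigured ZAP spider in your logs.

```python
"""Flag form submissions that still carry ZAP's default placeholder value.

ZAP fills every form field it has no configured value for with the literal
string "ZAP". Scanning the application's request log for that marker shows
whether the Form Handler values you configured are reaching the server.

The log format below is constructed for this example:
"<method> <path-with-optional-query> <urlencoded-body-or-dash>".
"""
from urllib.parse import parse_qs, urlsplit

ZAP_DEFAULT = "ZAP"

# Constructed sample log: three form POSTs and one GET with a query string.
# The first and third requests were spidered without Form Handler values;
# the second carries values configured for username and password.
SAMPLE_LOG = """\
POST /login.php username=ZAP&password=ZAP&Login=Login
POST /login.php username=admin&password=password&Login=Login
POST /contact name=ZAP&Submit=ZAP
GET /search?q=ZAP&Submit=Submit -
"""


def parse_line(line):
    """Return (method, path, {field: [values]}) for one constructed log line.

    Query-string parameters and body parameters are merged into one dict,
    since the spider may submit a form with either method.
    """
    method, target, body = line.split(" ", 2)
    parts = urlsplit(target)
    fields = parse_qs(parts.query, keep_blank_values=True)
    if body != "-":
        fields.update(parse_qs(body, keep_blank_values=True))
    return method, parts.path, fields


def zap_default_fields(fields):
    """Sorted names of the fields whose every value is the ZAP placeholder."""
    return sorted(
        name
        for name, values in fields.items()
        if values and all(value == ZAP_DEFAULT for value in values)
    )


def find_unconfigured_submissions(log_text):
    """Return [(path, [field names still set to 'ZAP'])] for each hit."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _method, path, fields = parse_line(line)
        defaults = zap_default_fields(fields)
        if defaults:
            hits.append((path, defaults))
    return hits


if __name__ == "__main__":
    for path, names in find_unconfigured_submissions(SAMPLE_LOG):
        print(f"{path}: still using the ZAP default for {', '.join(names)}")
```

Run against the constructed log, the login form on the first line and the contact and search forms are reported, while the second login request (with configured username and password values) is not. Point the function at your real application log once you have adapted `parse_line` to that log's format; submit-button values such as `Submit=Submit` are left alone because only fields whose value is exactly `ZAP` are counted.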
