DAST sets ZAP user and login form
Problem to solve
DAST has custom-built login functionality that allows a user to log in to their website prior to a security scan. ZAP also has login functionality, which DAST does not use.
A disadvantage to using custom login functionality is that certain vulnerability rules are disabled when the user is not set. For example:
- The SessionFixation rule only tests login pages; when the login page is not set, it will not run.
- The UsernameEnumeration rule only tests login pages; when the login page is not set, it will not run.
With the right ZAP configuration, DAST will be able to enable all rules by setting the ZAP username/password/login fields.
Intended users
Proposal
This issue will require some investigation to determine the best approach for setting the ZAP context parameters. In all likelihood, DAST will have to create a ZAP user and use one of the authentication methods, likely manual.
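As an added illustration of what that configuration would involve (example code, not DAST's or ZAP's own), the block below assembles the ZAP JSON API calls that create a context, attach form-based authentication and register a user, so the login-dependent rules above have a login page to test. The API paths and parameter names are ZAP's JSON API endpoints as I know them; the context and user ids are placeholders for values ZAP returns at runtime, and nothing here contacts a ZAP instance.

```python
"""Constructed example: assemble the ordered ZAP JSON API calls that create a
context, attach form-based authentication to it and register a user, so that
ZAP runs its login-aware rules (SessionFixation, UsernameEnumeration) instead
of treating the scan as anonymous. Only builds the requests; nothing is sent."""
from urllib.parse import urlencode

# ZAP substitutes these placeholders in loginRequestData with the user's credentials.
USERNAME_PLACEHOLDER = "{%username%}"
PASSWORD_PLACEHOLDER = "{%password%}"


def form_auth_config(login_url, user_field, pass_field):
    """Value for authMethodConfigParams. ZAP parses it as key=value&key=value,
    so loginUrl and loginRequestData are percent-encoded to keep their own
    '&', '=' and '/' from being split apart."""
    request_data = f"{user_field}={USERNAME_PLACEHOLDER}&{pass_field}={PASSWORD_PLACEHOLDER}"
    return urlencode({"loginUrl": login_url, "loginRequestData": request_data})


def credentials_config(username, password):
    """Value for authCredentialsConfigParams, encoded the same way."""
    return urlencode({"username": username, "password": password})


def build_zap_login_plan(context_name, target_regex, login_url, user_field,
                         pass_field, username, password, logged_in_regex,
                         context_id="CONTEXT_ID", user_id="USER_ID"):
    """Return [(api_path, params), ...] in the order ZAP needs them. context_id
    and user_id are placeholders (assumed) for the ids ZAP returns from
    newContext and newUser; a real client substitutes them before later calls."""
    return [
        ("JSON/context/action/newContext/", {"contextName": context_name}),
        ("JSON/context/action/includeInContext/",
         {"contextName": context_name, "regex": target_regex}),
        ("JSON/authentication/action/setAuthenticationMethod/",
         {"contextId": context_id, "authMethodName": "formBasedAuthentication",
          "authMethodConfigParams": form_auth_config(login_url, user_field, pass_field)}),
        # Without a logged-in indicator ZAP cannot verify that the login succeeded.
        ("JSON/authentication/action/setLoggedInIndicator/",
         {"contextId": context_id, "loggedInIndicatorRegex": logged_in_regex}),
        ("JSON/users/action/newUser/", {"contextId": context_id, "name": username}),
        ("JSON/users/action/setAuthenticationCredentials/",
         {"contextId": context_id, "userId": user_id,
          "authCredentialsConfigParams": credentials_config(username, password)}),
        ("JSON/users/action/setUserEnabled/",
         {"contextId": context_id, "userId": user_id, "enabled": "true"}),
        # Forced-user mode makes every scanner request run as this user.
        ("JSON/forcedUser/action/setForcedUser/",
         {"contextId": context_id, "userId": user_id}),
        ("JSON/forcedUser/action/setForcedUserModeEnabled/", {"boolean": "true"}),
    ]
```

The double encoding of loginRequestData is the usual stumbling block: the outer query string and the inner form body both use '&' and '=', so the inner one must be percent-encoded or ZAP splits it in the wrong place.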