zaproxy · thc202 · Nov 27, 2025
diff --git a/addOns/authhelper/CHANGELOG.md b/addOns/authhelper/CHANGELOG.md
@@ -14,6 +14,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 ### Fixed
 - Do not include known authentication providers in context.
+- Ensure all domains accessed during authentication are included in the Authentication Report.
 
 ## [0.32.0] - 2025-11-07
 ### Changed

diff --git a/addOns/authhelper/src/main/java/org/zaproxy/addon/authhelper/AuthenticationDiagnostics.java b/addOns/authhelper/src/main/java/org/zaproxy/addon/authhelper/AuthenticationDiagnostics.java
@@ -29,6 +29,7 @@
 import java.util.function.Supplier;
 import javax.jdo.PersistenceManager;
 import javax.jdo.Transaction;
+import org.apache.commons.httpclient.URIException;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 import org.openqa.selenium.By;
@@ -55,6 +56,7 @@
 import org.zaproxy.addon.authhelper.internal.db.DiagnosticWebElement.SelectorType;
 import org.zaproxy.addon.authhelper.internal.db.TableJdo;
 import org.zaproxy.zap.extension.zest.ZestZapUtils;
+import org.zaproxy.zap.model.SessionStructure;
 import org.zaproxy.zap.network.HttpSenderListener;
 import org.zaproxy.zest.core.v1.ZestClientElement;
 import org.zaproxy.zest.core.v1.ZestClientElementClear;
@@ -73,6 +75,9 @@ public class AuthenticationDiagnostics implements AutoCloseable {
     private static final List<DiagnosticDataProvider> diagnosticDataProviders =
             Collections.synchronizedList(new ArrayList<>());
 
+    private static final List<DomainAccessedConsumer> domainAccessedConsumers =
+            Collections.synchronizedList(new ArrayList<>());
+
     private static final String ELEMENT_SELECTOR_SCRIPT =
             """
 function isElementPathUnique(path, documentElement) {
@@ -187,6 +192,8 @@ function getSelector(element, documentElement) {
 return getSelector(arguments[0], document)
 """;
 
+    private final HttpSenderListener domainAccessedListener;
+
     private final boolean enabled;
 
     private Diagnostic diagnostic;
@@ -206,6 +213,35 @@ public AuthenticationDiagnostics(
             String user,
             String script) {
         this.enabled = enabled;
+
+        domainAccessedListener =
+                new HttpSenderListener() {
+
+                    @Override
+                    public void onHttpResponseReceive(
+                            HttpMessage msg, int initiator, HttpSender sender) {
+                        // Nothing to do.
+
+                    }
+
+                    @Override
+                    public void onHttpRequestSend(
+                            HttpMessage msg, int initiator, HttpSender sender) {
+                        try {
+                            String domain = SessionStructure.getHostName(msg);
+                            domainAccessedConsumers.forEach(e -> e.domainAccessed(domain));
+                        } catch (URIException ignore) {
+                            // Nothing to do.
+                        }
+                    }
+
+                    @Override
+                    public int getListenerOrder() {
+                        return 0;
+                    }
+                };
+        HttpSender.addListener(domainAccessedListener);
+
         if (!enabled) {
             return;
         }
@@ -498,6 +534,8 @@ public void recordStep(HttpMessage message, String description) {
 
     @Override
     public void close() {
+        HttpSender.removeListener(domainAccessedListener);
+
         if (!enabled) {
             return;
         }
@@ -574,6 +612,21 @@ private WebElement getWebElement(ZestRuntime runtime, ZestClientElement element)
         }
     }
 
+    public static void addDomainsAccessedConsumer(DomainAccessedConsumer consumer) {
+        Objects.requireNonNull(consumer);
+        domainAccessedConsumers.add(consumer);
+    }
+
+    public static void removeDomainsAccessedConsumer(DomainAccessedConsumer consumer) {
+        Objects.requireNonNull(consumer);
+        domainAccessedConsumers.remove(consumer);
+    }
+
+    public interface DomainAccessedConsumer {
+
+        void domainAccessed(String domain);
+    }
+
     public static void addDiagnosticDataProvider(DiagnosticDataProvider provider) {
         Objects.requireNonNull(provider);
         diagnosticDataProviders.add(provider);

diff --git a/addOns/authhelper/src/main/java/org/zaproxy/addon/authhelper/report/AuthReportData.java b/addOns/authhelper/src/main/java/org/zaproxy/addon/authhelper/report/AuthReportData.java
@@ -25,11 +25,9 @@
 import java.nio.file.Paths;
 import java.util.ArrayList;
 import java.util.Collections;
-import java.util.Iterator;
 import java.util.List;
 import java.util.Locale;
 import java.util.Set;
-import java.util.TreeSet;
 import javax.jdo.PersistenceManager;
 import javax.jdo.PersistenceManagerFactory;
 import javax.jdo.Query;
@@ -40,11 +38,8 @@
 import org.apache.logging.log4j.core.LoggerContext;
 import org.apache.logging.log4j.core.lookup.StrSubstitutor;
 import org.parosproxy.paros.Constant;
-import org.parosproxy.paros.model.Model;
 import org.zaproxy.addon.authhelper.internal.db.Diagnostic;
 import org.zaproxy.addon.authhelper.internal.db.TableJdo;
-import org.zaproxy.zap.model.SessionStructure;
-import org.zaproxy.zap.model.StructuralNode;
 
 @Getter
 @Setter
@@ -98,22 +93,6 @@ public void addFailureDetail(FailureDetail detail) {
         failureDetails.add(detail);
     }
 
-    public Set<String> getDomains() {
-        if (domains != null) {
-            return domains;
-        }
-
-        Set<String> temp = new TreeSet<>();
-        Iterator<StructuralNode> iter =
-                SessionStructure.getRootNode(Model.getSingleton()).getChildIterator();
-        while (iter.hasNext()) {
-            temp.add(iter.next().getName());
-        }
-
-        domains = temp;
-        return domains;
-    }
-
     public boolean hasFailureDetails() {
         return failureDetails != null && !failureDetails.isEmpty();
     }

diff --git a/...thhelper/src/main/java/org/zaproxy/addon/authhelper/report/ExtensionAuthhelperReport.java b/...thhelper/src/main/java/org/zaproxy/addon/authhelper/report/ExtensionAuthhelperReport.java
@@ -21,16 +21,23 @@
 
 import java.io.IOException;
 import java.util.ArrayList;
+import java.util.Collections;
 import java.util.List;
+import java.util.Set;
+import java.util.TreeSet;
 import org.apache.commons.httpclient.URI;
 import org.apache.commons.httpclient.URIException;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 import org.parosproxy.paros.Constant;
 import org.parosproxy.paros.control.Control;
+import org.parosproxy.paros.control.Control.Mode;
 import org.parosproxy.paros.extension.Extension;
 import org.parosproxy.paros.extension.ExtensionAdaptor;
+import org.parosproxy.paros.extension.ExtensionHook;
+import org.parosproxy.paros.extension.SessionChangedListener;
+import org.parosproxy.paros.model.Session;
 import org.zaproxy.addon.authhelper.AuthUtils;
 import org.zaproxy.addon.authhelper.AuthenticationDiagnostics;
 import org.zaproxy.addon.authhelper.AutoDetectSessionManagementMethodType;
@@ -61,6 +68,8 @@ public class ExtensionAuthhelperReport extends ExtensionAdaptor {
             List.of(ExtensionReports.class);
     private static final Logger LOGGER = LogManager.getLogger(ExtensionAuthhelperReport.class);
 
+    private static Set<String> domainsAccessed = Collections.synchronizedSet(new TreeSet<>());
+
     private ExtensionAutomation extensionAutomation;
     private AuthReportDataHandler authReportDataHandler;
     private AuthenticationDiagnostics.DiagnosticDataProvider diagnosticDataProvider;
@@ -76,6 +85,36 @@ public void init() {
             diagnosticDataProvider = this::addDiagnosticData;
             AuthenticationDiagnostics.addDiagnosticDataProvider(diagnosticDataProvider);
         }
+        AuthenticationDiagnostics.addDomainsAccessedConsumer(domainsAccessed::add);
+    }
+
+    @Override
+    public void hook(ExtensionHook extensionHook) {
+        extensionHook.addSessionListener(
+                new SessionChangedListener() {
+
+                    @Override
+                    public void sessionScopeChanged(Session session) {
+                        // Nothing to do.
+
+                    }
+
+                    @Override
+                    public void sessionModeChanged(Mode mode) {
+                        // Nothing to do.
+
+                    }
+
+                    @Override
+                    public void sessionChanged(Session session) {
+                        domainsAccessed.clear();
+                    }
+
+                    @Override
+                    public void sessionAboutToChange(Session session) {
+                        // Nothing to do.
+                    }
+                });
     }
 
     private void addDiagnosticData(Diagnostic diagnostic) {
@@ -118,6 +157,8 @@ public void unload() {
         if (diagnosticDataProvider != null) {
             AuthenticationDiagnostics.removeDiagnosticDataProvider(diagnosticDataProvider);
         }
+
+        AuthenticationDiagnostics.removeDomainsAccessedConsumer(domainsAccessed::add);
     }
 
     @Override
@@ -168,6 +209,9 @@ public void handle(ReportData reportData) {
             AuthReportData ard = new AuthReportData();
             reportData.addReportObjects("authdata", ard);
 
+            ard.setDomains(new TreeSet<>(domainsAccessed));
+            domainsAccessed.clear();
+
             Context authContext = getFirstAuthConfiguredContext(reportData);
             if (authContext == null) {
                 return;