From b1d00ea30611514cd92838c9d94c1d04b5740d15 Mon Sep 17 00:00:00 2001
From: Simon Bennetts <psiinon@gmail.com>
Date: Mon, 11 Nov 2024 17:13:09 +0000
Subject: [PATCH] Dont automate forced user mode

And other misc changes I happened to notice :grin:

Signed-off-by: Simon Bennetts <psiinon@gmail.com>
---
 .../contents/start/features/authentication.html  | 16 ++++++++++++----
 .../contents/start/features/httpsessions.html    | 10 ++++++++--
 .../main/javahelp/contents/start/pentest.html    |  2 +-
 .../main/javahelp/contents/start/proxies.html    |  5 ++++-
 .../main/javahelp/contents/ui/tlmenu/edit.html   |  2 +-
 5 files changed, 26 insertions(+), 9 deletions(-)

diff --git a/addOns/help/src/main/javahelp/contents/start/features/authentication.html b/addOns/help/src/main/javahelp/contents/start/features/authentication.html
index 3577a7f65..cc5556de4 100644
--- a/addOns/help/src/main/javahelp/contents/start/features/authentication.html
+++ b/addOns/help/src/main/javahelp/contents/start/features/authentication.html
@@ -7,6 +7,9 @@
 <body>
 	<h1>Authentication</h1>
 	ZAP can handle a wide range of authentication mechanisms.<br>
+	If you are new to ZAP automation then the best place to start is the ZAP 
+	<a href="https://www.zaproxy.org/docs/authentication/">Authentication Decision Tree</a> (external link).
+	<p>
 	Each <a href="contexts.html">Context</a> has:
 	<ul>
 	<li>an <a href="authmethods.html">Authentication Method</a> which defines how authentication is handled. 
@@ -63,10 +66,7 @@ <h2>Configuration example</h2>
     	<li>Define as many users as you need in the Session Properties -> Users section.</li>
 	</ol>
    	After configuring authentication, various actions are available in ZAP. For example, you can now select the user in the 
-   	Spider dialogue. Or, using the Forced User Mode, 
-   	you can force all the interactions that go through ZAP for a given Context to be from the perspective of a User. 
-   	The Forced User Mode is enabled via a button in the toolbar (the one with the user and the lock) and 
-   	is configured via Session Properties -> Forced User Mode.
+   	Spider dialogue.
 	<br>
 	Most of the steps above apply as well for other authentication methods. The only things that change when trying
 	to configure authentication using a different method is step 6. Instead of that, select the authentication
@@ -74,6 +74,14 @@ <h2>Configuration example</h2>
 	of authentication can be found in the <a href="authmethods.html">Authentication Methods</a> page and in the 
 	<a href="../../ui/dialogs/session/contexts.html">Context Session screens</a>.
 
+	<h2><a name="forceduser">Forced User Mode</a></h2>
+	When Forced User Mode is enabled then all interactions that go through ZAP for a given context will be 
+	updated to be from the perspective of the specified User.<br>
+   	The Forced User Mode is enabled via a button in the toolbar (the one with the user and the lock) and 
+   	is configured via Session Properties -> Forced User Mode.<br>
+   	<b>Important:</b> Forced User Mode is just intended for manual testing and should not be used in automation -
+   	there are much better alternatives.
+
 	<h2><a name="envvars">Authentication Header Environmental Variables</a></h2>
 	A set of environmental variables are available which allow you to easily add an authentication header to all of the requests that are proxied through ZAP or initiated
 	by the ZAP tools, including the spiders and active scanner: 
diff --git a/addOns/help/src/main/javahelp/contents/start/features/httpsessions.html b/addOns/help/src/main/javahelp/contents/start/features/httpsessions.html
index d1278a4ae..5f4819aaf 100644
--- a/addOns/help/src/main/javahelp/contents/start/features/httpsessions.html
+++ b/addOns/help/src/main/javahelp/contents/start/features/httpsessions.html
@@ -7,16 +7,22 @@
 <body>
 	<h1>HTTP Sessions</h1>
 	<p>This tool keeps track of the existing HTTP Sessions on a
-		particular Site and allows the Zaproxy user to force all requests to
+		particular Site and allows the ZAP user to force all requests to
 		be on a particular session. Basically, it allows the user to easily
 		switch between user sessions on a Site and to create a new Session
 		without "destroying" the existing ones.</p>
+		
+	<p>
+		The tool is only intended for manual testing and should not be used in automation -
+		there are much better alternatives.
+		If you are new to ZAP automation then the best place to start is the ZAP 
+		<a href="https://www.zaproxy.org/docs/authentication/">Authentication Decision Tree</a> (external link).
 
 	<p>
 		It is based on the concept of Session Tokens, which are HTTP message
 		parameters (for now only Cookies) which allow an HTTP server to
 		connect a request message with any previous requests or data stored.
-		In the case of Zaproxy, conceptually, session tokens have been
+		In the case of ZAP, conceptually, session tokens have been
 		classified into 2 categories: default session tokens and site session
 		tokens. The default session tokens are the ones that the user can set
 		in the <a href="../../ui/dialogs/options/httpsessions.html">Options
diff --git a/addOns/help/src/main/javahelp/contents/start/pentest.html b/addOns/help/src/main/javahelp/contents/start/pentest.html
index e63a383c5..39ecd2785 100644
--- a/addOns/help/src/main/javahelp/contents/start/pentest.html
+++ b/addOns/help/src/main/javahelp/contents/start/pentest.html
@@ -49,7 +49,7 @@ <H2>See also</H2>
 <H2>External Links</H2>
 <table>
 <tr><td>&nbsp;&nbsp;&nbsp;&nbsp;</td><td>
-https://www.owasp.org/wstg</td>
+<a href="https://www.owasp.org/wstg">https://www.owasp.org/wstg</a></td>
 <td> OWASP Testing Guide</td></tr>
 </table>
 
diff --git a/addOns/help/src/main/javahelp/contents/start/proxies.html b/addOns/help/src/main/javahelp/contents/start/proxies.html
index b6b33cef8..55dbff3d5 100644
--- a/addOns/help/src/main/javahelp/contents/start/proxies.html
+++ b/addOns/help/src/main/javahelp/contents/start/proxies.html
@@ -9,7 +9,10 @@
 <BODY>
 <H1>Configuring Proxies</H1>
 <p>
-You will need to configure your browser to use ZAP as a proxy.<br>
+The best way to use a browser with ZAP is to launch it from ZAP. 
+It will then be automatically configured to proxy through ZAP and to ignore certificate warnings.
+<p>
+If for any reason you are unable or unwilling to do that then you will need to configure your browser to use ZAP as a proxy.<br>
 By default, ZAP uses an Address of 'localhost' and a Port of '8080', but these can be changed via the Options > Network > Local Servers/Proxies screen.
 
 Instructions for the latest versions of the most commonly used browsers: 
diff --git a/addOns/help/src/main/javahelp/contents/ui/tlmenu/edit.html b/addOns/help/src/main/javahelp/contents/ui/tlmenu/edit.html
index c77ed8887..1674989fc 100644
--- a/addOns/help/src/main/javahelp/contents/ui/tlmenu/edit.html
+++ b/addOns/help/src/main/javahelp/contents/ui/tlmenu/edit.html
@@ -37,7 +37,7 @@ <H4>Previous Result</H4>
 <a href="../tabs/response.html">Response</a> tab as appropriate.
 
 <H3>Enable / Disable Forced User Mode</H3>
-This switches forced user mode on and off.<br/>
+This switches <a href="../../start/features/authentication.html#forceduser">Forced User Mode</a> on and off.<br/>
 The menu item is only enabled when you have defined a forced user for at least one 
 <a href="../../start/features/contexts.html">context</a>, which can be done via the 
 <a href="../dialogs/session/contexts.html">Session Contexts</a> dialog.