Ajax Spider not spidering after it hits an exclude from context url


Aakhash Ganesh

Dec 27, 2023, 5:10:52 AM
to ZAP User Group
Hello,

I have an Ajax Spider issue. I have a webpage with a sidebar with links to other pages, and a button at the top of the page, a logout button. I have added the main domain to the include list in my context and the logout URL to the exclude list. Once the Ajax spider gets to the logout and says that it is out of context, the spider seems to stop trying to find new pages in the original page I gave it.

Is there a setting that needs to be enabled or is there a different issue in how it's being run?



Aakhash Ganesh

Dec 27, 2023, 2:55:06 PM
to ZAP User Group
More information about my issue:
I've attached a video of what the Ajax spider process looks like when I run it with Firefox. It creates the Ajax spider, but once it gets to the webpage I scan for, then it says out of Ajax spider scope and doesn't do anything else. Then it opens up multiple browsers that just show the ZAP callback page and close themselves. I know that it's reaching the page because I can see that the authentication cookie is set and I can see the dashboard page for a split second before it shows the "out of Ajax spider scope" for the URI that I excluded in the context. When I browse to the same page with the browser, the client map is able to find all the links on the page that the Ajax spider also starts at. So shouldn't the Ajax spider also click and browse through the application?


Simon Bennetts

Dec 28, 2023, 11:51:15 AM
to ZAP User Group
Hiya,

https://portaldev.prancer.io/prancer-aakhash/ redirects to a login page via the logout URL.
ZAP will stop there as you have configured the logout URL to be out of scope.

You will need to configure ZAP to handle the authentication.
Try the Authentication Tester with valid credentials: https://www.zaproxy.org/blog/2023-05-23-authentication-tester/
If that works then it should be relatively easy to get this working.

Cheers,

Simon
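For anyone following up on Simon's advice, here is an added example (not from this thread or from the ZAP project) of a ZAP Automation Framework plan that expresses the same setup: the site in scope, the logout URL excluded, browser-based authentication (the method the Authentication Tester dialog is built around) and the Ajax spider run as that user. The context name, the login and logout paths, the user name and the two environment variables holding credentials are assumptions; substitute your own.

```yaml
# ZAP Automation Framework plan (added example, not from the thread or ZAP).
# Assumed placeholders: context name, /login and /logout paths, user name,
# and the ZAP_USERNAME / ZAP_PASSWORD environment variables.
env:
  contexts:
    - name: "portal"
      urls:
        - "https://portaldev.prancer.io/prancer-aakhash/"
      includePaths:
        - "https://portaldev.prancer.io/prancer-aakhash/.*"
      # Keep the logout URL out of scope so the crawler never ends its own
      # session; use the exact URL from your context's exclude list.
      excludePaths:
        - "https://portaldev.prancer.io/prancer-aakhash/logout.*"   # assumed path
      authentication:
        # Browser-based auth: ZAP drives a real browser through the login page.
        method: "browser"
        parameters:
          loginPageUrl: "https://portaldev.prancer.io/prancer-aakhash/login"   # assumed
          loginPageWait: 5
          browserId: "firefox-headless"
        verification:
          method: "autodetect"   # let ZAP learn logged-in vs logged-out responses
      sessionManagement:
        method: "autodetect"     # picks up the session cookie set after login
      users:
        - name: "portal-user"
          credentials:
            username: "${ZAP_USERNAME}"   # assumed env vars; keep secrets out of the file
            password: "${ZAP_PASSWORD}"
  parameters:
    failOnError: true
    progressToStdout: true

jobs:
  # Run the Ajax spider as the authenticated user, so that a redirect to the
  # login page is recognised as a logged-out state and ZAP logs back in
  # instead of stalling at the excluded logout URL.
  - type: spiderAjax
    parameters:
      context: "portal"
      user: "portal-user"
      url: "https://portaldev.prancer.io/prancer-aakhash/"
      browserId: "firefox-headless"
      maxDuration: 10
```

Run it with `zap.sh -cmd -autorun plan.yaml` once the Authentication Tester confirms the login works with the same login URL and credentials.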