Spider can't discover many pages on a site


Yi SONG

Jan 29, 2021, 3:07:18 AM1/29/21
to OWASP ZAP User Group
Dear all,

Using ZAP 2.9/10, I find that the spider (classic/AJAX) can't find many pages automatically during a scan. I have tried DVWA locally and 'demo.testfire.net'. The spider results are not satisfactory. Apart from manually visiting the pages, is there another way to improve it?

Is there an API or a parameter to take the ZAP-exported URLs as an input parameter for a scan?

Thank you and best regards,
Yi

Simon Bennetts

Jan 29, 2021, 4:45:54 AM1/29/21
to OWASP ZAP User Group
Exploring apps can be challenging.
We'll need to work out why the spiders are not exploring the relevant sites effectively, and it's best to focus on one site at a time as the reasons may well be different on different sites.
So pick the site you most care about and focus on that (or pick a random one if you don't have a preference ;).
Some initial questions:
* Does the site use authentication?
* Do the 2 spiders find similar pages?
* Can you tell if it's a modern web app?
* If you launch the ajax spider using a non headless browser can you see which links it is failing to follow?

As for alternatives, proxying regression tests through ZAP is always a good option, if you have any. You can do that before running the spiders to seed them more effectively.
You can also import APIs if you have a definition for them in OpenAPI/Swagger, SOAP or GraphQL...

Cheers,

Simon
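The seeding idea from the reply above (get more URLs into ZAP's Sites tree before the spider runs) can also be driven from a previously exported URL list, which is what the original question asked about. The script below is an added example written for this thread, not code from ZAP or from either poster. It assumes a ZAP instance listening on 127.0.0.1:8080 with an API key, uses ZAP's REST API endpoints `core/action/accessUrl`, `spider/action/scan`, `spider/view/status` and `core/view/urls`, and embeds a constructed sample of a ZAP "Export URLs" file; the only real host name is demo.testfire.net from the question. Seeds are filtered to the hosts you are actually testing so that third-party URLs picked up during browsing are not pushed into the scan.

```python
"""Seed ZAP's classic spider from an exported URL list via the ZAP REST API.

Added example for this thread, not ZAP project code. Assumptions: ZAP is
running locally on 127.0.0.1:8080 and the API key is the one shown under
Tools > Options > API.
"""
import json
import urllib.parse
import urllib.request

ZAP_BASE = "http://127.0.0.1:8080"  # assumption: local ZAP proxy/API port

# Constructed sample of a ZAP "Export URLs" file (one URL per line); not a
# real capture. It contains a duplicate and an off-target CDN host on purpose.
SAMPLE_EXPORT = """\
# constructed sample export
http://demo.testfire.net/login.jsp
http://demo.testfire.net/index.jsp
http://demo.testfire.net/login.jsp
https://cdn.example.invalid/lib.js
http://demo.testfire.net/bank/main.jsp
"""


def parse_url_list(text, allowed_hosts):
    """Return the http(s) URLs from an export whose host is in allowed_hosts.

    Blank lines and '#' comments are skipped, duplicates dropped, order kept.
    Restricting to allowed_hosts keeps third-party assets out of the scan.
    """
    kept = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = urllib.parse.urlsplit(line)
        if parts.scheme not in ("http", "https") or parts.hostname not in allowed_hosts:
            continue
        if line not in kept:
            kept.append(line)
    return kept


def api_url(kind, component, name, params):
    """Build a ZAP API URL: /JSON/<component>/<kind>/<name>/?<query>."""
    return f"{ZAP_BASE}/JSON/{component}/{kind}/{name}/?" + urllib.parse.urlencode(params)


def http_get(url, api_key):
    """Default transport: GET with the key in ZAP's X-ZAP-API-Key header."""
    req = urllib.request.Request(url, headers={"X-ZAP-API-Key": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode()


def seed_urls(urls, api_key, transport=http_get):
    """Have ZAP request each URL itself (core/action/accessUrl).

    Every response lands in the Sites tree, so the spider starts from the
    whole seeded set instead of just the root page. Returns the seed count.
    """
    for u in urls:
        transport(api_url("action", "core", "accessUrl",
                          {"url": u, "followRedirects": "true"}), api_key)
    return len(urls)


def start_spider(target, api_key, transport=http_get):
    """Start the classic spider on target; returns ZAP's scan id (a string)."""
    body = transport(api_url("action", "spider", "scan",
                             {"url": target, "recurse": "true", "subtreeOnly": "true"}),
                     api_key)
    return json.loads(body)["scan"]


def spider_status(scan_id, api_key, transport=http_get):
    """Percentage complete for the given spider scan, as an int."""
    body = transport(api_url("view", "spider", "status", {"scanId": scan_id}), api_key)
    return int(json.loads(body)["status"])


def known_urls(base, api_key, transport=http_get):
    """All URLs ZAP currently knows under base (seeds plus spider finds)."""
    body = transport(api_url("view", "core", "urls", {"baseurl": base}), api_key)
    return json.loads(body)["urls"]


if __name__ == "__main__":
    import time
    key = "REPLACE-WITH-YOUR-ZAP-API-KEY"  # placeholder, not a real key
    seeds = parse_url_list(SAMPLE_EXPORT, {"demo.testfire.net"})
    print("seeding", seed_urls(seeds, key), "URLs")
    sid = start_spider("http://demo.testfire.net/", key)
    while spider_status(sid, key) < 100:
        time.sleep(2)
    for u in known_urls("http://demo.testfire.net", key):
        print(u)
```

The `transport` argument exists so the API plumbing can be exercised without a live ZAP; in use, compare the `known_urls` count before and after seeding to see how much the export actually helped the spider on the site in question.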