HEEELP constant updating of the website!!!


Robert

Jun 15, 2025, 7:10:19 PM
to ZAP User Group
Hello everyone, I’m a novice tester on a cryptocurrency exchange site. Some time ago, I needed to test my site using ZAP, but I ran into a problem: as soon as I start scanning, issues arise. As I noticed during manual testing with ZAP, the site constantly refreshes. I tried setting authorization headers with a token, but for some reason, the site doesn’t seem to respond to them. This might be related to the Custom Vectors section, which is filled out for some reason, but I can't delete the information there. The funny thing is that BurpSuite worked immediately, but it’s a paid application, so I just scanned the site structure without actually performing any security tests. Please help me; I’ll try attaching screenshots of what’s happening. If possible, here’s the site: https://skycapital.group/ru — this is the production version, but there’s no difference.

Please help me, I don't know what to do anymore.

аа.jpg
а.jpg
ааа.jpg

Simon Bennetts

Jun 17, 2025, 11:23:45 AM
to ZAP User Group
Hiya,

It looks like this site is protected by authentication, which is not at all unusual.
Just specifying the authorization headers is usually not enough, see https://www.zaproxy.org/docs/authentication/

Can you explain exactly what you are doing for manual testing - there are many ways to use ZAP :) 
Details matter, so please give us as much info as you can...

Cheers,

Simon

Robert

Jun 20, 2025, 4:36:07 AM
to ZAP User Group

Hi again, sorry for not replying earlier. Regarding your question "How am I testing?", at the moment I'm unable to test the website because I can't access it. When trying to access the site manually through manual exploration, I see that the page keeps refreshing and yes, it has authentication protection.  
With automated testing, the same issue occurs — there are too many 401 errors.  
I've tried adding an authorization token via Replacer, and also tried creating a context. But for some reason, that doesn't help. Recently I noticed that ZAP itself is inserting some non-existent token, as seen in "2 photos above in the conversation."  
Could you please advise what I should do? I haven't been able to delete the Custom Vectors section, which seems to contain incorrect data.  
Maybe I'm doing something completely wrong.  
Thanks in advance!)
On Tuesday, June 17, 2025 at 18:23:45 UTC+3, psi...@gmail.com:

Simon Bennetts

Jun 20, 2025, 11:14:00 AM
to ZAP User Group
Ignore the Custom Vectors - that just shows you the selected request so that you can select specific strings to attack.

When you can access the site again start with manual exploration.
Are you using the HUD?
If so turn it off, that can cause problems in some cases.
Launch your chosen browser from ZAP without the HUD enabled and access the site.
Does the page still keep refreshing?
If so try with both Firefox and Chrome, do they both behave in the same way?

Cheers,

Simon