Running headless zap on a https://domain.com/abcd not staying in directory and starts from base domain

[Ofir Traubas]

when running headless zap zap-full-scan.py scan on https://domain.com/abcd/efg

i want it to stay in the scope of the directory and onward but it starts from the domain instead.

like it scans https://domain.com and crawls it from start instead from /abcd/efg.

not sure what am i doing wrong. 

I'm using the default scan configurations from the docs.

can anyone enlighten me? 

Thanks,

Ofir

[Ofir Traubas]

OK found the issue.

When runnin zap-full-scan.py if you look at the code there are 2 sections - 1 before the spider and 1 before the active scan - 

it changes the target to the original host or domain without the trailing directories. it strips the "/" if there are more than 2 (which are the original of the https://)

It's strange since this behaviour is different when i'm running in the UI. 

[kingthorin+zap]

It isn't an "issue" it's by design. It's called "full" for a reason.

If the packaged scan scripts aren't giving you enough control then you can use an Automation Plan or control ZAP via the API.

https://www.zaproxy.org/docs/automate/