Hi,
I am using ZAP on my web application and the tests are authenticating as a user. Fairly early on in the scan it's finding the user's account page and it's changing the password and, being an administrator, it can also find the settings for the group that that user account is in and marks it as disabled. So the account is getting blocked in a couple of ways, and will impact the tests that ZAP then does after this as it can no longer reach certain pages.

This must be a common problem and I just wanted to check that my expectation of how you deal with this is correct. I'm thinking that I need to craft a set of regular expressions that will block ZAP from POSTing back to the pages that can, for example, change their password.

When there is a page that can edit multiple things, is there a way of allowing ZAP to post back from it but exclude certain values from being changed? So, for example, on the user's group page it could edit the group's name but not mark it as disabled.
Thanks for any assistance or comments,
Mark
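An added example (not part of Mark's post and not ZAP's own code): an offline Python check for the kind of exclusion regexes the post describes. ZAP matches each exclusion regex against the whole URL, so the patterns are anchored and literal dots escaped; the host, paths and URL list are constructed placeholders, and `check_coverage` flags pages an over-broad pattern would wrongly drop from the scan.

```python
import re

# Constructed sample URLs standing in for pages ZAP would discover
# (hypothetical host and paths; not from the original post).
CRAWLED_URLS = [
    "https://app.example.test/account/password",
    "https://app.example.test/account/password?token=abc",
    "https://app.example.test/admin/groups/7/disable",
    "https://app.example.test/admin/groups/7/edit",
    "https://app.example.test/help/password-policy",
    "https://app.example.test/reports",
]

# ZAP-style exclusion regexes: each is matched against the full URL,
# so anchor them and escape literal dots rather than using a bare
# substring such as "password".
EXCLUDE_PATTERNS = [
    r"https://app\.example\.test/account/password(\?.*)?",
    r"https://app\.example\.test/admin/groups/\d+/disable",
]

# Endpoints that must stay in scope so coverage is not lost.
MUST_STAY_IN_SCOPE = [
    "https://app.example.test/admin/groups/7/edit",
    "https://app.example.test/help/password-policy",
]


def is_excluded(url, patterns=EXCLUDE_PATTERNS):
    """True if the URL would be dropped by any exclusion regex."""
    return any(re.fullmatch(p, url) for p in patterns)


def partition(urls, patterns=EXCLUDE_PATTERNS):
    """Split discovered URLs into (in_scope, excluded) lists."""
    excluded = [u for u in urls if is_excluded(u, patterns)]
    in_scope = [u for u in urls if u not in excluded]
    return in_scope, excluded


def check_coverage(patterns=EXCLUDE_PATTERNS, keep=MUST_STAY_IN_SCOPE):
    """Return URLs that an over-broad pattern would wrongly exclude."""
    return [u for u in keep if is_excluded(u, patterns)]


if __name__ == "__main__":
    kept, dropped = partition(CRAWLED_URLS)
    print("excluded:", dropped)
    print("over-excluded:", check_coverage())
    # An unanchored pattern shows the silent coverage loss:
    print("over-excluded with bare pattern:",
          check_coverage([r".*password.*"]))
```

A URL regex never sees the request method or body, so it can only exclude whole URLs; it cannot keep a page in scope while stopping one field on that page from being changed.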