Ajax Spider scan not crawling


Mareeswaran Nagendran

Feb 27, 2026, 2:50:32 AM (12 days ago) Feb 27
to ZAP User Group
Hi Team,

I am testing an application; it uses 2-way authentication (MFA). The login page is a pop-up window. On the first page it asks for a policy ID and password, and on the second page it asks for a Mobile OTP.

I have a custom script to simulate the MFA. The issue here is that the Ajax Spider scan is not crawling any pages. The application has an authenticated path and an unauthenticated path. It is not even crawling the unauthenticated path.

Please give inputs on why it is not crawling. Does any configuration need to be done?

Below is the Application Tool Stack:
Application Development: React.js, TS, Redux/RxJs, RTL/Jest, Node.js
BFF services: Java SpringBoot
Integration Services: Software AG
Mobile Apps (iOS and Android): ReactNative, Redux, Jest, Firebase
Database: MySQL, Redis for cache
CMS: Drupal 9.x
API Gateway: Software AG

Thanks,
Marees.

Simon Bennetts

Feb 27, 2026, 5:29:57 AM (11 days ago) Feb 27
to ZAP User Group
Hi Marees,


Use the Authentication Tester - it now supports both browser-based and client scripts.
This will allow you to test authentication in isolation, and you will be able to see exactly what the browser does.
Try that out and let us know how you get on.

Cheers,

Simon

Mareeswaran Nagendran

Feb 27, 2026, 8:07:21 AM (11 days ago) Feb 27
to ZAP User Group
Hi Simon,

Thanks for getting back to me. As suggested, let me test the authentication alone with that approach and get back to you.

OWASP ZAP can scan complex applications. Below is the application tech stack of the application that I am testing. Please check and let me know whether I will be able to scan the application with OWASP ZAP.

Application Development: React.js, TS, Redux/RxJs, RTL/Jest, Node.js
BFF services: Java SpringBoot
Integration Services: Software AG
Mobile Apps (iOS and Android): ReactNative, Redux, Jest, Firebase
Database: MySQL, Redis for cache
CMS: Drupal 9.x
API Gateway: Software AG

Thanks,
Marees.

Simon Bennetts

Feb 27, 2026, 8:31:57 AM (11 days ago) Feb 27
to ZAP User Group
The technology really doesn't matter - ZAP can scan anything with an HTTP(S) interface.

Also, ZAP has not been an OWASP project for over 2 years now ;)

Cheers,

Simon

Mareeswaran Nagendran

Mar 1, 2026, 11:55:45 PM (9 days ago) Mar 1
to ZAP User Group
Hi Simon,

I tested MFA authentication via the Authentication Tester using a client script. I recorded the authentication navigation (ID and password followed by Mobile OTP) and ran a Test using that recorded session. It reported the status as Failed. I have attached a screenshot.



Thanks,
Marees.


Simon Bennetts

Mar 5, 2026, 7:58:52 AM (5 days ago) Mar 5
to ZAP User Group
Hi Marees,

Right now the Authentication Tester does not really support TOTP with a client recorded script.
ZAP does support that option, but the tester doesn't.

If you want to use the tester then you will need to use Browser Based Authentication with steps.
Alternatively you can create an automation framework plan which will test TOTP.

If you're not clear on how to proceed then just say and we can point you in the right direction.

Cheers,

Simon
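An Automation Framework plan of the kind Simon describes, added here as an illustration and not taken from the thread or from the ZAP project: browser-based authentication with steps for the two-page login, a `totp` credential from which ZAP generates the code itself, and a `spiderAjax` job run as that user. Every URL, CSS selector and credential below is a placeholder, and the plan assumes the second factor is a TOTP whose shared secret the tester holds (a code delivered by SMS cannot be produced this way).

```yaml
env:
  contexts:
    - name: "policy-portal"                       # placeholder name
      urls:
        - "https://app.example.invalid"           # placeholder origin
      authentication:
        method: "browser"
        parameters:
          loginPageUrl: "https://app.example.invalid/login"  # placeholder
          browserId: "firefox-headless"
          loginPageWait: 5
          steps:
            - description: "Enter policy ID on the first page"
              type: "username"
              cssSelector: "#policyId"              # placeholder selector
            - description: "Enter password"
              type: "password"
              cssSelector: "#password"              # placeholder selector
            - type: "submit"
              cssSelector: "button[type=submit]"    # placeholder selector
            - description: "Type the TOTP code on the second page"
              type: "totp"
              cssSelector: "#otp"                   # placeholder selector
              timeout: 10
            - type: "submit"
              cssSelector: "button[type=submit]"    # placeholder selector
        verification:
          method: "poll"
          loggedInRegex: "\\Q 200 OK\\E"
          loggedOutRegex: "\\Q 401\\E"
          pollFrequency: 60
          pollUnits: "requests"
          pollUrl: "https://app.example.invalid/api/me"      # placeholder
      users:
        - name: "test-user"
          credentials:
            username: "POLICY-ID-PLACEHOLDER"
            password: "PASSWORD-PLACEHOLDER"
            totp:
              secret: "BASE32-SECRET-PLACEHOLDER"   # the shared TOTP secret
              period: 30
              digits: 6
              algorithm: "SHA1"
jobs:
  - type: "spiderAjax"
    parameters:
      context: "policy-portal"
      user: "test-user"
      maxDuration: 10
  - type: "passiveScan-wait"
```

The plan is run with ZAP's `-autorun <plan.yaml>` command-line option; if the Ajax Spider still crawls nothing, the verification regexes and poll URL are the first things to check, since a login ZAP believes has failed is retried rather than crawled.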