Correct Target Not in the Sites Tree

[Joe Cyb]

Hello,

I am a new ZAP 2.17.0 user and would greatly appreciate any help I can get.

I am trying to run a scan on a peculiar web application. The target URL looks something like https://target-app.example.com/app/section/?prefix=corporate&page= web%2Findex&sid=12345

I used both Spider and AJAX Spider but after crawling, the Sites tree only shows  https://target-app.example.com. The application is structured in a way that the root URL does not lead to the component I want to scan. 

I created a context and configured the authentication successfully. I have also manually included the actual target URL in the context.

How can I make ZAP recognize and attack the full URL (ending with sid=12345)?

Thanks!

[Simon Bennetts]

Hiya,

So how can you access your target app, if not via the root node?

You can specify that the full domain is in the context but start the spiders from a different (sub) URL.

Do you need to authenticate to the app?

Cheers,

Simon