Hi all, hope you can help me.
# 3. Editing the script
The script recorded a lot of steps which do not seem important, so I edit the script, deleting some of the steps.
So for example this is how the script looked at first:
After my edit it looked like this:
So the script comprises:
1. GET request
2. POST request
3. 2x GET request
Note that I also added Sleep for 30 seconds, because sometimes it takes longer for the login to appear:
Probably not needed? But I am not sure; at least I think it will not do any harm, so I keep it there. If you think it might be causing problems I will remove it.
Anyways, this is my completed script.
# 4. Adding script to context as a script based authentication
After this, I add the script as a script based authentication for my created context in the following way:
After this I set up all the required stuff in the prompt as follows:
I do not set users as this data should be passed in the script (or at least I believe that's what is happening), because when I look at the ZEST script I can see the data being passed in the POST request:
```json
"data": "{\"email\":\"myn...@myemail.test\",\"password\":\"myreallystrongpassword\"}",
```
Because of that, I also leave Forced user mode disabled. If this is wrong, please let me know and I will add user as well.
After this I just click OK and believe that the script is added.
# 5. Running the spider
After all the prerequisites are done, I proceed to run the spider on my defined context as follows:
Initially I had a lot of Out of context results, so I also added the following expression into the Context:
```plaintext
https:\/\/gutnertest.juno.one\/[\w\W]*
```
So my Include in context looks like this:
Now it is scanning some things, and it looks like this:
However it still does not pick up some URLs like:
# My questions
So my questions are:
Have I set up everything correctly? Is there something that should have been set up differently?
Am I really authenticated when the spider is running on the website? How can I find out?
Why did the spider not pick up all the URLs (like the example above)?
If I wanted to set this up to run in Docker, would it be enough just to pass the context file I just created?
Thank you very much. I would be grateful for any insight; please let me know if you need any additional information and I will supply it.
I am also new to OWASP ZAP and the forum, so please be patient with me :)
Thank you very much