Preventing Logout Button Click During spiderClient Scan in ZAP GUI

30 views

Skip to first unread message

LINTO

unread,

Jun 30, 2025, 5:47:39 AMJun 30

to ZAP User Group

Hi everyone,

I'm using the ZAP Automation Framework via the ZAP GUI to run a spiderClient scan on OWASP Juice Shop.

The scan is authenticated using browser-based login, and it successfully reaches the dashboard at:
http://localhost:3000/#/search.

However, during the spiderClient crawl, I notice in the logs that ZAP clicks the Logout button. This action clears the authentication token (likely from localStorage), resulting in the session ending prematurely. ZAP then continues scanning in a logged-out state.

What I’ve Tried:

I added regex patterns like .*logout.* to the context's excludePaths, but this did not prevent the logout button from being clicked.

My Question:

How can I prevent the spiderClient from clicking the Logout button during the scan using the ZAP GUI and Automation Framework?

Is there a way in the GUI to configure XPath filters or element exclusions for spiderClient, or another recommended approach?

Thanks

Simon Bennetts

unread,

Jul 1, 2025, 11:07:13 AMJul 1

to ZAP User Group

Hiya,

See https://www.zaproxy.org/docs/testapps/juiceshop/ :D

Cheers,

Simon

Reply all

Reply to author

Forward

0 new messages