The problem: I can't configure my OWASP ZAP application to log in and scan the pages which require authentication.
My page is the built-in Django admin page.
I've recorded a script following the instruction from this page: https://www.coveros.com/scripting-authenticated-login-within-zap-vulnerability-scanner/
The script can log in.
I've set it as Script-based Authentication.
Login URL: http://127.0.0.1:8000/admin/
Method: POST
Logged in indicator regexp: \Qlogout\E
Logged Out indicator regexp: \Q/admin/\E
I'm not sure if it is a must to add the user, but I've added it.
Session Management: Cookie Based (tried it with HTTP based as well)
When I click on Attack Scan/Spider, the only pages scanned are those which do not require authentication. E.g., the /admin/logout/ page is not discovered.
Please let me know what I am doing wrong.
Thanks
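
A way to check the two indicator patterns from the post against response text before relying on them in ZAP, as an added example that is not part of the original post. The HTML snippets are constructed samples of a Django admin login form and admin index, the helper names are hypothetical, and the `\Q...\E` conversion is needed only because Python's `re` does not support that Java quoting syntax.

```python
import re

def java_quoted_to_python(pattern: str) -> str:
    # Translate Java-style \Q...\E literal sections into an escaped Python regex.
    out, pos = [], 0
    while True:
        start = pattern.find(r"\Q", pos)
        if start == -1:
            out.append(pattern[pos:])
            break
        out.append(pattern[pos:start])
        end = pattern.find(r"\E", start + 2)
        if end == -1:  # an unterminated \Q quotes everything to the end
            out.append(re.escape(pattern[start + 2:]))
            break
        out.append(re.escape(pattern[start + 2:end]))
        pos = end + 2
    return "".join(out)

def indicator_hits(body: str, logged_in_re: str, logged_out_re: str):
    # Returns (logged-in pattern matched, logged-out pattern matched).
    return (bool(re.search(java_quoted_to_python(logged_in_re), body)),
            bool(re.search(java_quoted_to_python(logged_out_re), body)))

# Indicator patterns exactly as given in the post.
LOGGED_IN = r"\Qlogout\E"
LOGGED_OUT = r"\Q/admin/\E"

# Constructed sample bodies (not captured from a real server).
LOGIN_PAGE = ('<form action="/admin/login/?next=/admin/" method="post" '
              'id="login-form">...</form>')
ADMIN_INDEX = ('<div id="user-tools"><a href="/admin/password_change/">'
               'Change password</a> / <a href="/admin/logout/">Log out</a></div>')

if __name__ == "__main__":
    for name, body in (("login page", LOGIN_PAGE), ("admin index", ADMIN_INDEX)):
        hit_in, hit_out = indicator_hits(body, LOGGED_IN, LOGGED_OUT)
        # A response matched by both patterns does not distinguish the two states.
        note = "ambiguous" if hit_in and hit_out else "ok"
        print(f"{name}: logged-in={hit_in} logged-out={hit_out} ({note})")
```
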