Investigate why ZAP does not report more findings for WebGoat
ZAP does not report many findings for WebGoat 8: https://gitlab.com/gitlab-org/security-products/dast/-/jobs/178432066 (Note that the test run was in passive mode, so it is expected that many of the vulnerabilities in WebGoat are not reported in this particular test run.)
From looking at the logs, it looks like ZAP did not spider most of WebGoat. I assume the reason is that WebGoat is loading HTML content async and ZAP does not execute JavaScript. If this is the case, we should investigate if we can use ZAP's AJAX crawler: https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsSpiderAjaxConcepts
Edited by Fabio Busatto
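
The hypothesis in the issue, as an added example that is not part of the original issue or of ZAP's code: a sketch of what a crawler that only parses the returned HTML can discover on a page whose content is loaded asynchronously. The HTML shell, URLs and function names are constructed for illustration and are not WebGoat's actual markup.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urldefrag

BASE_URL = "http://app.example/start.html"  # constructed, not a real target

# Constructed sample: an application shell whose lesson content is injected
# by JavaScript into an empty container after the page has loaded.
SAMPLE_SHELL = """
<html><head>
  <script src="js/loader.js"></script>
  <script src="js/main.js"></script>
</head><body>
  <a href="/logout">Logout</a>
  <a href="#lesson/1">Lesson 1</a>
  <a href="#lesson/2">Lesson 2</a>
  <a href="javascript:void(0)" id="hints">Hints</a>
  <div id="lesson-content"></div>
</body></html>
"""

class StaticLinkParser(HTMLParser):
    """Collects only what is visible in the raw HTML, without running scripts."""
    def __init__(self):
        super().__init__()
        self.links, self.scripts = [], 0

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self.links.append(attrs["href"])
        elif tag == "form" and attrs.get("action"):
            self.links.append(attrs["action"])
        elif tag == "script":
            self.scripts += 1

def static_coverage(html, base_url):
    """Split links into distinct fetchable URLs and same-page fragment routes."""
    parser = StaticLinkParser()
    parser.feed(html)
    page = urldefrag(base_url)[0]
    crawlable, fragment_only = set(), set()
    for href in parser.links:
        if href.lower().startswith("javascript:"):
            continue  # needs script execution, nothing to request
        absolute, fragment = urldefrag(urljoin(base_url, href))
        if fragment and absolute == page:
            fragment_only.add(href)  # same document; content arrives via XHR
        else:
            crawlable.add(absolute)
    return {"crawlable": sorted(crawlable),
            "fragment_only": sorted(fragment_only),
            "scripts": parser.scripts}

if __name__ == "__main__":
    print(static_coverage(SAMPLE_SHELL, BASE_URL))
```

A result with few crawlable URLs, several fragment-only routes and an empty content container is the pattern that would explain low spider coverage, and it is the case a browser-driven crawler is meant to address.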