Scanned URLs are not printed to the console when DASTs runner times out
Problem to solve
On completion of a DAST job all the URLs spidered by ZAP are printed to the jobs console. However, in the event that the DAST job takes longer than the runner timeout limit, these URLs will not be printed. To allow the user to better understand what DAST scanned in the event of a timeout, the spidered urls should be output to the console before the scan begins.
This issue came from #113
Intended users
Further details
There are wrap hooks provided by zaps python api. These are called at the end of a method in ZAProxy's zap_common.py methods.
Of interest I think are zap_spider_wrap and zap_ajax_spider_wrap. In the ZAProxy baseline/fullscan code, the zap spider is triggered first, and then the Ajax spider is triggered if enabled. We want all of the spidered values, so in theory we would have to hook into the appropriate wrap hook depending on whether or not Ajax scans are enabled.
API scans are also something to consider, because I believe we should be printing out URLs that are found in the API specification. I don't believe there is a hook for this, so in future we will have to add one and hope ZAProxy is willing to merge it.