Don't spider URLs excluded in `--auth-exclude-urls`

Summary

ZAP's spider and active scan appear to request the URLs that were excluded via the `--auth-exclude-urls` parameter. These URLs must not be spidered or tested, because requesting them can invalidate the authenticated session.

What is the current bug behavior?

URLs specified in `--auth-exclude-urls` are spidered/tested.

What is the expected correct behavior?

URLs specified in `--auth-exclude-urls` should not be requested during spidering or testing.

Possible fixes

Findings from an initial investigation in gitlab-org/security-products/dast!24 (comment 187381250):

urlsOutOfScope is likely empty because it has an effect only in Protected mode. The ZAP Python API wrapper does not set the mode explicitly (there are no calls to set_mode in any of the wrapper scripts), and by default the mode is "Standard".

As for `--auth-exclude-urls`, they are truly excluded by our code calls to the ZAP API.

So, I'm not sure if they are actually being excluded right now - should be kept since it's Standard mode. We need to file a bug to fix that and enable the Protected mode to make it work.

Proposal

Always use a ZAP context, and use the context when spidering/testing. See #12554 (comment 218566092).
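The proposal above as an added Python example (not code from the DAST project or from ZAP): the scan target becomes the context's include regex, every `--auth-exclude-urls` entry becomes an exclude regex, ZAP is switched to Protected mode so that URLs outside the context are refused rather than merely recorded, and the spider and active scan are started within that context. The context scope check is mirrored locally so the exclusion list can be verified before any request is sent. The function names, the context name, the sample URLs, and the rule that an excluded URL also covers anything appended to it (such as a query string) are this example's own assumptions; the `zap.*` calls follow the python-owasp-zap-v2.4 client, which the caller is assumed to have created.

```python
import re
from typing import Iterable, List, Tuple

# Added example, not DAST's or ZAP's own code. Scope semantics follow ZAP
# contexts: a URL is in scope when it fully matches an include regex and
# matches no exclude regex.


def build_scope(target: str, exclude_urls: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Turn the scan target and the --auth-exclude-urls list into context regexes."""
    include = [re.escape(target.rstrip("/")) + "/.*"]
    # Assumption: an excluded URL covers itself and anything appended to it
    # (for example a query string), so a parameterised logout link is caught too.
    exclude = [re.escape(u) + ".*" for u in exclude_urls]
    return include, exclude


def is_in_scope(url: str, include: List[str], exclude: List[str]) -> bool:
    """ZAP-style context check, reproduced locally for verification."""
    if not any(re.fullmatch(p, url) for p in include):
        return False
    return not any(re.fullmatch(p, url) for p in exclude)


def filter_seeds(urls: Iterable[str], include: List[str], exclude: List[str]) -> List[str]:
    """Drop seed URLs that the context would exclude before they are queued."""
    return [u for u in urls if is_in_scope(u, include, exclude)]


def configure_zap_context(zap, name: str, include: List[str], exclude: List[str]) -> str:
    """Create a ZAP context, register its regexes, and enable Protected mode.

    `zap` is a ZAPv2 client (python-owasp-zap-v2.4) supplied by the caller.
    """
    # Protected mode: ZAP only spiders/attacks URLs inside a context, so the
    # exclusions below are enforced instead of being a no-op in Standard mode.
    zap.core.set_mode("protect")
    zap.context.new_context(name)
    for pattern in include:
        zap.context.include_in_context(name, pattern)
    for pattern in exclude:
        zap.context.exclude_from_context(name, pattern)
        # Belt and braces: the global spider/ascan exclusions hold in any mode.
        zap.spider.exclude_from_scan(pattern)
        zap.ascan.exclude_from_scan(pattern)
    return name


def run_in_context(zap, target: str, name: str) -> Tuple[str, str]:
    """Start the spider and the active scan restricted to the named context."""
    context_id = zap.context.context(name)["id"]  # assumption: context() returns a dict with 'id'
    spider_id = zap.spider.scan(url=target, contextname=name)
    ascan_id = zap.ascan.scan(url=target, contextid=context_id, inscopeonly="true")
    return spider_id, ascan_id


if __name__ == "__main__":
    # Constructed sample values; no ZAP instance is contacted here.
    target = "http://app.example"
    excluded = ["http://app.example/logout", "http://app.example/users/sign_out"]
    inc, exc = build_scope(target, excluded)
    seeds = [
        "http://app.example/",
        "http://app.example/logout",
        "http://app.example/logout?next=/",
    ]
    print(filter_seeds(seeds, inc, exc))  # → ['http://app.example/']
```

To use it against a running ZAP, create the client (`ZAPv2(apikey=..., proxies=...)`), call `configure_zap_context(zap, "dast", inc, exc)` and then `run_in_context(zap, target, "dast")`; the local `filter_seeds` pass is a cheap pre-flight check that the logout URLs really fall outside the context before the session is put at risk.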

Edited by Cameron Swords