Include URLs found by Ajax Spider in DAST report
Follow-up issue from #13209 (comment 238224680):
One thing I've noticed is that URLs that are picked up by the ajax spider are not included in
urlsInScope
in the DAST report. In theory, a single URL may have been accessed more than once. For example, a URL could be called in the normal spider, the ajax spider, and then the active scan. Do you have any suggestions/direction on what we should do here?
The API endpoint for pulling the URLs found by the ajax spider is different than from the normal spider. See https://github.com/zaproxy/zaproxy/wiki/ApiGen_ajaxSpider. I suggest to query the ajax spider endpoint and add the returned URLs to the DAST report.
Edited by Dennis Appelt