
ZAP authenticated scan without locking out the test user

Çağlar Arlı


I'm trying to set up an authenticated scan for a webapp, let's say admin.example.com. The authentication is done by a different service, login.example.com, through a JSON AJAX call. After successful authentication, login.example.com sets two cookies, a JWT access token and a refresh token, for the whole *.example.com domain. My problem is: if I include the login.example.com endpoint in the scan context, ZAP begins to test the JSON request parameters and locks out the test user before it can authenticate. On the other hand, if I exclude login.example.com from the scanner, there is no authentication attempt at all. My desired solution would be to use login.example.com only for authentication with the defined credentials (no brute force, no parameter tampering, no magic) and then scan admin.example.com with the valid session. Is it possible to configure this somehow?
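One way to set this up, as an added example that is not part of the original post: keep login.example.com inside the context (so ZAP's authentication logic can call it) but register the login endpoint in the active scanner's global exclusion list, so no scan rule ever sends payloads to it. It uses the zap-api-python client; the login path, the JSON body layout and the proxy address are assumptions, and the API key and password are placeholders.

```python
import re
from urllib.parse import quote

CONTEXT = "admin"
LOGIN_URL = "https://login.example.com/api/login"   # assumed endpoint
# Assumed JSON body; {%username%} and {%password%} are ZAP's substitution markers.
LOGIN_BODY = '{"username":"{%username%}","password":"{%password%}"}'


def json_auth_params(login_url, body):
    """URL-encoded parameter string ZAP expects for jsonBasedAuthentication."""
    return "loginUrl=%s&loginRequestData=%s" % (quote(login_url, safe=""), quote(body, safe=""))


def scanner_exclusion_regex(login_url):
    """Regex for 'Exclude from Scanner': matches the login endpoint and any query string."""
    return re.escape(login_url) + ".*"


def login_excluded(regex, url):
    """True when the active scanner would skip this URL under the given exclusion regex."""
    return re.fullmatch(regex, url) is not None


def configure(zap, username, password):
    """Create the context, auth method, session handling, scanner exclusion and test user."""
    ctx_id = zap.context.new_context(CONTEXT)
    # Both hosts are in scope: login.example.com must be in the context for
    # authentication to fire; admin.example.com is the target of the scan.
    zap.context.include_in_context(CONTEXT, r"https://admin\.example\.com.*")
    zap.context.include_in_context(CONTEXT, r"https://login\.example\.com.*")
    zap.authentication.set_authentication_method(
        ctx_id, "jsonBasedAuthentication", json_auth_params(LOGIN_URL, LOGIN_BODY))
    # Cookie-based session management keeps the *.example.com access/refresh cookies.
    zap.sessionmanagement.set_session_management_method(ctx_id, "cookieBasedSessionManagement")
    # Global scanner exclusion (not a context exclusion): the login request still
    # runs during authentication, but no active-scan payloads are sent to it.
    zap.ascan.exclude_from_scan(scanner_exclusion_regex(LOGIN_URL))
    user_id = zap.users.new_user(ctx_id, "scanuser")
    zap.users.set_authentication_credentials(
        ctx_id, user_id, "username=%s&password=%s" % (quote(username), quote(password)))
    zap.users.set_user_enabled(ctx_id, user_id, "true")
    return ctx_id, user_id


if __name__ == "__main__":
    from zapv2 import ZAPv2   # pip install zaproxy
    proxy = "http://127.0.0.1:8080"           # assumed ZAP listener
    zap = ZAPv2(apikey="<ZAP_API_KEY>", proxies={"http": proxy, "https": proxy})
    ctx_id, user_id = configure(zap, "testuser", "<PASSWORD>")
    print(zap.ascan.scan_as_user("https://admin.example.com", ctx_id, user_id, recurse=True))
```

Watch the lockout counter on login.example.com during a first run anyway: the spider and passive rules still see the login response, and a misconfigured body template will make ZAP retry authentication with empty credentials.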