Google Security Crawl Maze is a comprehensive testbed for web security crawlers.
It is available online at https://security-crawl-maze.app/ and the GitHub repo is https://github.com/google/security-crawl-maze It does appear to be being actively maintained and has merged a fix that we submitted.
As long as one of the ZAP spiders finds the relevant page we count that as a pass, but ideally both spiders will find as many of the URLs as possible.
Changes which find any of the missed URLs for either spider are eligible for a bounty: see Issue #7152 for more details.
The latest Nightly ZAP Docker image is run with the default settings against this app with the following exceptions:
- The traditional Spider “maxDepth” is set to 10 to find the deeper links.
- The number of browsers launched by the Ajax Spider is set to 10 to speed up the crawling.