user123043

Reputation: 101

OWASP ZAP - 2 beginner questions

I am starting with OWASP ZAP. After configuring the proxy and "capturing" the site http://webscantest.com/ in OWASP ZAP, I run a "Spider" attack.

[screenshot: Spider1]

Then, in the website map, I do not find the folder "shutterdb" (which exists), why?

[screenshot: Spider 2]

On the other hand, I try to do fuzzing on the URL http://webscantest.com/login.php: right-click in the request window on the text "passwd=ZAP"

[screenshot: fuzz1]

and add the Payloads and click on "Start Fuzzer".

[screenshot: fuzz2]

The results show "Code 302, Reason Found" but 0 bytes in response size and nothing in "Status"... What does this mean?

[screenshot: fuzz3]

Many thanks in advance for your comments.

Upvotes: 0

Views: 1408

Answers (1)

Kuikiker

Reputation: 156

The Spider basically identifies all the hyperlinks in the page and adds them to the list of URLs to visit, and the process continues recursively as long as new resources are found: https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsSpider

Meaning that even if the 'shutterdb' resource exists, it will not be found by the spider if there is no hyperlink pointing to it.

About the 302 response: it is the HTTP status code for URL redirections, https://en.wikipedia.org/wiki/HTTP_302

The 302 Found redirect status response code indicates that the resource requested has been temporarily moved to the URL given by the Location header (/login.php):

HTTP/1.1 302 Found
Date: Mon, 25 Mar 2019 07:57:41 GMT
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.5.9-1ubuntu4.27
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: login_error=Bad+user+name+or+password; expires=Mon, 25-Mar-2019 09:57:41 GMT; Max-Age=7200
Location: /login.php
Content-Length: 0
Connection: close
Content-Type: text/html
Set-Cookie: NB_SRVID=srv140717; path=/

Upvotes: 1
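Two small illustrations of the points in the answer above, as an added example that is not ZAP's code and not part of the original thread. The first part is a toy hyperlink-following spider over a constructed in-memory site in which the path `/shutterdb/` exists but nothing links to it, so the spider never reaches it. The second part parses a raw HTTP response like the 302 shown in the answer and reads the result from the `Location`, `Set-Cookie` and `Content-Length` headers rather than from the status code alone, which is why a "302, 0 bytes" fuzz row is a rejected login, not an empty page. The site contents, the `spider` and `classify_fuzz_result` function names and the verdict labels are all assumptions made for this example.

```python
"""Added example (not ZAP code): a link-following toy spider and a parser
that explains a '302 Found, 0 bytes' fuzz result."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse, unquote_plus

# --- Part 1: why an unlinked directory is never spidered --------------------

# Constructed site: path -> HTML body. '/shutterdb/' exists on the server
# but no page carries a hyperlink to it (mirrors the question).
SITE = {
    "/": '<a href="/login.php">login</a> <a href="/about.html">about</a>',
    "/login.php": '<form action="/login.php"><input name="passwd"></form>',
    "/about.html": '<a href="/">home</a> <a href="http://other.example/x">ext</a>',
    "/shutterdb/": "<p>gallery</p>",  # present, but unlinked
}


class LinkExtractor(HTMLParser):
    """Collect href values of <a> tags, the only thing a basic spider follows."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def spider(site, base="http://webscantest.com", start="/"):
    """Return the set of same-host paths reachable by following <a href> links."""
    seen, queue = set(), [start]
    while queue:
        path = queue.pop()
        if path in seen or path not in site:
            continue
        seen.add(path)
        extractor = LinkExtractor()
        extractor.feed(site[path])
        for href in extractor.links:
            target = urlparse(urljoin(base + path, href))
            if target.netloc == urlparse(base).netloc:  # stay in scope
                queue.append(target.path)
    return seen


# --- Part 2: reading a fuzz result from the response headers ----------------

# Constructed copy of the 302 response quoted in the answer (CRLF-separated).
RAW_302 = (
    "HTTP/1.1 302 Found\r\n"
    "Date: Mon, 25 Mar 2019 07:57:41 GMT\r\n"
    "Set-Cookie: login_error=Bad+user+name+or+password; "
    "expires=Mon, 25-Mar-2019 09:57:41 GMT; Max-Age=7200\r\n"
    "Location: /login.php\r\n"
    "Content-Length: 0\r\n"
    "Connection: close\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: NB_SRVID=srv140717; path=/\r\n"
    "\r\n"
)


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status, reason, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    _version, status, reason = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return int(status), reason, headers, body


def classify_fuzz_result(raw):
    """Explain what one fuzzed login request actually did."""
    status, reason, headers, body = parse_response(raw)
    values = lambda name: [v for k, v in headers if k == name]
    # First attribute of each Set-Cookie is the cookie name=value pair.
    cookies = {}
    for sc in values("set-cookie"):
        pair = sc.split(";", 1)[0]
        name, _, value = pair.partition("=")
        cookies[name.strip()] = unquote_plus(value.strip())
    location = values("location")[0] if values("location") else None
    length = values("content-length")
    body_bytes = int(length[0]) if length else len(body.encode())
    login_error = cookies.get("login_error")
    if location and login_error:
        verdict = "login rejected"      # bounced back to the form with an error
    elif location:
        verdict = "redirected, inspect target"
    elif status == 200:
        verdict = "page returned, inspect body"
    else:
        verdict = "other"
    return {"status": status, "reason": reason, "redirect_to": location,
            "body_bytes": body_bytes, "login_error": login_error,
            "verdict": verdict}


if __name__ == "__main__":
    print("spidered:", sorted(spider(SITE)))       # '/shutterdb/' is absent
    print(classify_fuzz_result(RAW_302))
```

The spider only ever sees what the pages link to, so a resource that is reachable only by typing its path stays invisible to it; ZAP's forced-browse / directory-list scanning is the feature meant for that case. In the fuzz result, the 0-byte body is expected: the server answers the POST with a redirect back to /login.php and tells the browser why in the `login_error` cookie, so the interesting columns are the redirect target and the cookies, not the response size.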
