GitLab DAST AUTH not waiting for page load to finish

I have noticed that DAST AUTH is not waiting for the whole page to finish loading. This is seen on the dast-auth-report as the page screenshot is shown with a spinner instead of the actual login form.

My Angular code does a bunch of things after the first call is completed, which can be seen on the network tab, like downloading CSS, JS, fonts and index.html. Only once all of these are loaded does the spinner stop and the form load.

How do I get DAST AUTH to wait for the whole page to load, with all the child calls completed, before looking for elements in the DOM?

    DAST_USERNAME_FIELD: "id:[id=username]"
    DAST_PASSWORD_FIELD: "id:[id=password]"
    DAST_SUBMIT_FIELD: "id:button[id=signinbutton]"
    DAST_AUTH_REPORT: "true"

Further details from DEBUG logs.

zap_server is invoking all the child URLs through a series of findAndAddChild Sites calls. Where I feel things are going wrong is that there are approximately 20-odd calls that need to happen before the login form is successfully loaded, but it looks like the job is only waiting for an arbitrary 5 secs before trying to get the HTML elements from the form. I can see that the findAndAddChild calls are still going on in the DEBUG logs even after the login attempt failed error, which explains why I am seeing the spinner on the auth debug report: the page hasn't really finished running.

Log snippet:

    [zap_server] 14702 [ZAP-IO-EventExecutor-3-3] DEBUG org.parosproxy.paros.model.SiteMap - findChild Sites /
    [zap_server] 14703 [ZAP-IO-EventExecutor-3-3] DEBUG org.parosproxy.paros.model.SiteMap - findChild / GET:backgroundImage..jpg
    [zap_server] 14714 [ZAP-IO-EventExecutor-3-2] DEBUG org.parosproxy.paros.model.SiteMap - findChild Sites /
    [zap_server] 14715 [ZAP-IO-EventExecutor-3-2] DEBUG org.parosproxy.paros.model.SiteMap - findChild / assets
    [zap_server] 14724 [Thread-20] DEBUG org.parosproxy.paros.model.SiteMap - addPath
    [zap_server] 14724 [Thread-20] DEBUG org.parosproxy.paros.model.SiteMap - findAndA
    2024-02-15T09:16:42.628 INF AUTH  login attempt failed error="authentication failed: unable to find elements with selector: css:[name=username]"
    2024-02-15T09:16:42.628 INF AUTH  writing authentication report path="/zap/wrk/gl-dast-debug-auth-report.html"
    2024-02-15T09:16:42.858 INF AUTH  skipping writing of JSON cookie report as there are no cookies to write
    2024-02-15T09:16:42.923 FTL MAIN  failed to initialize authentication runner: authentication failed: unable to find elements with selector: css:[name=username]
    2024-02-15 09:16:42,931 Browserker completed with exit code 1
    2024-02-15 09:16:42,931 BrowserkerError: Failure while running Browserker 1.Exiting scan
    ddChild Sites /
    [zap_server] 14724 [Thread-20] DEBUG org.parosproxy.paros.model.SiteMap - findChild Sites /
    [zap_server] 14725 [Thread-20] DEBUG org.parosproxy.paros.model.SiteMap - findAndAddLeaf / backgroundImage.jpg
    [zap_server] 14726 [Thread-20] DEBUG org.parosproxy.paros.model.SiteMap - findChild / GET:backgroundImage.jpg
    [zap_server] 14740 [ZAP-IO-EventExecutor-3-3] DEBUG org.parosproxy.paros.model.SiteMap - findChild Sites /
    [zap_server] 14741 [ZAP-IO-EventExecutor-3-3] DEBUG org.parosproxy.paros.model.SiteMap - findChild / GET:Font-Bold.woff
    Running after_script

As I see, you’ve set both to 20s, which might still be insufficient for your application’s complete load cycle. Consider increasing these timeouts further based on the maximum time your application might take to load under normal conditions. Also, experiment with values to find a balance between wait time and effectiveness.
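
A small triage helper for the job log shown in the question, added here as an example (it is not part of the original posts and not GitLab's or ZAP's own tooling): it splits the resources the ZAP proxy recorded into those seen before and after Browserker's `login attempt failed` line, which shows whether the page was still loading when the selector lookup gave up. The function name is hypothetical, the sample lines are copied from the question's snippet, and because both processes write to the same job output the line order is only approximate.

```python
import re

# SiteMap DEBUG line from the ZAP proxy; the number is milliseconds since ZAP started.
ZAP_RE = re.compile(
    r"^\[zap_server\] (\d+) \[[^\]]+\] DEBUG \S+SiteMap - \w+ / (?:GET:)?(\S+)$")
# Browserker's report that the login form lookup failed.
FAIL_RE = re.compile(r'login attempt failed error="(.*)"')

# Sample input: lines copied from the log snippet in the question.
SAMPLE_LOG = '''\
[zap_server] 14703 [ZAP-IO-EventExecutor-3-3] DEBUG org.parosproxy.paros.model.SiteMap - findChild / GET:backgroundImage..jpg
[zap_server] 14715 [ZAP-IO-EventExecutor-3-2] DEBUG org.parosproxy.paros.model.SiteMap - findChild / assets
[zap_server] 14724 [Thread-20] DEBUG org.parosproxy.paros.model.SiteMap - findAndA
2024-02-15T09:16:42.628 INF AUTH  login attempt failed error="authentication failed: unable to find elements with selector: css:[name=username]"
ddChild Sites /
[zap_server] 14725 [Thread-20] DEBUG org.parosproxy.paros.model.SiteMap - findAndAddLeaf / backgroundImage.jpg
[zap_server] 14726 [Thread-20] DEBUG org.parosproxy.paros.model.SiteMap - findChild / GET:backgroundImage.jpg
[zap_server] 14741 [ZAP-IO-EventExecutor-3-3] DEBUG org.parosproxy.paros.model.SiteMap - findChild / GET:Font-Bold.woff
'''

def resources_after_auth_failure(log_text):
    """Return resources the proxy recorded before and after the auth failure.

    Each resource is a (zap_ms, name) pair, listed once per side in order of
    first appearance. Lines split by interleaved output are skipped.
    """
    before, after, failure = [], [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        fail = FAIL_RE.search(line)
        if fail and failure is None:
            failure = fail.group(1)
            continue
        hit = ZAP_RE.match(line)
        if not hit:
            continue  # 'findChild Sites /', 'addPath', torn lines, other tools
        bucket = before if failure is None else after
        if hit.group(2) not in (name for _, name in bucket):
            bucket.append((int(hit.group(1)), hit.group(2)))
    return {"failure": failure, "before": before, "after": after}

if __name__ == "__main__":
    result = resources_after_auth_failure(SAMPLE_LOG)
    print("auth failure:", result["failure"])
    for ms, name in result["after"]:
        print(f"  still being fetched after the failure: {name} (zap +{ms} ms)")
```

A non-empty `after` list means requests for page assets were still passing through the proxy when the element lookup failed, which matches the spinner in the auth report screenshot.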