I ran a basic unauthenticated scan using Standard policy against zero.webappsecurity.com, completed in 40mins.
What puzzeled me is that when looking at the Sesssion Tree, almost all identified session are duplicated, check screenshots.
It seems that those sessions were identified/discovered through different paths, i.e. following different links.
Is this behaviour expected?