I have just recently started using Zed Attack Proxy (ZED) to check for OWASP vulnerabilities and I am trying to get it to scan my whole site. I have successfully got it to log in as a user and scan from there, but it stays on the main page after logging in. Is there a way to get it to scan the other pages throughout the website? Also, is there a way to test for specific vulnerabilities only, or is it more of a broad scan of everything? I am still new to this software so any help is appreciated.
Thanks,
If you're still having problems crawling more than one page then let us know exactly what you are doing and what you see and we can help you from there.
ZAP includes a wide range of scanning rules which are categorized as either:
By default ZAP just includes 'release' quality rules, but you can also download 'beta' and 'alpha' quality rules as well from the ZAP Marketplace: https://github.com/zaproxy/zap-extensions/wiki
ZAP has _very_ fine grain control over the rules you run. You can run all of the rules, just one rule or any combination of them.
You can also set the 'strength' of each rule (which roughly equates to how many requests they make) and the 'threshold' (whether they are more or less likely to report potential issues).
For more info see the help (included with ZAP and also online), eg:
Cheers,
Simon