hi there,
I am using active scan on ZAP for my web application.
There is a known path traversal vulnerability for a URL on my web application. When I run the active scan (specifically, I test for path traversal), in the sent messages I can see that tons of messages are sent, including one of the path traversal cases that I want to test,
for example: ../etc/passwd
However, ZAP didn't add this into the "alerts". The response of my web application is a customized body message like `error: "true"`. I checked the source code PathTraversalScanRule.java, and it seems the alert doesn't get triggered by this type of body message.
I am wondering whether I should modify the PathTraversalScanRule.java file and rebuild ZAP to fit my need, or is there an easier way to do this without doing a ZAP dev build?
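Added example, not part of the original post and not ZAP's own code: a small Python model of the two kinds of response check at issue. The first check looks for file content (the `root:.:0:0` signature I recall from PathTraversalScanRule.java for a successful /etc/passwd read; treat the exact pattern as an assumption), which is what the rule needs to raise an alert. The second is a constructed check for the application's own `error: "true"` body. Sample responses are constructed inline.

```python
import re
from typing import Optional

# Signature ZAP's path traversal rule looks for when /etc/passwd content comes back
# (recalled from the rule source; the exact pattern is an assumption here)
PASSWD_PATTERN = re.compile(r"root:.:0:0")

# Constructed pattern for the application's own failure body quoted in the post
CUSTOM_ERROR_PATTERN = re.compile(r'"?error"?\s*:\s*"?true"?', re.IGNORECASE)

# Constructed sample response bodies
SAMPLES = {
    "passwd_leak": "root:x:0:0:root:/root:/bin/bash\n"
                   "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n",
    "custom_error": 'error: "true"',
    "custom_error_json": '{"error": true, "message": "invalid path"}',
    "normal": "<html><body>Welcome</body></html>",
}


def passwd_evidence(body: str) -> Optional[str]:
    """Return the matched file-content signature, or None."""
    m = PASSWD_PATTERN.search(body)
    return m.group(0) if m else None


def custom_error_evidence(body: str) -> Optional[str]:
    """Return the matched application error marker, or None."""
    m = CUSTOM_ERROR_PATTERN.search(body)
    return m.group(0) if m else None


def classify(body: str) -> dict:
    """Decide which check fired and how much weight it carries.

    File content is strong evidence that a file outside the web root was read.
    An application error body only shows the input was rejected or failed,
    so it is reported with low confidence.
    """
    ev = passwd_evidence(body)
    if ev:
        return {"match": "file-content", "confidence": "high", "evidence": ev}
    ev = custom_error_evidence(body)
    if ev:
        return {"match": "custom-error", "confidence": "low", "evidence": ev}
    return {"match": None, "confidence": None, "evidence": None}


def classify_all(samples=SAMPLES) -> dict:
    """Run classify over every sample body."""
    return {name: classify(body) for name, body in samples.items()}


if __name__ == "__main__":
    for name, result in classify_all().items():
        print(f"{name:18} -> {result}")
```

Running it shows the `error: "true"` body never matches the file-content check, which is why a rule keyed on file signatures stays silent; the custom check catches it but only as low-confidence evidence, since an error body does not prove a file was read. ZAP's Scripts tab accepts active-rule scripts, so a check of this kind can live in a script rather than in a rebuilt Java rule.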