Worth noting that passive script scan rules (and Java for that matter)
can opt in to scan any history type, not just proxied/spidered.
Best regards.
On 11/09/2022 23:27, kingthorin+owaspzap wrote:
>> *I'm new to creating my own script and as I was trying it on a website*
>
> Your own script for what? The posts seem to suggest either a passive or
> active scan rule, but maybe not.... Really not clear.
>
> So there's a bunch of things here.
>
> First, yes passive != active. As you can learn in any number of places (the
> Getting Started guide, ZAP's help, numerous blogs etc.) passive scan rules
> (and scripts) run on Proxied and Spidered traffic (optionally on Fuzzed
> traffic).
> Active scan scripts run during .... you guessed it .... Active Scan.
>
> Neither of those script types are user runnable, which makes your second
> post very confusing. "*... so I deleted the alert and run my python script*"
>
> Maybe you meant a CI or automation script all along, but we have no idea.
> Anyway the answer to your question "*Is this normal?*" seems to be yes,