Passive Crawling/Spidering


Mel Probe

Dec 11, 2021, 4:49:01 AM
to OWASP ZAP User Group
Hello,

I'm new to using zap and I can't find any guides or documentation about passive crawling. I can only find passive scanning.

Is there a feature where I can passively crawl a page? That means whenever I visit a web page, every link in that web page will be automatically added to the sitemap without actually visiting the link itself.

Thank you

Simon Bennetts

Dec 11, 2021, 5:50:57 AM
to OWASP ZAP User Group
Yes, in ZAP we call that spidering.
Have a look at the Quick Start Guide: https://www.zaproxy.org/getting-started/
There are also loads of videos on https://www.zaproxy.org/videos-list/

Cheers,

Simon

Mel Probe

Dec 11, 2021, 6:26:37 AM
to OWASP ZAP User Group
Hi Simon,

What I mean is, is there a feature where I can combine spidering + manual browsing without actually running the Spider itself? If I remember correctly, whenever the ZAP Spider starts it produces requests to the server, which is pretty much dangerous for links that can delete user data without prompting the admin or something similar (I would like to prevent that from happening). I was thinking of similar features to Burp's passive crawling, where it just parses any links in the current page without actually visiting them.

Also, I like the ZAP Deep Dive series, Simon; I've learned a lot about ZAP from it. Cheers.

Thank you,

Simon Bennetts

Dec 13, 2021, 5:01:07 AM
to OWASP ZAP User Group
The spider will follow links, so if you perform an authenticated spider and your app will allow that user to delete user data without prompting for confirmation then yes, that is a real danger.

We don't currently have a feature to passively add URLs to the Sites Tree, but that should be possible using a script passive scan rule - they have access to a representation of the DOM and so should be able to extract URLs...

Cheers,

Simon

Simon Bennetts

Dec 13, 2021, 5:04:02 AM
to OWASP ZAP User Group
Having said that, some parts of ZAP such as the active scanner will expect valid requests and responses, so I don't think it's going to be trivial to get right...
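The approach Simon sketches in the two messages above, shown as an added stand-alone illustration rather than ZAP's own code: a passive rule only looks at a response the browser has already fetched, pulls the URLs out of the markup, resolves them against the page URL and records them without sending a single request. This example uses Python's standard library (`html.parser`, `urllib.parse`) instead of ZAP's script bindings, so the `scan(ps, msg, src)` entry point and the Sites Tree insertion step are not modelled; the page URL, host names and HTML below are constructed sample data.

```python
"""Passive link extraction: record the URLs a page references without requesting any of them.

Added example, not code from ZAP or the OWASP ZAP project. It stands in for the idea in
the thread: a passive rule inspects a response the browser already received and collects
the links it finds, so a link such as /admin/users/7/delete ends up in the list but is
never followed. Sample URL, hosts and HTML are constructed for the example.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit, urlunsplit

# Tag -> attributes whose values are URLs a crawler would otherwise follow or fetch.
URL_ATTRS = {
    "a": ("href",),
    "link": ("href",),
    "script": ("src",),
    "img": ("src",),
    "iframe": ("src",),
    "form": ("action",),
}

# Schemes and prefixes that are not navigable HTTP(S) targets and are skipped outright.
SKIP_PREFIXES = ("javascript:", "mailto:", "tel:", "data:", "#")


class LinkCollector(HTMLParser):
    """Collects raw attribute values from the tags listed in URL_ATTRS."""

    def __init__(self):
        super().__init__()
        self.raw = []

    def handle_starttag(self, tag, attrs):
        # attrs is a list of (name, value) pairs; value may be None for bare attributes.
        for wanted in URL_ATTRS.get(tag, ()):
            for name, value in attrs:
                if name == wanted and value:
                    self.raw.append(value.strip())


def normalize(url):
    """Lower-case scheme/host, default an empty path to '/', and drop the fragment."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                       parts.path or "/", parts.query, ""))


def extract_links(page_url, html, scope_hosts=None):
    """Return the sorted, de-duplicated absolute http(s) URLs referenced by `html`.

    `page_url` is the URL the response was fetched from (used to resolve relative links).
    `scope_hosts`, if given, keeps only URLs on those hosts, mirroring a scope filter.
    Nothing here performs network I/O.
    """
    collector = LinkCollector()
    collector.feed(html)
    found = set()
    for raw in collector.raw:
        if raw.lower().startswith(SKIP_PREFIXES):
            continue
        absolute = urljoin(page_url, raw)
        parts = urlsplit(absolute)
        if parts.scheme.lower() not in ("http", "https"):
            continue
        if scope_hosts is not None and parts.hostname not in scope_hosts:
            continue
        found.add(normalize(absolute))
    return sorted(found)


# Constructed sample response, as if the browser had just loaded an account settings page.
SAMPLE_PAGE_URL = "https://app.example.test/account/settings"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="https://cdn.example.test/app.js"></script>
</head><body>
<a href="/account/profile">Profile</a>
<a href="../admin/users?page=2#top">Users</a>
<a href="/admin/users/7/delete">Delete user 7</a>
<a href="mailto:ops@example.test">Contact</a>
<a href="javascript:void(0)">Menu</a>
<form action="/account/settings/save" method="post"></form>
<img src="logo.png">
<a href="/account/profile">Profile again</a>
</body></html>
"""

if __name__ == "__main__":
    for url in extract_links(SAMPLE_PAGE_URL, SAMPLE_HTML, scope_hosts={"app.example.test"}):
        print("discovered (not requested):", url)
```

The destructive-looking `/admin/users/7/delete` link is listed but never touched, which is the property Mel is after. The trade-off Simon raises in his follow-up is visible here too: each discovered URL is only a string, with no request/response pair behind it, so anything that needs a real exchange to work from (the active scanner, for instance) would still have to be fed separately.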