Is Attack mode can perform both Spider and Active Scan activities

Skip to first unread message

Tejababu Atluri

Jul 4, 2022, 12:21:45 PMJul 4
to OWASP ZAP User Group
Hi There,

I am using  ZAP for doing a security Scan.
I assumed I can identify all URL's in my application in a single shot by using Spider and I can scan by using Active Scan. I have configured ZAP in such a way by using CONTEXT and SCOPE. As per my requirement, integrated third-party services like social authentication, email/payment servers, etc., should be excluded from ACTIVE scanning.
But I couldn't able to scan and attack the entire application in a single go.

Instead of the above approach, I am thinking to use ATTACK mode with exported Context in the page-by-page manual approach. I am thinking to visit all the pages in my application one after another, hope ATTACK mode will identify and scan all elements on each page that I visited.

I need your help to get answers to the below questions, 
1. Is ATTACH mode made a scan like SPIDER and perform attacking like ACTIVE scan?
2. Is there any better/suitable approach to meet my requirement? 

Many thanks in advance!

Simon Bennetts

Jul 6, 2022, 4:36:51 AMJul 6
to OWASP ZAP User Group
I must admit that I've always considered Attack Mode to be a manual tool and not so relevant for automation.
Attack Mode does not do ANY exploring - you need to do that, either manually, by proxying tests, spidering, importing API definitions etc.
Attack Mode will attack any new nodes added to the Sites tree by any mechanisms as long as they are in scope.
It is actually no different from exploring the application first and then active scanning.
I can see that it could be useful if you have a large number of sites which you want to active scan, but I would still recommend exploring an app first and then running the active scanner in most cases where you want to automate these things.


Reply all
Reply to author
0 new messages