Hi there,
I am using ZAP to do a security scan.
I assumed I could identify all URLs in my application in a single shot by using Spider and then scan them by using Active Scan. I have configured ZAP that way by using CONTEXT and SCOPE. As per my requirement, integrated third-party services like social authentication, email/payment servers, etc., should be excluded from ACTIVE scanning.
But I was not able to scan and attack the entire application in a single go.
Instead of the above approach, I am thinking of using ATTACK mode with an exported Context in a page-by-page manual approach. I am thinking of visiting all the pages in my application one after another, hoping ATTACK mode will identify and scan all elements on each page I visit.
I need your help to get answers to the questions below:
1. Does ATTACK mode perform a scan like SPIDER and attack like ACTIVE scan?
2. Is there any better/suitable approach to meet my requirement?
Many thanks in advance!
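For reference, the "spider the whole application, then active scan everything in scope, with third-party integrations left out" flow described in the question can be expressed as a single ZAP Automation Framework plan. The plan below is an added example, not the poster's own configuration: the host `app.example.test`, the `/auth/social/` and `/payment/` paths, the duration budgets and the report directory are placeholders to be replaced with the real application's values.

```yaml
# Added example plan for the ZAP Automation Framework (not the poster's configuration).
# Assumptions: the application is served at https://app.example.test (placeholder) and
# the third-party integrations are reached through the /auth/social/ and /payment/
# paths (placeholders).
env:
  contexts:
    - name: "myapp"
      urls:
        - "https://app.example.test"
      includePaths:
        - "https://app.example.test/.*"
      # URLs matched here are dropped from the context, so neither the spider
      # nor the active scanner will request them.
      excludePaths:
        - "https://app.example.test/auth/social/.*"
        - "https://app.example.test/payment/.*"
  parameters:
    failOnError: true
    progressToStdout: true

jobs:
  # 1. Crawl the whole application inside the context in one pass.
  - type: spider
    parameters:
      context: "myapp"
      maxDuration: 10        # minutes; placeholder budget
  # 2. Let passive scanning of the crawled responses finish before attacking.
  - type: passiveScan-wait
    parameters:
      maxDuration: 5         # minutes; placeholder budget
  # 3. Active scan everything the spider found that is still in scope.
  - type: activeScan
    parameters:
      context: "myapp"
      policy: "Default Policy"
  # 4. Write the findings to a report.
  - type: report
    parameters:
      template: "traditional-html"
      reportDir: "/tmp/zap-report"   # placeholder output directory
      reportFile: "myapp-scan"
```

Run it headless with `zap.sh -cmd -autorun plan.yaml` (or load it from the Automation tab in the desktop UI). Excluding the third-party paths from the context, rather than only from the active scanner, keeps the crawler from following into external authentication and payment flows as well, which is usually what is wanted for services that are not under test.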