On injection scanners, can static assets be filtered out by default for efficiency?


Postoronnim

Nov 6, 2025, 4:42:36 PM
to ZAP User Group
IMHO, it would be very helpful to the user universe to drop static assets from the scope by default for injection scanners carrying attack payloads in the URL.
For example
`https://base_url/main.js?bla&bla`.

The server will strip the params and serve the js file, with no chance of the payload being processed by the application, so this request becomes a waste of time.

Another story would be an API endpoint for `https://base_url/main` where the backend will process the parameters if it's an existing endpoint. In this case, a default that excludes `.js` files would not skip this.

Thanks

Simon Bennetts

Nov 10, 2025, 8:05:01 AM
to ZAP User Group
How can we be sure they are static?
So many apps work in so many different ways that we generally steer away from making assumptions like that.
Instead we make ZAP incredibly flexible and configurable, so you can configure ZAP to exclude all of the assets that you are sure are static in your environment.

Also, if we do exclude them by default, we will still need a way for people to include them if relevant for their apps.

Cheers,

Simon
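As an added example (not code from either poster or from the ZAP project), the script below shows the kind of per-environment exclusion Simon describes, applied to the URLs from the original post. It builds a regex of the form ZAP accepts for a context's "Exclude from Context" list (ZAP matches such regexes against the full URL), restricts the extension match to the path component so `download?file=a.js` is not swept up, and then flags excluded URLs that still carry a query string, because the regex cannot tell whether the server ignores those parameters or processes them. The extension list, the `base_url` placeholder and the sample URLs are assumptions constructed for the demo; only regex constructs shared by Python and Java are used so the printed pattern can be pasted into ZAP unchanged.

```python
import re
from urllib.parse import urlsplit

# Assumption: the tester has decided these extensions are static in *their*
# environment. ZAP itself does not assume this, which is the thread's point.
STATIC_EXTENSIONS = ("js", "css", "map", "png", "jpg", "gif", "svg", "woff2", "ico")


def static_asset_regex(base_url, extensions=STATIC_EXTENSIONS):
    """Return a regex suitable for a ZAP context exclusion entry.

    The pattern is anchored to the site root, and the extension must end the
    *path* component: [^?#]* cannot run into the query string, so a URL whose
    only ".js" sits in a parameter value is not matched. A query string after
    the extension is tolerated, which is the `main.js?bla&bla` case above.
    """
    exts = "|".join(re.escape(e) for e in extensions)
    return rf"^{re.escape(base_url)}/[^?#]*\.(?:{exts})(?:\?.*)?$"


def partition(urls, exclude_regex):
    """Split URLs into (excluded, kept) the way the scanner scope would."""
    pattern = re.compile(exclude_regex)
    excluded, kept = [], []
    for url in urls:
        (excluded if pattern.match(url) else kept).append(url)
    return excluded, kept


def needs_review(excluded):
    """Excluded URLs that still carry parameters.

    The regex cannot know whether the server drops them (a real static file)
    or processes them (templated JS, a rewrite rule), so these should be
    checked by hand before the exclusion is trusted.
    """
    return [url for url in excluded if urlsplit(url).query]


# Constructed sample of crawled URLs; `base_url` is the placeholder from the post.
BASE_URL = "https://base_url"
SAMPLE_URLS = [
    "https://base_url/main.js?bla&bla",    # case from the post: excluded, but flagged
    "https://base_url/static/app.css",      # plain static asset: excluded
    "https://base_url/main",                # endpoint with no extension: kept
    "https://base_url/main?id=1",           # parameters on an endpoint: kept
    "https://base_url/download?file=a.js",  # extension only in the query: kept
    "https://base_url/api/items.json",      # json is not in the static list: kept
    "https://other_host/main.js",           # different site: not matched by this regex
]


def demo():
    regex = static_asset_regex(BASE_URL)
    excluded, kept = partition(SAMPLE_URLS, regex)
    return regex, excluded, kept, needs_review(excluded)


if __name__ == "__main__":
    regex, excluded, kept, review = demo()
    print("exclude regex:", regex)
    for url in excluded:
        print("  excluded:", url)
    for url in kept:
        print("  kept:    ", url)
    for url in review:
        print("  REVIEW (excluded, but has parameters):", url)
```

Run it once against a list of URLs exported from the Sites tree, paste the printed regex into the context's exclusion list, and work through the REVIEW lines by hand before scanning; anything that turns out to be dynamically generated gets removed from the extension list rather than force-included.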