On injection scanners, can static assets be filtered out by default for efficiency?


Postoronnim

Nov 6, 2025, 4:42:36 PM
to ZAP User Group
IMHO, it would be very helpful to the user universe to drop static assets from the scope by default for injection scanners carrying attack payloads in the URL.
For example, `https://base_url/main.js?bla&bla`.

The server will strip the params and serve the JS file, with no chance of the payload being processed by the application, so this request becomes a waste of time.

Another story would be an API endpoint for `https://base_url/main` where the backend will process the parameters if it's an existing endpoint. In this case, a default to exclude .js files would not skip this.

Thanks
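The filtering rule proposed in the post, written out as an added illustration (this is not ZAP's own code and does not use any ZAP API): a URL is treated as a static asset when its path, ignoring the query string, ends in a file extension the web server normally serves verbatim. `main.js?bla&bla` is dropped from the injection scope while the extension-less `main` endpoint stays in scope, which is exactly the distinction the post draws. The extension list, the sample URLs and the function names are assumptions made for the example.

```python
"""Heuristic scope filter for URL-parameter injection scans.

Added illustration, not ZAP code: decide from the URL path alone whether a
target looks like a static asset, so parameter payloads against it can be
skipped by default while extension-less API paths remain in scope.
"""
from urllib.parse import urlsplit
import posixpath

# Extensions normally served verbatim by the web server.  Constructed list for
# this example; a real scanner would make it user-configurable.  Deliberately
# excludes ".json" and ".xml", which are often dynamic API responses.
STATIC_EXTENSIONS = frozenset({
    ".js", ".css", ".map", ".png", ".jpg", ".jpeg", ".gif", ".svg", ".ico",
    ".woff", ".woff2", ".ttf", ".eot", ".pdf", ".txt",
})


def is_static_asset(url: str, extensions=STATIC_EXTENSIONS) -> bool:
    """Return True when the URL path ends in a static-asset extension.

    Only the path is inspected; query string and fragment are ignored, so
    "main.js?bla&bla" and "main.js" classify the same way.  The comparison
    is case-insensitive so "app.CSS" matches ".css".
    """
    path = urlsplit(url).path
    # Drop a trailing slash so "/assets/app.js/" is still judged on "app.js".
    last = posixpath.basename(path.rstrip("/"))
    _, ext = posixpath.splitext(last)
    return ext.lower() in extensions


def filter_scan_targets(urls, skip_static=True):
    """Split candidate URLs into (to_scan, skipped) lists.

    skip_static=False reproduces the current behaviour (everything scanned),
    so the default stays an opt-out rather than a hard exclusion.
    """
    to_scan, skipped = [], []
    for u in urls:
        if skip_static and is_static_asset(u):
            skipped.append(u)
        else:
            to_scan.append(u)
    return to_scan, skipped


if __name__ == "__main__":
    # Constructed sample crawl output (hypothetical host "base_url").
    sample = [
        "https://base_url/main.js?bla&bla",        # static: skipped
        "https://base_url/main?bla&bla",           # API endpoint: scanned
        "https://base_url/static/app.CSS?v=3",     # static, mixed case: skipped
        "https://base_url/api/v1/items.json?id=1", # dynamic response: scanned
    ]
    scan, skip = filter_scan_targets(sample)
    print("scan:", scan)
    print("skip:", skip)
```

The extension check is a heuristic in both directions: it cannot tell that `/main` is backed by application code, and it will also skip a path such as `/report.pdf` that a framework route generates dynamically, so a scanner adopting it should keep the skip list visible and overridable per context.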