Clarity on ZAP Active Scan


Mike Z

Mar 27, 2023, 9:39:31 AM
to OWASP ZAP User Group
Hello! First time active ZAP scan, was using on a project for school and realized that halfway through the scan the URL from the application my team was working on seemed to switch from the site I am intending to scan to firefox services and whatnot (will provide picture). Is this normal? I paused the scan as soon as I realized, definitely want to make sure that this is an intended function and it did not somehow drift into scanning any kind of mozilla internals. No intention here to step outside legal boundaries.

Thank you in advance!
example.jpg

thc...@gmail.com

Mar 27, 2023, 9:55:30 AM
to zaprox...@googlegroups.com
Hi.

Those URLs are not being actively scanned, just accessed; that's from the
browser used by the DOM XSS scan rule.
https://www.zaproxy.org/docs/desktop/addons/dom-xss-active-scan-rule/

There's an issue to address that:
https://github.com/zaproxy/zaproxy/issues/7746

Best regards.

Simon Bennetts

Mar 27, 2023, 9:56:47 AM
to OWASP ZAP User Group
ZAP is not attacking Mozilla internal systems :)

The DOM XSS scan rule works by launching browsers, by default Firefox.
The requests you are seeing are standard requests made by Firefox, not attacks from ZAP.

Cheers,

Simon

Mike Z

Mar 27, 2023, 10:01:27 AM
to OWASP ZAP User Group
Thank you!

Juergen H

Apr 8, 2023, 5:28:48 PM
to OWASP ZAP User Group
Hi there,

I have a similar question, probably due to the same reasons?
When I did an active scan and it finished, in the resulting list of alerts there were also URLs flagged, which I did not choose to scan.
Most if not all of them were pointing to something with google, e.g. csp.withgoogle.com, googleanalytics stuff and the like.
I only wanted to scan my target host, nothing else.
Any explanation about how those google urls made it to the list of alerts?

Another question:
In the "standard" mode, if I scan a target url, would ZAP automatically scan other second-level domains, e.g. by following links it finds in my target?
In the docu, there's some explanation that in the "attack" mode, it would automatically scan "nodes", as soon as they are found.
What exactly is a "node" in this context? Any other directory on the same second level domain? (which could be kind of OK sometimes), or would it scan different second level domains, too?

I would like to use ZAP's active scan but also am afraid of potential destruction this could cause, especially when scanning "random" domains other than my targets.
Thanks a lot for clarifications!
Cheers
Juergen

Simon Bennetts

Apr 9, 2023, 4:46:16 AM
to OWASP ZAP User Group
Hi Juergen,

The explanation is passive scanning.
By default ZAP passively scans all of the requests it sees.
You can change that by defining a context and changing ZAP to "Only scan messages in scope": https://www.zaproxy.org/docs/desktop/ui/dialogs/options/pscanner/


ZAP will only attack sites you explicitly tell it to attack - it will NOT attack other sites.

Cheers,

Simon
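
The scope behaviour Simon describes, as an added example that is not part of this thread or of ZAP itself: a small model of how a context's include regexes decide which proxied URLs are passively scanned (all of them by default, only in-scope ones with "Only scan messages in scope") versus actively attacked (only the explicit target), plus the matching calls through the python-owasp-zap-v2.4 client. The sample URLs, the context name and the `myapp.example` target are constructed; the `zap` argument is assumed to be a `ZAPv2` instance.

```python
import re
from typing import Iterable, List

# Constructed sample of what a ZAP session sees while the DOM XSS rule
# drives Firefox: the intended target plus browser/telemetry traffic.
OBSERVED_URLS = [
    "https://myapp.example/login",
    "https://myapp.example/api/items?id=1",
    "https://firefox.settings.services.mozilla.com/v1/buckets/main",
    "https://csp.withgoogle.com/csp/report",
    "https://www.google-analytics.com/collect",
]


def in_scope(url: str, include: Iterable[str], exclude: Iterable[str] = ()) -> bool:
    """A URL is in a context if it fully matches an include regex and no
    exclude regex (ZAP context patterns are full-match regexes)."""
    return any(re.fullmatch(p, url) for p in include) and not any(
        re.fullmatch(p, url) for p in exclude
    )


def passively_scanned(urls: List[str], include: Iterable[str], only_in_scope: bool) -> List[str]:
    """Default: every proxied message is passively scanned, which is why
    Google/Mozilla URLs show up in alerts. With 'Only scan messages in scope'
    switched on, only context URLs are."""
    return [u for u in urls if not only_in_scope or in_scope(u, include)]


def actively_scanned(urls: List[str], include: Iterable[str], target: str) -> List[str]:
    """Active scan only attacks what it is explicitly started on and, when
    bound to a context, only in-scope URLs under that target."""
    return [u for u in urls if u.startswith(target) and in_scope(u, include)]


def configure_zap(zap, context_name: str, include: Iterable[str], target: str) -> str:
    """Apply the same policy through the python-owasp-zap-v2.4 client
    (assumed API: context.new_context / include_in_context,
    pscan.set_scan_only_in_scope, ascan.scan). Returns the scan id."""
    ctx_id = zap.context.new_context(context_name)
    for pattern in include:
        zap.context.include_in_context(context_name, pattern)
    zap.pscan.set_scan_only_in_scope("true")   # passive alerts only for in-scope URLs
    return zap.ascan.scan(target, contextid=ctx_id)  # attack only the named target
```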

Juergen H

Apr 16, 2023, 2:53:48 PM
to OWASP ZAP User Group
Hi Simon,

thanks a lot and sorry for the late reply and the explanations!
Did not check the group directly, but was checking my mails.
For some reason, some of the group's mails (including yours) were in the spam folder, which I do not check frequently.

Good to know that I can keep using OWASP Zap to only scan the intended targets ;-)

Cheers,
Juergen