ZAP modes


sugaobilboa

Jun 10, 2023, 2:01:10 PM
to OWASP ZAP User Group
Hi, I am aware that ZAP uses different modes: Standard, Protected, Attack...
I have some doubts.

1) If I go to Quick Start -> Automated Scan -> type a URL and click "Attack", is it implicit that I am going to use Attack mode, even against other URLs?

2) Is adding a URL to a context the same as adding to a scope? Or are they different actions?

"It is recommended that you define a new Context for each web application that makes up the system you are testing, and set them in scope as you test each one"

Thank you!





psiinon

Jun 12, 2023, 4:38:54 AM
to zaprox...@googlegroups.com
Replied inline:


1) If I go to Quick Start -> Automated Scan -> type a URL and click "Attack", is it implicit that I am going to use Attack mode, even against other URLs?

No, ZAP will only attack what you tell it to attack.
Note that the AJAX spider and the DOM XSS scan rule work by launching browsers.
The browsers will potentially request URLs from other sites, as they would if you opened the URLs manually in a browser.
Those sites will appear in the Sites tree, but that does not mean ZAP has attacked them.
 

2) Is adding a URL to a context the same as adding to a scope? Or are they different actions?

Kind of.
By default all contexts are in scope.
But you can change a context to not be in scope if you want.

Cheers,

Simon
 


--
OWASP ZAP Project leader

francesco politi

Jun 12, 2023, 4:49:44 AM
to zaprox...@googlegroups.com
Thank you very much!
