What is the difference between Quick scan and Active scan?

Anuja Shah

Sep 28, 2017, 3:09:11 AM9/28/17
to OWASP ZAP User Group
If Quick scan does both spider and active scan, then what is the need of doing an active scan individually?

Does quick scan crawl all the pages under the URL? Meaning, does it scan all the child pages of the parent URL? For example: I have one URL: www.abc.com. If I enter the same URL in quick scan, then does it scan all the pages www.abc.com/career, www.abc.com/profile etc.?
If yes, then why does it take less time compared to Active scan?

What is the use of Spider attack? How does it help?

Is there a strategy for when we have to do a quick scan or an active scan? How can we identify this?

Please help me out. I am confused.

Simon Bennetts

Sep 28, 2017, 3:34:44 AM9/28/17
to OWASP ZAP User Group
Hi Anuja,

The Quick scan is just that - it is a quick way to get started with ZAP.
It runs the traditional spider on the URL you specify and then runs the active scanner.
The traditional spider (which is used by the Quick scan and can also be used independently) crawls all of the pages starting from the URL you specify.
The ZAP User Guide (which is included with ZAP and also online) may help explain these better.
The spider doesn't perform any attacks, it's just one way to explore an application.

Have you read the Getting Started Guide? If not then I'd recommend doing so. That's also included with ZAP and online here: https://github.com/zaproxy/zaproxy/releases/download/2.6.0/ZAPGettingStartedGuide-2.6.pdf

The Quick start just runs the spider and active scanner with the default options.
Both these tools have lots of options, so if you want to use anything other than the default options then you'll want to run them individually.
If your application makes heavy use of JavaScript then you may well want to use the Ajax Spider for exploring your app.

ZAP can be used in lots of different ways.
The Quick Start page is really a 'point and shoot' tool - it's ok for some applications but it will struggle with others.
You can use the tools like the Spider, Ajax Spider and Active scanner individually which gives you more control of them.
You can also use ZAP as a fully fledged pentesting tool using tools like the Fuzzer.

Does that help?

Cheers,

Simon
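The answer above describes Quick scan as the traditional spider followed by the active scanner with default options, and says that running the two tools individually is how you get control over their options. The script below, an added example that is not code from this thread or from the ZAP project, does exactly that through ZAP's REST API using the `python-owasp-zap-v2.4` client (`zapv2`): it sets a spider option (`max_depth`) and an active-scan option (`scanpolicyname`) that Quick scan leaves at their defaults, polls each scan to completion, and summarises the alerts. The target URL, API key and proxy address in `main()` are placeholders, and the `FakeZap` class is a constructed stand-in for the real client so the workflow can be exercised offline; it does not model real ZAP behaviour.

```python
"""Spider, then active scan, run as two separate API calls with explicit
options (the steps Quick scan chains with defaults). Added example; not
ZAP project code. Assumes `pip install python-owasp-zap-v2.4` and a ZAP
instance listening on its API port when main() is used."""
import time
from types import SimpleNamespace


def wait_for(status_fn, scan_id, poll=2.0, sleep=time.sleep):
    """Poll a ZAP status endpoint (spider.status / ascan.status) until it
    reports 100 percent; both return the percentage as a string."""
    while True:
        pct = int(status_fn(scan_id))
        if pct >= 100:
            return pct
        sleep(poll)


def spider_then_active_scan(zap, target, max_depth=5, scan_policy=None,
                            sleep=time.sleep):
    """Traditional spider followed by active scan, like Quick scan, but with
    the spider depth and the scan policy chosen by the caller.
    Returns the number of URLs the spider found and alert counts by risk."""
    # Options Quick scan never exposes: crawl depth and the scan policy.
    zap.spider.set_option_max_depth(max_depth)
    zap.urlopen(target)  # seed the Sites tree before spidering
    spider_id = zap.spider.scan(target)
    wait_for(zap.spider.status, spider_id, sleep=sleep)
    crawled = zap.spider.results(spider_id)

    kwargs = {"scanpolicyname": scan_policy} if scan_policy else {}
    scan_id = zap.ascan.scan(target, **kwargs)
    wait_for(zap.ascan.status, scan_id, sleep=sleep)

    by_risk = {}
    for alert in zap.core.alerts(baseurl=target):
        by_risk[alert["risk"]] = by_risk.get(alert["risk"], 0) + 1
    return {"urls_found": len(crawled), "alerts_by_risk": by_risk}


class FakeZap:
    """Constructed stand-in for ZAPv2 exposing only the calls used above.
    Status answers 50 then 100 so the polling loop is exercised. The URLs
    and alerts are made-up sample data, not real ZAP output."""

    def __init__(self):
        self.max_depth = None
        self.scan_policy = None
        self.opened = []
        self.polls = {"spider": 0, "ascan": 0}
        self.spider = SimpleNamespace(
            set_option_max_depth=self._set_depth,
            scan=lambda url: "1",
            status=lambda scanid: self._status("spider"),
            results=lambda scanid: ["http://example.test/",
                                    "http://example.test/career",
                                    "http://example.test/profile"],
        )
        self.ascan = SimpleNamespace(
            scan=self._ascan_scan,
            status=lambda scanid: self._status("ascan"),
        )
        self.core = SimpleNamespace(alerts=lambda baseurl=None: [
            {"risk": "Medium", "alert": "sample-alert-a"},
            {"risk": "Low", "alert": "sample-alert-b"},
            {"risk": "Low", "alert": "sample-alert-c"},
        ])

    def _set_depth(self, depth):
        self.max_depth = depth

    def urlopen(self, url):
        self.opened.append(url)

    def _ascan_scan(self, url, scanpolicyname=None):
        self.scan_policy = scanpolicyname
        return "2"

    def _status(self, which):
        self.polls[which] += 1
        return "100" if self.polls[which] > 1 else "50"


if __name__ == "__main__":
    from zapv2 import ZAPv2  # assumed installed; real client
    # Placeholder key and proxy address; match them to your ZAP instance.
    zap = ZAPv2(apikey="changeme",
                proxies={"http": "http://127.0.0.1:8080",
                         "https": "http://127.0.0.1:8080"})
    print(spider_then_active_scan(zap, "http://www.abc.com/", max_depth=5))
```

Against a real ZAP the same function is run with a `ZAPv2` client instead of `FakeZap`; swapping `zap.spider` for `zap.ajaxSpider` (a different API with its own status call) is the route when the application is JavaScript-heavy, as the answer suggests.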

Anuja Shah

Sep 28, 2017, 4:09:30 AM9/28/17
to OWASP ZAP User Group
Thank you Simon.
It helps me a ton.
I will apply the same.