'Only scan messages in scope' not working


Patrick Morph

Oct 30, 2024, 7:04:16 AM
to ZAP User Group
Hi, I do not seem to be able to limit my passive scan to my scope.

I have created a Context containing URLs for my frontend and backend that I wish to test and removed Default Context from scope. I have checked 'Only scan messages in scope' in Options, but I am still seeing requests in the History window from various unrelated sites, including another site we own which I am using to test.

In the list of Sites the site I have selected to be part of the context is indicated with the bull's-eye icon, but a bunch of other sites are detected too.

I'm sure this should be working from what I've read around the internet.

Thanks for any help,
Patrick

Simon Bennetts

Oct 30, 2024, 9:06:54 AM
to ZAP User Group

Patrick Morph

Oct 31, 2024, 5:40:10 AM
to ZAP User Group
Hi Simon,

Thanks for the response. I appreciate the point regarding "call homes" etc., I may have missed that. But I am definitely seeing requests from sites that are outside this definition. For example, if I have added siteA.com as context, and then visit example.com in my browser, I feel I shouldn't see requests relating to example.com as it is a totally different site, not a "call home" or an off-domain resource?

Thanks,
Patrick

Simon Bennetts

Oct 31, 2024, 7:27:46 AM
to ZAP User Group
Hi Patrick,

You are using ZAP as a proxy, so ZAP shows everything that is proxied through it.
This can be very useful, e.g. if your browser is making unexpected calls to other domains because your app is including external scripts you are not aware of.
You can choose to only report on "in scope" issues if you like.

Cheers,

Simon

Patrick Morph

Oct 31, 2024, 8:21:42 AM
to ZAP User Group
Hi Simon,

So even though I have defined my front and back end url as in Context and checked "only scan messages in scope", I will still see everything in my history tab because all requests are being proxied through it. That does make sense, but I would have thought that given the check it would ignore requests unrelated to my scope at this point.

What is "only scan messages in scope" being checked actually doing then? Does it only apply to active scans, since I can still see the requests in history? I suppose there may be a difference in scanning a request vs intercepting and simply allowing the user to view the request, and that was the point I was missing. Does this sound correct?

Thanks,
Patrick

Simon Bennetts

Oct 31, 2024, 10:05:17 AM
to ZAP User Group
Hi Patrick,

The 'only scan messages in scope' is part of the passive scan config, right?
You should not be seeing any passive alerts from out of scope URLs.
That's different from the Sites Tree. That shows all of the requests that have been proxied through ZAP.
ZAP is _very_ modular, each part has its own "job" and its own configuration :)

If you don't want to see out of scope URLs in the ZAP desktop then you can select the "Show only URLs in scope" buttons in the History and Sites Tree tabs.
If you have some other concern then please explain :)

Cheers,

Simon
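As an added illustration of the split Simon describes (this is a small Python model written for this thread, not ZAP's own code): a context's include/exclude regexes decide what is in scope, the passive-scan option filters only what the passive scanner looks at, and the history keeps every proxied request. The context name, regexes, hostnames and traffic below are constructed; the whole-URL regex matching mirrors ZAP's convention of generating includes like `https://host.*`.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Context:
    """Model of a ZAP Context: regexes are matched against the whole URL
    (which is why ZAP's generated include for a site looks like 'https://host.*')."""
    name: str
    include: list = field(default_factory=list)
    exclude: list = field(default_factory=list)

    def contains(self, url: str) -> bool:
        # A URL is in the context if it matches an include regex and none
        # of the exclude regexes; an exclude always wins over an include.
        if not any(re.fullmatch(p, url) for p in self.include):
            return False
        return not any(re.fullmatch(p, url) for p in self.exclude)


def in_scope(url: str, contexts) -> bool:
    """In scope = inside at least one context that has been put in scope."""
    return any(c.contains(url) for c in contexts)


def proxy(traffic, contexts, scan_only_in_scope: bool):
    """Return (history, passively_scanned) for a batch of proxied requests.
    History always holds everything the browser sent through ZAP; the
    'Only scan messages in scope' option only filters the passive scanner."""
    history = list(traffic)
    if not scan_only_in_scope:
        return history, history
    return history, [u for u in history if in_scope(u, contexts)]


# Constructed sample: one context for the app under test, plus the kind of
# traffic an ordinary browsing session also pushes through the proxy.
CONTEXTS = [Context("app", include=[r"https://app\.siteA\.example.*",
                                    r"https://api\.siteA\.example.*"],
                    exclude=[r".*/logout.*"])]
TRAFFIC = [
    "https://app.siteA.example/login",
    "https://api.siteA.example/v1/users",
    "https://app.siteA.example/logout",          # excluded from the context
    "https://example.com/",                      # unrelated site visited in the browser
    "https://cdn.thirdparty.example/widget.js",  # off-domain script the app pulls in
]

if __name__ == "__main__":
    history, scanned = proxy(TRAFFIC, CONTEXTS, scan_only_in_scope=True)
    print(len(history), "in History;", len(scanned), "passively scanned:", scanned)
```

Keep include regexes anchored to scheme and host: a loose pattern such as `.*siteA\.example.*` also matches a different host like `https://siteA.example.staging.internal/`, pulling it into scope for any scan you later start.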

Patrick Morph

Oct 31, 2024, 10:22:02 AM
to ZAP User Group
Hi Simon,

Thanks for helping me through understanding. I think I get it now!

"The 'only scan messages in scope' is part of the passive scan config, right?" - Yes.

You're right, I'm not seeing alerts that are out of scope, but I was seeing requests that are out of scope. I thought that these would be hidden due to the "only scan" check, but they are not being scanned, they are simply being processed. The concern being that I did not want to accidentally scan the wrong sites if I leave my proxy on.

Thanks,
Patrick

Simon Bennetts

Oct 31, 2024, 11:14:16 AM
to ZAP User Group
Hi Patrick,

No problem.
ZAP will not attack anything unless you explicitly tell it to :)

Cheers,

Simon