Is Baseline Scan safe and harmless?


Ro L

Aug 4, 2022, 8:05:40 AM
to OWASP ZAP User Group
Hello!

I am a beginner in IT security. I have recently tested the OWASP ZAP Baseline Scan Action in GitHub, to see how it works on a project pipeline, and started researching it a bit more.

1) I noticed that, on the Baseline Scan README file, it says that the target could be a publicly available web application, but it does NOT have the same warning that ZAP Full Scan has about only being able to scan targets that we have permission to test.

2) I have also seen that Baseline Scan runs the ZAP spider for 1 minute and then waits for the passive scanning to complete, and does NOT perform any actual 'attacks'.

3) Finally, I saw the FAQ entry on the zaproxy website, where it explains that passive scanning is completely safe and legal against a live website, but spidering is a bit more dangerous, and could cause problems.

So, considering all this, I have a few questions: is baseline scan safe and legal to be used targeting third-party applications, since it does not have a warning, and does not perform actual 'attacks', but still uses a spider? If so, why is the spider in baseline scan safe compared to a spider that could damage a live website?

Thank you for the attention!


kingthorin+owaspzap

Aug 4, 2022, 10:48:47 AM
to OWASP ZAP User Group
"Legal" depends where you live. We are not lawyers, if you're worried you should consult one.
You should never scan or test something that you do not have permission to scan or test.

The spider will visit pages, submit forms, etc., which could cause business nuisance issues (like submitting "Contact Us" or nonsense "Orders" repeatedly). However, it does not try any actual security testing payloads (XSS, SQLi, etc.). So "safe" is relative.

Basically if you don't know what you or your tool are doing, don't use it against things that aren't yours. Pretty simple.

Ro L

Aug 4, 2022, 12:25:08 PM
to OWASP ZAP User Group
Right. I see, and I completely agree with that. Thank you very much for your answer! :)
It was very helpful, I do understand better now why spiders could cause nuisances.

My question is more of a curiosity about the Baseline Scan tool, I wanted to know specifically how the spider in ZAP Baseline Scan works by default (does it not use POST methods, or does it use safe mode, or something else that differentiates it from the Full Scan spider, besides the duration?). And this curiosity is because of what I mentioned in 1 and 2.

Anyway, thank you.



kingthorin+owaspzap

Aug 4, 2022, 12:51:15 PM
to OWASP ZAP User Group
It's not the spiders that make the difference. The spider does the same thing in both cases. It's that full scan also does an active scan which tries potentially malicious payloads.
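To make the difference concrete, here is an added workflow example (not from this thread or the ZAP project) that runs the two GitHub Actions the thread discusses against an application you own: the baseline action spiders for one minute and passive-scans only, while the full-scan action adds an active scan. The action versions and the staging URL are assumptions/placeholders; check the zaproxy/action-baseline and zaproxy/action-full-scan READMEs for current inputs.

```yaml
# Added example, not from the thread or the ZAP project.
# Both jobs target a staging instance that belongs to you, since even the
# baseline spider will follow links and submit forms on whatever it is pointed at.
name: zap-scans

on:
  pull_request:            # baseline on every PR: spider + passive scan, no payloads
  schedule:
    - cron: "0 3 * * 1"    # full scan weekly: adds an active scan (attack payloads)

jobs:
  baseline:
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    steps:
      - uses: zaproxy/action-baseline@v0.7.0     # version is an assumption
        with:
          target: "https://staging.example.com"  # placeholder: your own deployment
          # -m 1 : spider for 1 minute (the default the thread describes)
          # -a   : also run alpha-quality passive scan rules
          cmd_options: "-a -m 1"
          allow_issue_writing: false             # report in the run; don't open issues

  full-scan:
    if: github.event_name == 'schedule'
    runs-on: ubuntu-latest
    steps:
      - uses: zaproxy/action-full-scan@v0.4.0    # version is an assumption
        with:
          target: "https://staging.example.com"  # placeholder: your own deployment
          # same spider settings; the active scan is what this action adds
          cmd_options: "-a -m 1"
          allow_issue_writing: false
```

The spider configuration is identical in both jobs; only the full-scan job sends active-scan payloads, which is why it is gated to a schedule against a staging target rather than run on every pull request.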

Ro L

Aug 4, 2022, 3:05:16 PM
to OWASP ZAP User Group

Right. Thanks for the explanation!!

And congratulations to all of you for this amazing project!