Difference among 1) active scan all in scope 2) Active scan site 3) spider all in scope and in site


Tanu Mukherjee

Jul 7, 2014, 7:22:16 AM
to zaprox...@googlegroups.com

Hi,

I have used the ZAP tool and currently have a few doubts regarding some functionalities.
First, what's the difference between active scan all in scope, scan site, spider all in scope and spider site? I am able to create the tree of the web services testing that I have done, but I don't know whether to attack it in active scan mode or spider mode.

Secondly, after scanning (with active scan and spider mode as well), is the report that is generated different or the same (for active scan and spider)?

Simon Bennetts

Jul 7, 2014, 7:31:42 AM
to zaprox...@googlegroups.com
Hi Tanu,

Have a look at the Getting Started Guide to understand the difference between spidering and active scanning.
There is some information about scope in the user guide, which is included with ZAP and also online: https://code.google.com/p/zaproxy/wiki/HelpStartConceptsScope
You should only scan/spider "in scope" if you have defined some contexts, otherwise nothing will be in scope and the scans will not do anything.
I think of the 'in scope' operations as being more useful when using ZAP manually, but others may disagree :)

You will typically want to explore your application first, either manually or using the spider.
A report generated at this point will just include alerts found by passive scanning.
You will then probably want to use the active scanner, after which the report will also contain alerts that the active scanner finds.

Does that make sense?

Simon
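
The scope behaviour described in the reply above, as an added example that is not part of the original thread and is not ZAP's own code: a simplified model in which a context is a set of include/exclude URL regexes, showing why an "all in scope" operation has nothing to do until a context is defined. The class and function names, the sample URLs, and the assumption that a "site" operation ignores scope are all illustrative.

```python
import re
from dataclasses import dataclass, field

@dataclass
class Context:
    """Simplified model of a context: include/exclude URL regexes (assumption)."""
    name: str
    include: list = field(default_factory=list)
    exclude: list = field(default_factory=list)
    in_scope: bool = True

    def contains(self, url):
        # An exclude pattern always wins over an include pattern.
        if any(re.fullmatch(p, url) for p in self.exclude):
            return False
        return any(re.fullmatch(p, url) for p in self.include)

def in_scope(url, contexts):
    """A URL is in scope only if some in-scope context contains it."""
    return any(c.in_scope and c.contains(url) for c in contexts)

def targets(sites_tree, contexts, mode, site=None):
    """URLs a spider or active scan would be handed in this model.

    'site'         -> every node under the selected site; scope is ignored
                      (assumption of this model).
    'all_in_scope' -> every node in the tree that is in scope.
    """
    if mode == "site":
        return [u for u in sites_tree if u.startswith(site)]
    if mode == "all_in_scope":
        return [u for u in sites_tree if in_scope(u, contexts)]
    raise ValueError(f"unknown mode: {mode}")

# Constructed sample Sites tree (hypothetical hosts).
SITES_TREE = [
    "https://shop.example.test/",
    "https://shop.example.test/api/orders",
    "https://shop.example.test/logout",
    "https://cdn.example.net/lib.js",
]
# Hypothetical context: the whole shop, minus the logout URL.
SHOP = Context("shop",
               include=[r"https://shop\.example\.test/.*"],
               exclude=[r".*/logout"])

if __name__ == "__main__":
    print("no contexts :", targets(SITES_TREE, [], "all_in_scope"))
    print("shop context:", targets(SITES_TREE, [SHOP], "all_in_scope"))
    print("site        :", targets(SITES_TREE, [], "site", "https://shop.example.test"))
```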

Basu Hunasikatti

Apr 22, 2016, 7:57:21 AM
to OWASP ZAP User Group