OWASP ZAP Scanning Options

Detailed configuration of scanning features in OWASP ZAP for effective vulnerability discovery

This guide provides detailed information on configuring and optimizing OWASP ZAP's scanning capabilities. Understanding these options will help you tailor scans to your specific needs, improve accuracy, and maximize effectiveness.

Scanning Types Overview

ZAP offers several scanning mechanisms, each with different purposes and configuration options:

Passive Scanning

Passive scanning analyzes HTTP messages without sending additional requests:

  • Automatic: Runs automatically on all traffic passing through ZAP
  • Non-intrusive: Doesn't generate additional traffic
  • Safe: Cannot modify application state

Key capabilities:

  • Identifying information disclosure
  • Detecting insecure headers
  • Finding cookie issues
  • Discovering content security policy problems
  • Detecting outdated libraries

Passive Scan Configuration

Passive scanning happens automatically but can be fine-tuned for optimal performance and results.

Global Passive Scan Settings

Step 1: Access Passive Scan Options
  1. Go to Tools > Options > Passive Scanner
  2. This opens the passive scanner configuration panel

Step 2: Configure General Settings
  • Scan Only in Scope: When enabled, only scans requests that are in scope
  • Scan Headers of All Requests: When enabled, scans the headers of all requests (not just HTML responses)
  • Scan All Tags: When enabled, scans all tags (not just those considered useful)
  • Max Alerts per Rule: Limits the number of alerts each rule can raise (useful to prevent alert flooding)

Step 3: Manage Scan Rules
  1. Click on the Rules tab
  2. For each rule, you can:
    • Enable/disable the rule
    • Set the threshold (Off, Low, Medium, High)
    • Configure rule-specific parameters
  3. Use the Filter field to find specific rules

Passive Scan Rule Configuration

Information Gathering Rules

These rules identify information disclosure issues:

Rule | Description | Configuration
Application Error | Detects application error messages | Threshold: adjust to reduce false positives
Private IP Disclosure | Finds private IP addresses in responses | None
Server Leaks Information | Detects server information leakage | None
Timestamp Disclosure | Finds timestamps in responses | Threshold: adjust based on application
Username Disclosure | Detects potential usernames | Pattern: add custom username patterns

Active Scan Configuration

Active scanning is highly configurable to balance thoroughness with performance and impact.

Scan Policies

Step 1: Access Scan Policies
  1. Go to Tools > Options > Active Scan
  2. This opens the active scan policy configuration panel

Step 2: Manage Existing Policies
  1. The default policy is always available
  2. Select a policy to view or edit its settings
  3. Click Add to create a new policy
  4. Click Remove to delete a custom policy

Step 3: Create a Custom Policy
  1. Click Add to create a new policy
  2. Enter a name for the policy
  3. Configure general settings:
    • Default Strength: Overall strength of the scan
    • Default Threshold: Overall threshold for raising alerts
  4. Configure individual rules in the categories tabs

Rule Categories

Injection Rules

These rules test for various injection vulnerabilities:

Rule | Description | Strength | Threshold
SQL Injection | Tests for SQL injection flaws | High: more test cases; Medium: balanced; Low: fewer tests | High: fewer false positives; Medium: balanced; Low: more alerts
Command Injection | Tests for OS command injection | High: more payloads; Medium: standard payloads; Low: basic checks | High: requires clear evidence; Medium: standard evidence; Low: more suspicious patterns
LDAP Injection | Tests for LDAP injection flaws | High: comprehensive; Medium: standard; Low: basic | High: strict matching; Medium: standard matching; Low: loose matching
XPath Injection | Tests for XPath injection | Similar to above | Similar to above
NoSQL Injection | Tests for NoSQL injection | Similar to above | Similar to above

Active Scan Options

When starting an active scan, you can configure various options:

Step 1: Access Scan Dialog
  1. Right-click on a target in the Sites tree
  2. Select Attack > Active Scan
  3. The Active Scan dialog appears

Step 2: Configure Scan Scope
  • Starting Point: The URL to start scanning from
  • Recurse: When checked, scans all nodes under the starting point
  • Context: Select a context to use its configuration
  • User: Select a user for authenticated scanning

Step 3: Configure Technology
  1. Click on the Technology tab
  2. Select the technologies used by the target:
    • Operating Systems: Windows, Linux, macOS, etc.
    • Databases: MySQL, PostgreSQL, Oracle, etc.
    • Web Servers: Apache, IIS, Nginx, etc.
    • Languages: PHP, Java, .NET, etc.
    • Frameworks: Spring, Django, Laravel, etc.
  3. This helps ZAP focus on relevant tests

Step 4: Configure Input Vectors
  1. Click on the Input Vectors tab
  2. Select which elements to test:
    • URL Query String: Parameters in the URL
    • POST Data: Form parameters
    • HTTP Headers: Request headers
    • Cookie Data: Cookies
    • URL Path: Path components
  3. Configure how to handle specific input types

Step 5: Advanced Options
  1. Click on the Custom Vectors tab to define custom input vectors
  2. Click on the DOM tab to configure DOM-specific options
  3. Click on the Options tab to set:
    • Inject plugin ID in header: Helps identify which rule generated a request
    • Thread per host: Number of threads per target host
    • Delay in milliseconds: Delay between requests
    • Max rule duration: Maximum time a rule can run

Spider Configuration

Traditional Spider Options

Step 1: Access Spider Options
  1. Go to Tools > Options > Spider
  2. This opens the spider configuration panel

Step 2: Configure General Settings
  • Max Depth: Maximum depth to crawl (default: 5)
  • Thread Count: Number of concurrent threads (default: 2)
  • Max Duration: Maximum running time in minutes (0 for unlimited)
  • Max Children: Maximum number of child nodes per node (0 for unlimited)

Step 3: Configure Processing Options
  • Process Forms: When enabled, submits forms with default values
  • POST Forms: When enabled, submits POST forms (potentially modifying data)
  • Parse Comments: When enabled, looks for URLs in HTML comments
  • Parse robots.txt: When enabled, processes robots.txt for URLs
  • Parse sitemap.xml: When enabled, processes sitemap.xml for URLs
  • Parse SVN metadata: When enabled, processes SVN metadata for URLs
  • Parse Git metadata: When enabled, processes Git metadata for URLs

Step 4: Configure Scope Options
  • Skip URL regex: URLs matching these patterns will be skipped
  • Handle OData-specific parameters: When enabled, handles OData parameters
  • Domain whitelist: Only follow links to these domains
  • Domain blacklist: Don't follow links to these domains

AJAX Spider Options

Step 1: Access AJAX Spider Options
  1. Go to Tools > Options > AJAX Spider
  2. This opens the AJAX Spider configuration panel

Step 2: Configure Browser Settings
  • Browser: Select which browser to use (Chrome, Firefox, HtmlUnit)
  • Browser arguments: Additional arguments to pass to the browser

Step 3: Configure Crawling Settings
  • Number of browsers: Number of concurrent browser instances
  • Max crawl depth: Maximum depth to crawl
  • Max crawl states: Maximum number of states to crawl
  • Max duration: Maximum running time in minutes
  • Event wait time: Time to wait after an event is fired
  • Reload wait time: Time to wait after a page is reloaded

Step 4: Configure Advanced Options
  • Click elements once: When enabled, clicks each element only once
  • Click default elements only: When enabled, only clicks on default elements
  • Random inputs: When enabled, uses random values for form inputs
  • Element wait time: Time to wait for elements to appear

Advanced Scanning Techniques

Scan Hooks

Scan hooks allow you to customize the scanning process programmatically:

// Example scan hook script. ZAP scripts run on the Java platform, so the
// Alert class (used for the risk constants below) has to be imported.
var Alert = Java.type('org.parosproxy.paros.core.scanner.Alert');

function scannerHook(helper, msg) {
    // Add a custom header to all active scan requests so scanner traffic
    // can be told apart from normal traffic in the target's logs
    msg.getRequestHeader().setHeader('X-Scanner', 'ZAP');
    return true;
}

function alertFilter(helper, alertList) {
    // Keep only alerts of Medium risk or higher; Low and Informational are dropped
    var filteredAlerts = [];
    for (var i = 0; i < alertList.length; i++) {
        var alert = alertList[i];
        if (alert.getRisk() >= Alert.RISK_MEDIUM) {
            filteredAlerts.push(alert);
        }
    }
    return filteredAlerts;
}

To use scan hooks:

  1. Go to Tools > Options > Scripts
  2. Add a new script in the Scan Rules category
  3. Implement the required functions
  4. Enable the script

Custom Scan Rules

You can create custom scan rules to test for specific vulnerabilities:

Custom Passive Rules

// Example passive scan rule. ZAP calls scan(ps, msg, src) for every
// request/response pair; the first argument is the passive script helper.
var Alert = Java.type('org.parosproxy.paros.core.scanner.Alert');
var SENSITIVE = /password|credential|token/i;

function scan(helper, msg, src) {
    // Check if the response contains sensitive information
    var body = msg.getResponseBody().toString();
    var url = msg.getRequestHeader().getURI().toString();
    var match = SENSITIVE.exec(body);

    // The pattern matches the words themselves, so a login form label such as
    // "Password" also triggers; narrow it to fit the application under test
    if (match) {
        helper.newAlert()
            .setRisk(Alert.RISK_MEDIUM)
            .setConfidence(Alert.CONFIDENCE_MEDIUM)
            .setName('Potential Sensitive Information Disclosure')
            .setDescription('The response contains potentially sensitive information.')
            .setUri(url)
            .setEvidence(match[0])
            .setMessage(msg)
            .raise();
    }
}

To add a custom passive rule:

  1. Go to Tools > Options > Scripts
  2. Add a new script in the Passive Rules category
  3. Implement the scan function
  4. Enable the script

Context-Specific Scanning

Step 1: Create a Targeted Context
  1. Create a new context for your target
  2. Define include/exclude patterns precisely
  3. Configure authentication if needed
  4. Set up users for authenticated scanning
  5. Define technology scope to focus testing

Step 2: Configure Input Vector Context
  1. Right-click on the context in the Sites tree
  2. Select Attack > Active Scan
  3. Go to the Input Vectors tab
  4. Select only the relevant input vectors
  5. This focuses testing on specific input types

Step 3: Use Custom Scan Policy
  1. Create a custom scan policy for the context
  2. Enable only relevant rules
  3. Set appropriate strength and threshold
  4. This ensures efficient and targeted scanning

Step 4: Execute Context-Specific Scan
  1. Start the active scan with the context selected
  2. Select a specific user if testing authenticated functionality
  3. Monitor the scan progress
  4. Review results in the context of the application

Performance Optimization

Optimizing Scan Speed

Active Scan Performance Tips

  1. Adjust Thread Count:

    • Increase thread count for faster scanning (Tools > Options > Active Scan)
    • Start with 5 threads per host and adjust based on performance
    • Too many threads may overwhelm the target or your system
  2. Focus Rule Selection:

    • Disable unnecessary rules for your environment
    • Create custom policies for different testing phases
    • Use technology filters to skip irrelevant tests
  3. Optimize Scan Strength:

    • Use lower strength for initial scans
    • Increase strength for targeted, in-depth testing
    • Balance between speed and thoroughness
  4. Target Input Vectors:

    • Disable testing of unnecessary input vectors
    • Focus on the most relevant attack surfaces
    • Use custom input vectors for specific tests

Resource Management

Step 1: Memory Allocation
  1. Increase memory allocation for ZAP:
    • Edit zap.bat (Windows) or zap.sh (Linux/macOS)
    • Modify the -Xmx parameter (e.g., -Xmx2g for 2GB)
    • Restart ZAP for changes to take effect
  2. Monitor memory usage in the status bar
  3. Clear history periodically for long testing sessions

Step 2: Database Management
  1. Go to Tools > Options > Database
  2. Configure database settings:
    • Compact database on shutdown: Reduces database size
    • Recovery log: Controls transaction logging
    • Maximum request body size: Limits stored request size
    • Maximum response body size: Limits stored response size
  3. These settings affect performance and disk usage

Step 3: History Management
  1. Periodically clean history for long-running tests:
    • Right-click on History tab and select Purge History
    • Use Analysis > Clear Passive Scan Results to clear alerts
  2. Export important findings before clearing
  3. Consider using separate ZAP sessions for different testing phases

Scan Strategies

Risk-Based Scanning

Step 1: Initial Reconnaissance
  1. Run passive scanning on the entire application
  2. Use the traditional and AJAX spiders to discover content
  3. Review the application structure and functionality
  4. Identify high-value targets and sensitive functionality

Step 2: Risk Assessment
  1. Prioritize targets based on:
    • Business criticality
    • Exposure (public vs. internal)
    • Data sensitivity
    • User privileges required
  2. Create a risk-based testing plan

Step 3: Tiered Scanning
  1. Tier 1: Quick scan of all discovered content
    • Use a lightweight scan policy
    • Focus on high-risk, low-false-positive rules
    • Identify obvious vulnerabilities
  2. Tier 2: Detailed scan of high-risk areas
    • Use a more comprehensive scan policy
    • Include medium-risk rules
    • Test all input vectors
  3. Tier 3: In-depth scan of critical functionality
    • Use maximum strength settings
    • Enable all relevant rules
    • Perform manual testing alongside automated scanning

Incremental Scanning

Step 1: Baseline Scan
  1. Perform an initial scan of the entire application
  2. Document findings as a baseline
  3. Address critical vulnerabilities

Step 2: Change-Based Scanning
  1. For new features or changes:
    • Spider the affected areas
    • Run targeted active scans
    • Compare with baseline results
  2. Focus testing efforts on modified functionality
  3. Verify that previous issues haven't been reintroduced

Step 3: Regression Testing
  1. Periodically scan the entire application
  2. Compare with previous baseline
  3. Identify new vulnerabilities
  4. Update the baseline after each cycle

Integration with Development Workflow

Continuous Integration

Step 1: Set Up ZAP in CI/CD
  1. Use ZAP's automation framework or Docker container
  2. Create a baseline scan configuration
  3. Define thresholds for build failure

Step 2: Configure CI Pipeline

# Example CI script using ZAP Docker. The working directory is mounted at
# /zap/wrk so the container can read zap-baseline.conf and write the report
docker run -v "$(pwd):/zap/wrk/:rw" -t owasp/zap2docker-stable zap-baseline.py \
  -t https://example.com \
  -c zap-baseline.conf \
  -r testreport.html

The configuration file (zap-baseline.conf) can specify:

  • Rules to include/exclude
  • Alert levels that cause build failure
  • Scan options and parameters
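As an added example (not part of the original page or of ZAP's own tooling), the following Python shows the zap-baseline.conf line format and how its IGNORE/WARN/FAIL actions turn the alerts of a ZAP JSON report (written with zap-baseline.py -J) into a build verdict; zap-baseline.py applies this logic itself, so the script is for understanding the file and for building custom gates. The report field names and the default-to-WARN behaviour for unlisted rules are assumptions modelled on the baseline script, and the sample conf and report are constructed.

```python
import json
import re
from collections import Counter

# zap-baseline.conf line format: "<rule id><TAB><IGNORE|WARN|FAIL><TAB>(<rule name>)";
# '#' lines are comments. Rules not listed fall back to WARN (assumed, as in zap-baseline.py).
CONF_LINE = re.compile(r"^(\d+)\s+(IGNORE|WARN|FAIL)\b")

def parse_baseline_conf(text):
    """Return a dict of rule id -> action from zap-baseline.conf contents."""
    actions = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            m = CONF_LINE.match(line)
            if m:
                actions[m.group(1)] = m.group(2)
    return actions

def gate(report, actions, default="WARN"):
    """Apply conf actions to the alerts of a ZAP JSON report (zap-baseline.py -J).
    Assumed shape: {"site": [{"alerts": [{"pluginid", "alert", "riskcode"}]}]}.
    Exit code follows the baseline script: 0 pass, 1 any FAIL, 2 WARNs only."""
    counts, failing = Counter(), []
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            action = actions.get(alert["pluginid"], default)
            counts[action] += 1
            if action == "FAIL":
                failing.append(alert["alert"])
    code = 1 if counts["FAIL"] else 2 if counts["WARN"] else 0
    return code, counts, failing

# Constructed sample conf and report (rule ids are ZAP's published ids).
SAMPLE_CONF = """# zap-baseline rule configuration (constructed example)
10021\tIGNORE\t(X-Content-Type-Options Header Missing)
10038\tWARN\t(Content Security Policy (CSP) Header Not Set)
40012\tFAIL\t(Cross Site Scripting (Reflected))
"""
SAMPLE_REPORT = json.loads("""{"site": [{"@name": "https://example.com", "alerts": [
  {"pluginid": "10021", "alert": "X-Content-Type-Options Header Missing", "riskcode": "1"},
  {"pluginid": "10038", "alert": "Content Security Policy (CSP) Header Not Set", "riskcode": "2"},
  {"pluginid": "40012", "alert": "Cross Site Scripting (Reflected)", "riskcode": "3"},
  {"pluginid": "10096", "alert": "Timestamp Disclosure - Unix", "riskcode": "0"}]}]}""")

if __name__ == "__main__":
    code, counts, failing = gate(SAMPLE_REPORT, parse_baseline_conf(SAMPLE_CONF))
    print("exit code", code, dict(counts), failing)
```

With the sample data the unlisted Timestamp Disclosure alert becomes a WARN and the reflected XSS alert makes the build fail (exit code 1).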
Step 3: Review and Triage
  1. Generate reports in a format suitable for your workflow
  2. Integrate results with issue tracking system
  3. Implement a triage process for findings
  4. Track vulnerability trends over time

API Testing

Step 1: Import API Definition
  1. Go to Tools > Import > OpenAPI Definition
  2. Import your OpenAPI/Swagger specification
  3. ZAP will create Sites tree entries for all endpoints

Step 2: Configure Authentication
  1. Set up appropriate authentication for the API
  2. Create a context with the API endpoints
  3. Configure users and authentication method

Step 3: Create API-Specific Scan Policy
  1. Create a custom scan policy for API testing
  2. Enable relevant rules for API vulnerabilities:
    • Injection flaws
    • Authorization issues
    • Information disclosure
    • Rate limiting
  3. Disable irrelevant rules (e.g., browser-specific issues)

Step 4: Execute API Scan
  1. Run the active scan with the API-specific policy
  2. Monitor for false positives
  3. Review findings in the context of API functionality

Next Steps

Now that you understand the scanning options in OWASP ZAP, explore these topics: