7

I have started learning OWASP ZAP and I am confused about passive scanning in OWASP ZAP.

On right-clicking the node in the Site tree I do not see any passive scanning option; however, under Tools | Options I am able to see Passive Scan Rules.

  1. How can I run Passive Scan in OWASP ZAP?
  2. Is the "URL to attack" in the Quick Start the same as Active Scan after Spidering?

Thanks

NewBee

1 Answer

9

They run by default, so you have to actually choose to disable them :) ZAP will run the (enabled) passive scan rules against all URLs that are either proxied through ZAP or visited by either of the spiders. https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsPscan

Cheers,

Simon (ZAP Project Lead)

Tim Child
Simon Bennetts
  • Hi, Thanks for your help. And I can see the answer for my second question at https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsQuickstartQuickstart – NewBee Mar 14 '16 at 06:37
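
Because passive rules run on their own, the practical check is whether any rule has been disabled and whether the passive scan queue has drained. The following is an added example, not part of the original thread or ZAP's own code: it reads the ZAP JSON API views `pscan/view/scanners` and `pscan/view/recordsToScan`. It assumes ZAP is listening on `localhost:8080` with the API enabled; the function names and the sample responses are constructed for illustration.

```python
import json
import urllib.request

ZAP_BASE = "http://localhost:8080"  # assumption: ZAP's default local proxy/API address


def zap_get(path, api_key=""):
    """GET a ZAP JSON API view and return the decoded body."""
    req = urllib.request.Request(ZAP_BASE + path, headers={"X-ZAP-API-Key": api_key})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def passive_scan_status(fetch=zap_get):
    """Summarise the passive scanner: disabled rules and how much traffic is still queued."""
    rules = fetch("/JSON/pscan/view/scanners/")["scanners"]
    queued = int(fetch("/JSON/pscan/view/recordsToScan/")["recordsToScan"])
    # ZAP returns booleans and counts as strings in its JSON API.
    disabled = [r["name"] for r in rules if r["enabled"] != "true"]
    return {
        "total_rules": len(rules),
        "disabled_rules": disabled,
        "records_to_scan": queued,
        "finished": queued == 0,  # nothing left in the passive scan queue
    }


# Constructed sample responses so the example runs without a live ZAP instance.
SAMPLE = {
    "/JSON/pscan/view/scanners/": {"scanners": [
        {"id": "10010", "name": "Cookie No HttpOnly Flag", "enabled": "true"},
        {"id": "10021", "name": "X-Content-Type-Options Header Missing", "enabled": "false"},
    ]},
    "/JSON/pscan/view/recordsToScan/": {"recordsToScan": "3"},
}


def sample_fetch(path):
    """Stand-in for zap_get that serves the constructed responses above."""
    return SAMPLE[path]


if __name__ == "__main__":
    print(passive_scan_status(sample_fetch))
```

Against a running ZAP, call `passive_scan_status()` with no argument (or wrap `zap_get` to pass your API key) after proxying or spidering, and wait for `finished` before reading alerts.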