4
votes

I have started learning OWASP ZAP and I am confused about passive scanning in OWASP ZAP.

On right-clicking the node in the Site tree I do not see any passive scanning option; however, under Tools | Options I am able to see Passive Scan Rules.

  1. How can I run a passive scan in OWASP ZAP?
  2. Is the "URL to attack" in the Quick Start the same as Active Scan after Spidering?

Thanks

1 Answer

6
votes

They run by default, so you have to actually choose to disable them :) ZAP will run the (enabled) passive scan rules against all URLs that are either proxied through ZAP or visited by either of the spiders. https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsPscan

Cheers,

Simon (ZAP Project Lead)
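
One way to confirm this from a script rather than the UI, as an added example that is not part of the original answer or the ZAP project's code: it queries ZAP's JSON API for disabled passive rules, waits for the passive-scan queue to drain, and lists the alerts recorded so far. The address `127.0.0.1:8080`, the API key placeholder and the target URL are assumptions.

```python
import json
import time
import urllib.parse
import urllib.request

ZAP_BASE = "http://127.0.0.1:8080"  # assumption: ZAP's local proxy/API address
API_KEY = "YOUR-ZAP-API-KEY"        # placeholder


def http_fetch(url):
    """GET a ZAP JSON API URL, sending the key in the X-ZAP-API-Key header."""
    req = urllib.request.Request(url, headers={"X-ZAP-API-Key": API_KEY})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode("utf-8"))


def view_url(component, view, **params):
    query = "?" + urllib.parse.urlencode(params) if params else ""
    return f"{ZAP_BASE}/JSON/{component}/view/{view}/{query}"


def disabled_rules(fetch=http_fetch):
    """Passive rules are enabled by default; return names of any switched off."""
    rules = fetch(view_url("pscan", "scanners"))["scanners"]
    return [r["name"] for r in rules if str(r["enabled"]).lower() != "true"]


def wait_for_passive_scan(fetch=http_fetch, poll=1.0, timeout=60.0):
    """Poll until the passive-scan queue is empty; False if it never drains."""
    deadline = time.monotonic() + timeout
    while True:
        if int(fetch(view_url("pscan", "recordsToScan"))["recordsToScan"]) == 0:
            return True
        if time.monotonic() >= deadline:
            return False
        time.sleep(poll)


def alerts_for(base_url, fetch=http_fetch):
    """Alerts recorded for base_url (passive and active findings alike)."""
    found = fetch(view_url("alert", "alerts", baseurl=base_url))["alerts"]
    return sorted((a["risk"], a["alert"], a["url"]) for a in found)


if __name__ == "__main__":
    # Needs a running ZAP with traffic already proxied or spidered through it.
    print("Disabled passive rules:", disabled_rules() or "none")
    print("Queue drained:", wait_for_passive_scan())
    for risk, name, url in alerts_for("http://localhost:3000"):  # hypothetical target
        print(f"{risk:13} {name}  {url}")
```
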