I'm trying to understand how the passive scan works and how I can apply it in my use case.
I have illustrated my setup below:
The client can authenticate itself against the proxy with basic auth or SAML. All requests will be forwarded to the backend service through the proxy. So my question is: let's say the proxy is running on port A and the backend service on port B, and I want to passively scan all requests using OWASP ZAP. Does the ZAP session need to authenticate itself in any way for a passive scan? I understand that the active scan would have to authenticate itself in order to manipulate the application, but I can't really understand if the passive scan has to do that. Can someone explain this to me?
Thanks in advance
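The following is an added illustration (not code from the question, and not ZAP's own implementation) of what "passive" means in this setup: a passive scanner only inspects messages that have already passed through the proxy and never sends requests of its own, so the traffic it sees is whatever the client already authenticated (here with HTTP Basic auth). The message format, the proxied sample traffic and the three checks are constructed for this example and are deliberately simplified stand-ins for real passive rules.

```python
"""Toy passive scanner over proxied HTTP traffic (added example, not ZAP code).

The scanner is given a history of request/response pairs that already went
through the proxy. It never opens a connection itself, so it needs no
credentials: the Authorization header on the recorded requests came from
the real client.
"""
from dataclasses import dataclass, field


@dataclass
class HttpMessage:
    """One request/response pair recorded by the proxy (constructed type)."""
    method: str
    url: str
    request_headers: dict
    status: int
    response_headers: dict = field(default_factory=dict)
    body: str = ""


class PassiveScanner:
    """Observes recorded messages only; requests_sent documents that no
    traffic is generated by the scanner itself."""

    def __init__(self):
        self.requests_sent = 0  # stays 0: passive scanning never sends anything

    def check(self, msg: HttpMessage) -> list:
        findings = []
        # Credentials travelling over plaintext HTTP between client and proxy.
        if msg.url.startswith("http://") and "Authorization" in msg.request_headers:
            findings.append("credentials sent over plaintext HTTP")
        # Response hardening header missing (toy version of a header check).
        if "X-Content-Type-Options" not in msg.response_headers:
            findings.append("missing X-Content-Type-Options header")
        # Version string leaked in the Server header.
        server = msg.response_headers.get("Server", "")
        if any(ch.isdigit() for ch in server):
            findings.append("server version disclosed in Server header")
        return findings

    def scan_history(self, history: list) -> dict:
        """Map each URL to its findings; empty lists are omitted."""
        results = {}
        for msg in history:
            findings = self.check(msg)
            if findings:
                results[msg.url] = findings
        return results


# Constructed sample traffic as the proxy would have recorded it.
SAMPLE_HISTORY = [
    HttpMessage(
        method="GET",
        url="http://proxy.example:8080/account",
        request_headers={"Authorization": "Basic ZGVtbzpkZW1v"},  # constructed
        status=200,
        response_headers={"Server": "Apache/2.4.41", "Content-Type": "text/html"},
        body="<html>account page</html>",
    ),
    HttpMessage(
        method="GET",
        url="https://proxy.example:8443/health",
        request_headers={"Authorization": "Basic ZGVtbzpkZW1v"},  # constructed
        status=200,
        response_headers={"X-Content-Type-Options": "nosniff", "Server": "proxy"},
        body="ok",
    ),
]


def run_sample():
    """Scan the constructed history and return (findings, requests_sent)."""
    scanner = PassiveScanner()
    return scanner.scan_history(SAMPLE_HISTORY), scanner.requests_sent


if __name__ == "__main__":
    findings, sent = run_sample()
    for url, items in findings.items():
        print(url)
        for item in items:
            print("  -", item)
    print("requests sent by scanner:", sent)
```

The point of `requests_sent` staying at zero is the answer to the question in the post: the passive scanner rides on the client's own authenticated session, whereas an active scan would have to hold its own credentials because it creates new requests.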