HelpAddonsBruteforceOptions
This screen allows you to configure the Forced Browse options:
The number of threads the scanner will use per host. Increasing the number of threads will speed up the scan but may put extra strain on the computer ZAP is running on and the target host.
If checked then the scanner will recurse through all of the sub-directories found. This may take a long time.
The default file selected when ZAP starts.
Allows you to add your own files to be used when brute forcing files and directories. These should be text files with one file or directory name per line. Files are added to the 'dirbuster' directory underneath the ZAP home directory.
If checked then in addition to brute forcing directories, the files will also be brute forced. The URI of the file to be brute forced is derived by appending given extensions to the entries of selected forced browse text file. Users do not need to worry whether the entry already ends with an extension or not. The conflict is handled internally. By default this option is unchecked. Enabling this will increase the scanning time.
If the Force Browse files option is checked, then you can specify the file extensions that need to be brute forced. When specifying multiple extensions, separate each extension with a comma (,). If no value is specified, "php" will be used as the default extension.
The scanner parses the response body to extract existing links. The extracted links are then used to make new requests. If file extensions to ignore are specified, then links ending with those extensions are not requested. When specifying multiple extensions, separate each extension with a comma (,). By default, this is set to "jpg, gif, jpeg, ico, tiff, png, bmp".
The scanner requests every file type in every directory that it finds with the given fail case string appended. The response to that request is used as the baseline for deciding whether or not a guessed file/directory exists. By default, this is set to "thereIsNoWayThat-You-CanBeThere". If you’re getting strange results, consider changing this.
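The following is an added, offline model of the three behaviours described above (appending extensions to wordlist entries, dropping links with ignored extensions, and using the fail case string as a "not found" baseline). It is example code, not ZAP's own implementation: the rule that an entry already ending in a configured extension is requested as-is, the exact comparison of a guess against the fail-case baseline, the function names, and the constructed `CONSTRUCTED_SITE` responses are all assumptions made for illustration. It runs without any network access, and the fake site answers unknown paths with a 200 "page not found" body to show why a per-file-type fail-case baseline, rather than the status code alone, is what lets the result be interpreted correctly.

```python
"""Offline model of Forced Browse candidate generation and fail-case triage.

Added example, not ZAP code. The tie-break rules below are assumptions.
"""

DEFAULT_FILE_EXTENSIONS = "php"
DEFAULT_IGNORE_EXTENSIONS = "jpg, gif, jpeg, ico, tiff, png, bmp"
DEFAULT_FAIL_CASE = "thereIsNoWayThat-You-CanBeThere"


def parse_extensions(value, default):
    """Parse a comma-separated extension list such as "php, html".

    Whitespace and leading dots are stripped, matching is case-insensitive,
    and an empty value falls back to `default` (e.g. "php" for file extensions).
    """
    exts = [e.strip().lstrip(".").lower() for e in value.split(",") if e.strip()]
    return tuple(exts) if exts else tuple(default)


def candidate_paths(base_dir, entries, extensions, force_browse_files=True):
    """Build the paths a scanner would try under base_dir for each wordlist entry.

    Every entry is tried as a directory. With force_browse_files enabled, each
    configured extension is appended as well. Assumption: an entry that already
    ends in one of the configured extensions is requested as-is, not doubled up.
    """
    base = base_dir if base_dir.endswith("/") else base_dir + "/"
    paths = []
    for entry in entries:
        entry = entry.strip().strip("/")
        if not entry or entry.startswith("#"):  # skip blanks and comment lines
            continue
        paths.append(base + entry + "/")  # directory guess
        if not force_browse_files:
            continue
        stem, _, suffix = entry.rpartition(".")
        if stem and suffix.lower() in extensions:
            paths.append(base + entry)  # already carries a configured extension
        else:
            paths.extend(f"{base}{entry}.{ext}" for ext in extensions)
    return paths


def filter_links(links, ignore_value=DEFAULT_IGNORE_EXTENSIONS):
    """Drop extracted links whose path ends with an ignored extension.

    Query strings and fragments are removed before the extension is examined.
    """
    ignore = parse_extensions(ignore_value, default=())
    kept = []
    for link in links:
        path = link.split("?", 1)[0].split("#", 1)[0]
        last_segment = path.rsplit("/", 1)[-1]
        ext = last_segment.rpartition(".")[2].lower() if "." in last_segment else ""
        if ext not in ignore:
            kept.append(link)
    return kept


def fail_case_path(base_dir, extension, fail_case=DEFAULT_FAIL_CASE):
    """Path requested to learn what 'not found' looks like for one file type."""
    base = base_dir if base_dir.endswith("/") else base_dir + "/"
    return f"{base}{fail_case}.{extension}" if extension else f"{base}{fail_case}/"


def looks_present(guess_response, baseline_response):
    """Treat a guess as existing when its response differs from the baseline.

    Responses are (status, body) tuples. Comparing whole bodies is a simplified
    assumption; real scanners usually normalise dynamic content first.
    """
    return guess_response != baseline_response


def triage(base_dir, entries, extensions, responder, fail_case=DEFAULT_FAIL_CASE):
    """Classify candidates against a fail-case baseline taken per file type.

    `responder(path)` stands in for the HTTP request and returns (status, body).
    """
    baselines = {"": responder(fail_case_path(base_dir, "", fail_case))}
    for ext in extensions:
        baselines[ext] = responder(fail_case_path(base_dir, ext, fail_case))
    found = []
    for path in candidate_paths(base_dir, entries, extensions):
        ext = "" if path.endswith("/") else path.rpartition(".")[2].lower()
        if looks_present(responder(path), baselines.get(ext, baselines[""])):
            found.append(path)
    return found


# Constructed sample site: unknown paths get a "soft 404" (HTTP 200 with a
# fixed body), so the status code alone cannot distinguish hits from misses.
CONSTRUCTED_SITE = {
    "/admin/": (200, "<h1>Admin</h1>"),
    "/login.php": (200, "<form method=post>"),
    "/robots.txt": (200, "User-agent: *"),
}


def fake_responder(path):
    """Constructed stand-in for the target; never touches the network."""
    return CONSTRUCTED_SITE.get(path, (200, "<p>Page not found</p>"))


def run_demo():
    """Wordlist entries and extensions are constructed inputs for the demo."""
    entries = ["admin", "login", "robots.txt", "images", "# a comment"]
    extensions = parse_extensions("php, txt", default=(DEFAULT_FILE_EXTENSIONS,))
    return triage("/", entries, extensions, fake_responder)


if __name__ == "__main__":
    for hit in run_demo():
        print("present:", hit)
```

Note that `robots.txt` is requested once as a file, because `txt` is among the configured extensions, while `admin` is expanded to `/admin/`, `/admin.php` and `/admin.txt`; a wordlist mixing bare names and full filenames therefore needs no manual clean-up, which is the point of the "conflict is handled internally" remark above.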