HelpStartConceptsScanpolicy
A scan policy defines exactly which rules are run as part of an active scan. It also defines how these rules run influencing how many requests are made and how likely potential issues are to be flagged. You can define as many scan policies as you like and select the most appropriate one when you start the scan via the Active Scan Dialog. You can define the default scan policy to be used for active scans and for the Attack mode via the Options Active Scan screen.
Active scanning is an attack on those targets. You should NOT use it on web applications that you do not own.
It should be noted that active scanning can only find certain types of vulnerabilities. Logical vulnerabilities, such as broken access control, will not be found by any active or automated vulnerability scanning. Manual penetration testing should always be performed in addition to active scanning to find all types of vulnerabilities.
Active scanning is configured using the Options Active Scan screen. You can also define as many scan policies as you like - these define exactly which rules are run and how they work.
| Active Scan tab | ||
| Sites tab | 'Attack/Active Scan site' right click menu item | |
| Sites tab | 'Attack/Active Scan node' right click menu item | |
| History tab | 'Scan this History' right click menu item |
| UI Overview | for an overview of the user interface | |
| Features | provided by ZAP | |
| Passive scanning | ||
| Scan Policy Manager Dialog | which allows you to manage the scan policies | |
| Scanner Rules | supported by default |
-
ZAP User Guide
- Introduction
-
Getting Started
- Configuring proxies
-
Features
- Active Scan
- Add-ons
- Alerts
- Anti CSRF Tokens
- API
- Authentication
- Break Points
- Callbacks
- Contexts
- Data Driven Content
- Filters
- Globally Excluded URLs
- HTTP Sessions
- Man-in-the-middle Proxy
- Modes
- Notes
- Passive Scan
- Scan Policies
- Scope
- Session Management
- Spider
- Statistics
- Structural Modifiers
- Structural Parameters
- Tags
- Users
- Scanner Rules
- A Simple Penetration Test
-
The User Interface
- Overview
- The Top Level Menu
- The Top Level Toolbar
- The Tabs
-
The Dialogs
- Active Scan
- Add Alert
- Add Break Point
- Add Note
- Encode/Decode/Hash
- Filter
- Find
- History Filter
- Manual Request Editor
- Manage Add-ons
- Manage Tags
-
Options
- Active Scan
- Active Scan Input Vectors
- Alerts
- Anti CSRF Tokens
- API
- Breakpoints
- Callback Address
- Certificate
- Check for Updates
- Connection
- Database
- Display
- Dynamic SSL Certificates
- Extensions
- Global Exclude URL
- HTTP Sessions
- JVM
- Keyboard
- Language
- Local Proxies
- Passive Scan Rules
- Passive Scan Tags
- Passive Scanner
- Rule Configuration
- Scripts
- Search
- Spider
- Statistics
- Persist Session
- Resend
- Scan Policy Manager
- Scan Progress
- Session
- Spider
- The Footer
- Command Line
- Add Ons
- Releases
- Paros Proxy
- Credits
