An add-on that provides core passive scanning capabilities.
This add-on supports the Automation Framework.
ZAP by default passively scans all messages (e.g. HTTP, WebSocket) that pass through it to and from the web application being tested, i.e. both requests and responses.
Passive scanning never modifies a request or response, so it is safe to run against any target. The flip side is that it can only report what is visible in the traffic (missing security headers, cookies without secure flags, information leaked in responses, and so on); anything that requires sending crafted input is the job of the active scanner.
Scanning is performed in the background to ensure that it does not slow down the exploration of an application.
The (main) behaviour of the passive scanner can be configured using the Options Passive Scanner Screen.
Passive scanning can also be used for automatically adding tags and raising alerts for potential issues.
A set of rules for automatic tagging is provided by default. These can be changed, deleted or added to via the Options Passive Scan Tags screen.
The alerts raised by passive scan rules can be configured using the Options Passive Scan Rules screen.
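The Automation Framework support mentioned above, together with the scan-scope, tagging and per-rule threshold options described in this section, is easiest to see in a plan file. The plan below is an added illustration, not taken from the add-on's own documentation: the context name, target URL, report directory and the rule chosen for the threshold override are assumptions for the example, and the rule id should be checked against the passive scan rules installed in your ZAP before use.

```yaml
# Automation Framework plan: run with  zap.sh -cmd -autorun plan.yaml
env:
  contexts:
    - name: "Target"                 # assumed context name
      urls:
        - "https://example.test"     # assumed target; only in-scope traffic is scanned below
  parameters:
    failOnError: true
    progressToStdout: true

jobs:
  # Configure the passive scanner before any traffic is generated.
  - type: passiveScan-config
    parameters:
      maxAlertsPerRule: 10           # cap noise from a single rule
      scanOnlyInScope: true          # ignore third-party hosts the app calls out to
      maxBodySizeInBytesToScan: 0    # 0 = no limit on body size
      enableTags: false              # automatic tagging off for a headless run
    rules:
      # Per-rule threshold override; Off/Low/Medium/High are the valid values.
      # 10038 is the "Content Security Policy (CSP) Header Not Set" rule id;
      # verify it against your installed rules.
      - id: 10038
        threshold: High

  # Generate traffic for the passive scanner to look at.
  - type: spider
    parameters:
      context: "Target"
      maxDuration: 2                 # minutes

  # Passive scanning runs in the background, so wait for the queue to drain
  # before reporting; otherwise late alerts are missed.
  - type: passiveScan-wait
    parameters:
      maxDuration: 5                 # minutes

  - type: report
    parameters:
      template: "traditional-html"
      reportDir: "/tmp/zap-reports"  # assumed output location
      reportFile: "passive-scan"
```

The `passiveScan-wait` job is the part most often forgotten: because the scanner deliberately runs in the background so as not to slow down exploration, a report job that follows the spider directly can run before the last responses have been examined.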
Videos:
ZAP In Ten: Passive Scanning (10:27)
ZAP In Ten: Passive Scan Scripts (11:53)
Deep Dive: Passive Scanning (27:35)

See also:
Passive Scanner API, for more details about the Passive Scanner API
Options, for the provided options screens