ZAP by default passively scans all HTTP messages (requests and responses) sent to the web application being tested.
Passive scanning does not change the requests nor the responses in any way and is therefore safe to use.
Scanning is performed in a background thread to ensure that it does not slow down the exploration
of an application.
The (main) behaviour of the passive scanner can be configured using the Options Passive Scanner Screen.
Passive scanning can also be used for automatically adding tags
and raising alerts for potential issues.
A set of rules for automatic tagging are provided by default. These can be changed, deleted or
added to via the Options Passive Scan Tags screen.
The alerts raised by passive scan rules can be configured using the Options Passive Scan Rules screen.
UI Overview | for an overview of the user interface | |
Features | provided by ZAP | |
Active scanning | ||
Scanner Rules | supported by default |
ZAP In Ten: Passive Scanning (10:27) | |
ZAP In Ten: Passive Scan Scripts (11:53) | |
Deep Dive: Passive Scanning (27:35) |