Frequently Asked Questions

How can I add my own payloads to active scan rules?

ZAP doesn’t just throw a load of payloads at a target to see what happens :)

The payloads are targeted based on the responses to other payloads, so that the scan hopefully zeroes in on specific vulnerabilities.

However, there are various options:

  1. Try out the custom payloads add-on, which is supported by some of the existing rules
  2. Change the existing rules to improve them - this blog post is a good place to start: Hacking ZAP: Active Scan Rules - if you do improve them then please submit pull requests :)
  3. Write new rules to do whatever you want - this gives you full control, but could be a bit daunting to start with
  4. Tweak the User defined attacks.js script - this is probably the easiest way to get started
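To show what option 4 looks like in practice, here is an added example (not the ZAP project's own script) of a minimal active-scan script in the style of User defined attacks.js: it sends one harmless canary value per parameter and raises a low-risk alert when the server reflects it verbatim, flagging missing output encoding rather than exploiting anything. The `scan` function uses ZAP's active-script API (`as.setParam`, `as.sendAndReceive`, `as.raiseAlert`); the `fakeZap` helper, the canary string and the URL are constructed stand-ins so the logic can be run outside ZAP.

```javascript
// Added example (not from the ZAP project): a minimal active-scan script in
// the style of ZAP's "User defined attacks.js". It sends one harmless canary
// value per parameter and raises a low-risk alert if the server reflects it
// verbatim, i.e. it flags missing output encoding rather than exploiting it.
var CANARY = "zapcanary7x9q"; // constructed marker, unlikely to occur naturally

// ZAP calls scan(as, msg, param, value) once per parameter of each request.
function scan(as, msg, param, value) {
  if (as.isStop()) {            // honour the user stopping the scan
    return;
  }
  var req = msg.cloneRequest();          // never mutate the original message
  as.setParam(req, param, CANARY);
  as.sendAndReceive(req, false, false);  // no redirects, no anti-CSRF handling
  var body = req.getResponseBody().toString();
  if (body.indexOf(CANARY) >= 0) {
    as.raiseAlert(
      1, 2,                                // risk: low, confidence: medium
      "Parameter value reflected unencoded",
      "The supplied value is echoed verbatim; verify output encoding for this context.",
      req.getRequestHeader().getURI().toString(),
      param, CANARY, "",                   // param, attack, otherInfo
      "Encode untrusted data for the output context it is written into.",
      CANARY, 79, 8, req);                 // evidence, CWE-79, WASC-8, message
  }
}

// Constructed stand-in for the ZAP objects so the logic can be exercised
// outside ZAP; `reflects` decides whether the fake server echoes the param.
function fakeZap(reflects) {
  var alerts = [];
  var msg = {
    params: {}, body: "",
    cloneRequest: function () { return this; },
    getResponseBody: function () { var m = this; return { toString: function () { return m.body; } }; },
    getRequestHeader: function () {
      return { getURI: function () { return { toString: function () { return "http://app.example/search"; } }; } };
    }
  };
  var as = {
    isStop: function () { return false; },
    setParam: function (m, p, v) { m.params[p] = v; },
    sendAndReceive: function (m) {
      m.body = reflects ? "<p>Results for " + m.params.q + "</p>" : "<p>Results for [encoded]</p>";
    },
    raiseAlert: function () { alerts.push(Array.prototype.slice.call(arguments)); }
  };
  return { as: as, msg: msg, alerts: alerts };
}
```

Inside ZAP, only `scan` is needed; load the script as an Active Rule and the scanner calls it for every parameter it finds.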