This screen allows you to configure the active scan input vectors.
These are the elements that the active scanner will attack.
Scanning all of the elements supported will take longer, but not scanning some elements may cause some vulnerabilities to be missed.
The request elements that the active scanner will target:
Key value pairs in the request URL query, ie after the
If Data Driven Nodes are defined within a Context they will be tested.
When selected, ZAP will add a query parameter to GET requests which did not originally have one. This may increase scan time; however, it may also reveal issues that would otherwise go unnoticed.
Key value pairs in the request POST data.
Path elements in the request URL, ie the elements separated by
Request HTTP Headers.
Allows the HTTP Headers of all requests to be scanned, not just those of requests that send parameters through the query or request body.
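As an added illustration (not ZAP's own code), the Python sketch below breaks a request into the element types listed above and counts how many injection points each option adds, which is where the scan-time trade-off comes from. The function and option names, the placeholder parameter name and the sample requests are assumptions constructed for this example.

```python
from urllib.parse import urlsplit, parse_qsl

def input_vectors(method, url, headers=None, body="", *, query=True,
                  add_query_param=False, post=True, path=False,
                  http_headers=False, all_requests=False, ignore=()):
    """Return (kind, name, value) tuples a scanner would target in one request."""
    headers = headers or {}
    parts = urlsplit(url)
    q = parse_qsl(parts.query, keep_blank_values=True)
    ctype = {k.lower(): v for k, v in headers.items()}.get("content-type", "")
    form = []
    if body and ctype.startswith("application/x-www-form-urlencoded"):
        form = parse_qsl(body, keep_blank_values=True)
    vectors = []
    if query:
        vectors += [("query", k, v) for k, v in q]
        # Option: give a GET request with no query string one parameter to test.
        if add_query_param and method.upper() == "GET" and not q:
            vectors.append(("query", "added_param", ""))  # hypothetical name
    if post:
        vectors += [("post", k, v) for k, v in form]
    if path:
        segments = [s for s in parts.path.split("/") if s]
        vectors += [("path", str(i), s) for i, s in enumerate(segments)]
    # Headers are targeted only on requests that carry parameters,
    # unless the "all requests" option is on.
    if http_headers and (all_requests or q or form):
        vectors += [("header", k, v) for k, v in headers.items()]
    # Ignored parameters are dropped by name, whatever element they came from.
    return [v for v in vectors if v[1] not in ignore]

# Constructed sample traffic (not captured from a real site).
SAMPLE = [
    ("GET", "https://shop.example/items/42", {"User-Agent": "demo"}, ""),
    ("GET", "https://shop.example/search?q=shoes&page=2", {"User-Agent": "demo"}, ""),
    ("POST", "https://shop.example/login",
     {"Content-Type": "application/x-www-form-urlencoded"}, "user=alice&csrf=abc123"),
]

def count_vectors(requests, **options):
    """Total injection points across a set of requests for given options."""
    return sum(len(input_vectors(*r, **options)) for r in requests)

if __name__ == "__main__":
    print("defaults:", count_vectors(SAMPLE))
    print("everything on:", count_vectors(SAMPLE, add_query_param=True, path=True,
                                          http_headers=True, all_requests=True))
```

Every extra vector is multiplied by the number of enabled scan rules, so the jump between the two totals is a rough guide to how much longer a fuller scan will take.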
The data formats that the active scanner will target:
Multipart Form Data
Google Web Toolkit
If this option is selected then the active scanner will use any enabled script input vectors.
Script input vectors are scripts which you have written or imported into ZAP and which allow you to target elements that are not supported by default.
This screen also allows you to configure the parameters which will be ignored by the active scanner.
Parameter section in Add Alert dialogue for more details about the