ZAP doesn’t just throw a load of payloads at a target to see what happens :)
The payloads are targeted based on the responses to other payloads so that it hopefully zeros in on specific vulnerabilities.
However there a various options:
- Try out the custom payloads add-on which is supported by some of the existing rules
- Change the existing rules to improve them - this blog post is a good place to start: Hacking ZAP: Active Scan Rules - if you do improve them then please submit pull requests :)
- Write new rules to do whatever you want - this gives you full control, but could be a bit daunting to start with
- Tweak the User defined attacks.js script - this is probably the easiest way to get started