Frequently Asked Questions

Why does ZAP Access Out of Scope Domains?

You have automated ZAP to attack your site but then you see that there are other domains in the Sites Tree or in the report.

Does this mean ZAP has attacked those other domains?

No. ZAP will only attack the sites you specify.

However, the AJAX Spider and the DOM XSS Scan Rule both launch browsers. We allow the browsers to access certain off domain resources such as JavaScript files - blocking these often breaks the target sites and mean the AJAX Spider or DOM XSS Scan Rule would not work.

This is perfectly safe and no different from just opening the relevant URLs in your own browser.

Browsers also make lots of “calls home”, most of which can be ignored by using the Network Global Exclusions.

It is also worth noting that you can choose which sites are included in a report.