Understanding Active Scan Components

Active scanning represents ZAP's vulnerability testing phase, where discovered content undergoes systematic security testing. Unlike passive scanning that merely observes traffic, active scanning sends attack payloads attempting to trigger vulnerabilities. This aggressive testing approach identifies issues like SQL injection, cross-site scripting, and directory traversal that passive observation cannot detect. Understanding active scan mechanics helps configure effective tests while avoiding application damage.

The active scanner uses a plugin architecture where each plugin tests for specific vulnerability types. ZAP includes over 90 active scan rules covering common vulnerabilities from the OWASP Top 10 and beyond. Each rule contains logic for generating test payloads, inserting them into requests, and analyzing responses for vulnerability indicators. Rules operate independently, allowing parallel execution and granular configuration.

Attack insertion points determine where ZAP injects test payloads. By default, ZAP tests all URL parameters, form fields, headers, and cookies. Each insertion point receives multiple payloads testing different vulnerability variants. For example, SQL injection testing might include single quotes, SQL keywords, time-based payloads, and boolean logic tests. This comprehensive approach ensures thorough testing but generates significant traffic.
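The two paragraphs above describe the same loop from two angles: a rule supplies payloads and a response check, and the scanner places every payload at every insertion point. The following is an added illustration written for this page, not code from ZAP or the OWASP project. It models a request, enumerates the four default insertion-point classes (query parameters, form fields, headers, cookies), runs two toy rules against a constructed stand-in target that lives in the same file, and counts how many requests the scan produces. The rule names, the canary string, the `simulated_target` function and its behaviour are all assumptions made for the example; nothing here talks to a network.

```python
"""Model of active-scan mechanics: insertion points x payloads -> response analysis.

Added example (not ZAP's own code). The target application is a constructed
in-process function, so the script runs offline.
"""
import re
from dataclasses import dataclass, field
from typing import Callable
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


@dataclass
class Request:
    method: str
    url: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


@dataclass(frozen=True)
class InsertionPoint:
    kind: str   # "query", "form", "header" or "cookie"
    name: str


@dataclass
class ScanRule:
    name: str
    payloads: tuple
    # Response check: given the payload that was sent and the response body,
    # decide whether the indicator this rule looks for is present.
    indicator: Callable[[str, str], bool]


def insertion_points(req: Request) -> list:
    """Enumerate the default insertion points: URL params, form fields, headers, cookies."""
    pts = [InsertionPoint("query", k)
           for k, _ in parse_qsl(urlsplit(req.url).query, keep_blank_values=True)]
    pts += [InsertionPoint("form", k) for k in req.form]
    pts += [InsertionPoint("header", k) for k in req.headers]
    pts += [InsertionPoint("cookie", k) for k in req.cookies]
    return pts


def inject(req: Request, point: InsertionPoint, payload: str) -> Request:
    """Return a copy of req with the payload placed at the given insertion point."""
    new = Request(req.method, req.url, dict(req.headers), dict(req.cookies), dict(req.form))
    if point.kind == "query":
        parts = urlsplit(req.url)
        params = [(k, payload if k == point.name else v)
                  for k, v in parse_qsl(parts.query, keep_blank_values=True)]
        new.url = urlunsplit(parts._replace(query=urlencode(params)))
    elif point.kind == "form":
        new.form[point.name] = payload
    elif point.kind == "header":
        new.headers[point.name] = payload
    elif point.kind == "cookie":
        new.cookies[point.name] = payload
    return new


def estimate_requests(req: Request, rules: tuple) -> int:
    """Traffic volume of a scan: every payload of every rule at every insertion point."""
    return len(insertion_points(req)) * sum(len(r.payloads) for r in rules)


def run_scan(req: Request, rules: tuple, send: Callable[[Request], str]):
    """Drive the rules over all insertion points; return (requests sent, findings)."""
    findings = set()
    sent = 0
    for point in insertion_points(req):
        for rule in rules:
            for payload in rule.payloads:
                body = send(inject(req, point, payload))
                sent += 1
                if rule.indicator(payload, body):
                    findings.add((rule.name, point.kind, point.name))
    return sent, findings


# --- constructed rules and target (assumptions for this example) ---------------
CANARY = "zapcanary7731"                      # unique marker for a reflection check
DB_ERROR = re.compile(r"SQL syntax|SQL statement|unterminated quoted string", re.I)

RULES = (
    # Reflection: is the exact marker we sent echoed back unchanged?
    ScanRule("reflection", (CANARY,), lambda p, body: p in body),
    # Error-based: does a quote character provoke a database error message?
    ScanRule("db-error", ("'", '"'), lambda p, body: bool(DB_ERROR.search(body))),
)

SAMPLE = Request("POST", "https://app.example/search?q=shoes&page=1",
                 headers={"User-Agent": "scanner-demo"},
                 cookies={"session": "abc123"},
                 form={"sort": "price"})


def simulated_target(req: Request) -> str:
    """Constructed stand-in for the application under test (no network)."""
    query = dict(parse_qsl(urlsplit(req.url).query, keep_blank_values=True))
    body = "<html><body>"
    if "q" in query:
        body += f"<h1>Results for {query['q']}</h1>"          # echoes input unescaped
    session = req.cookies.get("session", "")
    if "'" in session or '"' in session:
        body += "Warning: unterminated quoted string in SQL statement"
    return body + "</body></html>"


if __name__ == "__main__":
    print("insertion points:", [(p.kind, p.name) for p in insertion_points(SAMPLE)])
    print("requests this scan will send:", estimate_requests(SAMPLE, RULES))
    sent, found = run_scan(SAMPLE, RULES, simulated_target)
    print("sent:", sent, "findings:", sorted(found))
```

The traffic figure is the point worth internalising: five insertion points and three payloads already mean fifteen requests for two trivial rules, and a real policy with dozens of rules and many payload variants multiplies from there. That product is what a scan policy's rule selection and insertion-point settings control, and it is the number to check before pointing a full active scan at a shared environment.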