Understanding Scan Alerts

As vulnerabilities are discovered, they appear in the Alerts tab with risk ratings and confidence levels. ZAP categorizes findings by severity: High (red flag), Medium (orange flag), Low (yellow flag), and Informational (blue flag). Each alert includes detailed information about the vulnerability, affected URL, and evidence of the issue. Your first scan likely reveals numerous findings across all severity levels.

Examining a specific alert provides valuable learning opportunities. Click on a High-risk alert, such as SQL Injection, to view details. The alert window shows the vulnerable URL, parameter, attack payload that triggered the issue, and evidence from the application's response. ZAP includes comprehensive descriptions explaining the vulnerability type, potential impact, and remediation guidance. This information transforms abstract security concepts into concrete findings you can understand and address.

Understanding false positives is crucial for effective security testing. Not every alert represents an actual vulnerability: some are false positives that require human verification. ZAP's confidence levels (High, Medium, Low) indicate how likely the finding is to be accurate, so Low-confidence findings in particular should be verified manually before being reported. The ability to distinguish real vulnerabilities from false positives develops with experience and with an understanding of how the application behaves.
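As an added example (not code from the original article or from the ZAP project), the triage script below reads a report in the shape of ZAP's JSON export, maps the numeric risk and confidence codes to the labels shown in the Alerts tab, records the URL, parameter and evidence of each finding, and queues Low-confidence alerts for manual verification. The sample report is constructed, and its field names are assumed to follow ZAP's traditional JSON report format.

```python
import json

# Labels ZAP shows in the Alerts tab for its numeric risk and confidence codes.
RISK = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}
CONFIDENCE = {0: "False Positive", 1: "Low", 2: "Medium", 3: "High", 4: "User Confirmed"}

# Constructed sample in the shape of ZAP's JSON report (field names assumed;
# host and findings are invented for illustration, not a real scan result).
SAMPLE_REPORT = json.dumps({"site": [{
    "@name": "http://app.example.test",
    "alerts": [
        {"alert": "SQL Injection", "riskcode": "3", "confidence": "2",
         "instances": [{"uri": "http://app.example.test/login", "method": "POST",
                        "param": "username", "attack": "'",
                        "evidence": "You have an error in your SQL syntax"}]},
        {"alert": "X-Content-Type-Options Header Missing", "riskcode": "1",
         "confidence": "2",
         "instances": [{"uri": "http://app.example.test/", "method": "GET",
                        "param": "x-content-type-options", "attack": "", "evidence": ""}]},
        {"alert": "Application Error Disclosure", "riskcode": "2", "confidence": "1",
         "instances": [{"uri": "http://app.example.test/search", "method": "GET",
                        "param": "q", "attack": "", "evidence": "Exception"}]},
    ]}]})


def triage(report_json):
    """Summarise each alert and order the list by risk (High first), then confidence.

    An alert is queued for manual verification when its confidence is Low or it
    has already been marked False Positive; higher-confidence findings are
    treated as ready to report after the analyst reviews the evidence.
    """
    rows = []
    for site in json.loads(report_json)["site"]:
        for alert in site["alerts"]:
            risk, conf = int(alert["riskcode"]), int(alert["confidence"])
            inst = alert["instances"][0] if alert.get("instances") else {}
            rows.append({
                "alert": alert["alert"],
                "risk": RISK[risk], "confidence": CONFIDENCE[conf],
                "url": inst.get("uri", ""), "param": inst.get("param", ""),
                "evidence": inst.get("evidence", ""),
                "needs_manual_check": conf <= 1,
                "_sort": (-risk, -conf),
            })
    rows.sort(key=lambda r: r.pop("_sort"))
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_REPORT):
        print(row)
```

Running the block prints the three constructed findings with the SQL Injection alert first and the Low-confidence Application Error Disclosure marked for manual review.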