security talk & philosophizing



OWASP ZAP: Be Mindful of DOM Level XSS


In testing some internal projects I came across a problem with ZAP where it ran off the rails, so to speak. While I had given ZAP a specific target, when it reached the Active Scan portion it started hitting other servers in the system that were not in scope.

The test was kicked off using ZAP 2.12’s “Automated Scan” feature. With the host provided in the field, it kept scope throughout the spidering process. It even kept scope (blocking any attacks against other hosts) during the active scan portion. However, once it got to the DOM level XSS tests, I found myself seeing attacks leveled against various machines out of scope.

The problem appeared to be related to web sockets. When it hit the DOM portion of the test, a web socket tab was kicked off. With that, the tests seemed to follow points of interest and the scope was lost. I found attacks being sent to my local FreeSWITCH, among other things. Even production level machines were being targeted, which were clearly outside the host’s scope.

I’ve not had this problem with Burp Suite Pro. Just something to keep in mind in your testing: I wouldn’t walk away from a ZAP test. Even though it may take several hours to complete, I’m not 100% confident in its ability to remain within scope, especially if web sockets are getting tested.