I really want to use ZAP. It’s free, it’s good, but I have some significant issues with it that give me grave concerns about using it.
Attacking Out of Scope Targets
I have a site I test for work. It’s in a test environment. The web application has links to Google APIs, Mozilla libraries, etc. When I run the spider, having set the context, it correctly identifies what is in scope and what is out of scope (red dot on all out of scope domains). All seems good. Then I run an Active Scan and hell breaks loose.
During the active scan, everything works as expected until I get to the “Cross Site Scripting (DOM Based)” attacks. At this point those out of scope URLs are now being attacked. The output scrolls by very rapidly, and it’s hard to scroll up to identify details of what’s happening on those URLs. Unable to kill the scan (see next problem), I have to kill the app, losing all details of what it was doing.
Above, notice the domains not in scope (*.mozilla.net, *.jsdelivr.net, *bootstrapcdn.com). I’ve seen it iterate a URL on Mozilla that was a link to a blog article. No matter what I try, OWASP ZAP goes out of context when it hits the DOM-based XSS.
Web Socket Insanity
Another concern of mine is when the scanner attacks a web socket. It becomes confused and starts attacking our production layer.
As we can’t have active scans on production, it leaves me with a serious problem, where web socket attacks are now striking an out of scope production domain. This is likely due to the web socket communicating with production entities. However, the ZAP scanner should identify these domains as out of scope and not process the attacks. It doesn’t.
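Both of the problems above come down to the same question: which active-scan rules sent traffic to hosts outside the context? The following is an added example, not ZAP’s own code and not from the original post. It applies ZAP-style context include/exclude regexes (matched against the full URL, the way ZAP contexts do) to a constructed scan log and reports every active-scan request, including web socket connections, that left scope. The hostnames, the log line format and the rule names used in the sample log are assumptions made up for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed ZAP-style context. Patterns are regexes over the full URL,
# as in a ZAP context's "Include in Context" / "Exclude from Context" lists.
# The hostnames are hypothetical.
INCLUDE = [r"https?://app\.test\.example\.com/.*", r"wss?://app\.test\.example\.com/.*"]
EXCLUDE = [r"https?://app\.test\.example\.com/logout.*"]

# Constructed sample log: "<method> <url> <scanner rule name>". The rule name
# may contain spaces, so the parser splits on the first two whitespace runs only.
# "Spider" lines model the crawler noting an out-of-scope link without attacking it.
LOG = """\
GET https://app.test.example.com/ Spider
GET https://app.test.example.com/static/main.js Spider
GET https://cdn.jsdelivr.net/npm/bootstrap@4/dist/js/bootstrap.min.js Spider
GET https://app.test.example.com/search?q=zap-probe Cross Site Scripting (DOM Based)
GET https://www.mozilla.org/en-US/blog/ Cross Site Scripting (DOM Based)
GET https://cdn.jsdelivr.net/npm/bootstrap@4/dist/js/bootstrap.min.js Cross Site Scripting (DOM Based)
WS wss://ws.prod.example.com/socket Web Sockets
"""

# Rules that only observe rather than attack; anything else counts as active.
PASSIVE_RULES = {"Spider"}


def in_scope(url, include=INCLUDE, exclude=EXCLUDE):
    """Exclude patterns win over include patterns, mirroring ZAP's context semantics."""
    if any(re.fullmatch(p, url) for p in exclude):
        return False
    return any(re.fullmatch(p, url) for p in include)


def parse_log(text):
    """Yield (method, url, rule) tuples from the constructed log format."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        method, url, rule = line.split(maxsplit=2)
        yield method, url, rule


def audit(text, include=INCLUDE, exclude=EXCLUDE):
    """Return (rule, host, url) for every active-scan request that left scope."""
    hits = []
    for _method, url, rule in parse_log(text):
        if rule in PASSIVE_RULES:
            continue
        if not in_scope(url, include, exclude):
            hits.append((rule, urlsplit(url).hostname, url))
    return hits


def summarize(text, include=INCLUDE, exclude=EXCLUDE):
    """Map each offending rule to the sorted list of out-of-scope hosts it touched."""
    by_rule = defaultdict(set)
    for rule, host, _url in audit(text, include, exclude):
        by_rule[rule].add(host)
    return {rule: sorted(hosts) for rule, hosts in by_rule.items()}


if __name__ == "__main__":
    for rule, hosts in summarize(LOG).items():
        print(f"{rule}: left scope to {', '.join(hosts)}")
```

Running the audit over a real export of the scan traffic (rather than the constructed log) gives a short, reviewable list of which rules escaped the context, which is the evidence worth attaching to a bug report instead of trying to read it off the scrolling output.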
Can’t Stop The Scan
Watching a scan go off the rails is somewhat concerning. Attempting to quietly stop it is impossible. ZAP will continue to run attacks, even after it is “stopped.” Stopping ZAP doesn’t evidently kill the queues. So if your session is off the rails, scanning out of scope targets, well, it keeps going. ZAP will have reported it is “stopped,” only for more results to pour in. 30 seconds later, more results.
Other Scanners
I do not have this issue with Burp Suite scanners, or Greenbone (GVM).
The problems described here are specific to ZAP.