Neelkanth Kaushik

Reputation: 245

How to prevent OWASP ZAP scanner hitting external URLs in Standard Mode?

I am new to OWASP ZAP. I ran an automated scan in Standard Mode on my own website hosted on localhost (http://127.0.0.1:8000) with both the traditional and AJAX spiders.

There are some external public URLs in the localhost website which are not under http://127.0.0.1:8000, like CDNs, etc. Yet ZAP's Information Window shows them:

  1. The Spider tab shows the external URLs Flagged as Out of Scope.
  2. The AJAX Spider tab shows some external URLs returned 403 Forbidden.
  3. The Active Scan tab shows content-signature-2.cdn.mozilla.net at the bottom.

Did ZAP actually "scan" those external URLs? If yes, how can I prevent this from happening? Can this cause some kind of legal issue?

Thanks.

Upvotes: 0

Views: 1509

Answers (1)

Simon Bennetts

Reputation: 6186

The AJAX Spider is not hitting those URLs - the requests are made from the browsers which ZAP launches and ZAP is returning the 403s. ZAP will permit requests for JavaScript files (and I think CSS ones too from memory) as blocking these breaks many apps. However these are just standard requests that any browser would make - ZAP does NOT attack URLs that are out of scope.

Upvotes: 1
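A pre-scan check a practitioner can run over the spider's URL list, written here as an added example (not code from the question, the answer, or the ZAP project): it applies a ZAP-style context include regex to each URL and reports which external hosts would only be reached by the launched browser and, per the answer above, which of those requests ZAP lets through (JavaScript, and CSS as the answer recalls) versus answers with a 403. The sample URLs and the `.js`/`.css` passthrough rule are assumptions taken from the question and answer, not from ZAP's source.

```python
import re
from urllib.parse import urlparse

# Constructed sample of URLs a spider run might list; only the mozilla host
# comes from the question, the rest are placeholders.
SPIDER_URLS = [
    "http://127.0.0.1:8000/",
    "http://127.0.0.1:8000/static/app.js",
    "https://cdn.example.net/lib/jquery.min.js",
    "https://cdn.example.net/css/theme.css",
    "https://content-signature-2.cdn.mozilla.net/chains/example.chain",
    "https://api.example.org/v1/status",
]

# A ZAP context "Include in Context" entry is a regex matched against the full URL.
INCLUDE_REGEX = r"http://127\.0\.0\.1:8000.*"

# Extensions the answer says ZAP still lets the launched browser fetch
# when out of scope (assumption based on the answer, not ZAP's code).
STATIC_PASSTHROUGH = (".js", ".css")


def classify(url, include_regex=INCLUDE_REGEX):
    """Verdict for one URL under the given scope regex."""
    if re.fullmatch(include_regex, url):
        return "in-scope"
    path = urlparse(url).path.lower()
    if path.endswith(STATIC_PASSTHROUGH):
        return "out-of-scope: browser fetch allowed (js/css)"
    # The traditional spider only flags these; the AJAX spider's browser
    # requests them and ZAP answers 403 instead of forwarding them.
    return "out-of-scope: blocked by ZAP (403)"


def external_hosts(urls, include_regex=INCLUDE_REGEX):
    """Distinct out-of-scope hosts with their verdicts, for review before scanning."""
    report = {}
    for u in urls:
        verdict = classify(u, include_regex)
        if verdict != "in-scope":
            report.setdefault(urlparse(u).hostname, set()).add(verdict)
    return {host: sorted(v) for host, v in sorted(report.items())}


if __name__ == "__main__":
    for host, verdicts in external_hosts(SPIDER_URLS).items():
        print(f"{host}: {', '.join(verdicts)}")
```

Tighten the include regex if the site lives under a sub-path; anything not reported here is what the active scanner will actually attack.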
