loading
loading
Scanners
Run a full scan against a target URL using ZAP.
overview
zap-full-scan drives OWASP ZAP end to end against a web application: it crawls the site with the spider, then runs the active scan rules that send crafted requests to probe for real vulnerabilities. A baseline pass only watches traffic passively, so the full scan is what surfaces injection, cross-site scripting, and broken access control that passive observation never triggers.
The flags set depth and shape the report. -t takes the target URL with its protocol, -j adds the Ajax spider for JavaScript-rendered routes, and -m caps how long the spider runs. Point -n at a context file and -U at a username to scan behind a login, mark noisy rules as INFO, IGNORE, or FAIL through a -c config file, and trim the report with -l and -s.
On Trickest, zap-full-scan is a Scanners node that reads a target URL and writes a file plus a folder of results. Wire it after discovery and probing so it scans hosts you already confirmed are live, then route its findings into the same triage and reporting path as the rest of your security output.
source github.com/zaproxy/zaproxy
use cases
Point ZAP at a live URL to spider the site and run its active rules, surfacing injection, misconfiguration, and access-control issues a passive baseline would miss.
Enable the Ajax spider with -j so ZAP crawls pages and routes that load through JavaScript, widening coverage on single-page apps before the active scan runs.
Supply a context file with -n and a username with -U so ZAP authenticates and tests pages that are only reachable to a logged-in user.
Use -l and -s with a -c config file to keep only the findings that matter and mark known warnings as INFO or IGNORE so a scheduled scan does not fail on accepted risk.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| target | STRING | -t | Target URL including the protocol, e.g. https://www.example.com. |
| ajax | BOOLEAN | -j | Use the Ajax spider in addition to the traditional one. |
| mins | STRING | -m | Number of minutes to spider for (defaults to no limit). |
| user | STRING | -U | Username for authenticated scans, defined in the context file. |
| context-file | FILE | -n | Context file loaded before scanning the target. |
| alpha | BOOLEAN | -a | Include the alpha active and passive scan rules as well. |
| level | STRING | -l | Minimum level to show: PASS, IGNORE, INFO, WARN, or FAIL. |
| config_file | FILE | -c | Config file to mark warnings as INFO, IGNORE, or FAIL. |
Showing key inputs. zap-full-scan exposes 13 inputs in total.
| Name | Type | Flag | Description |
|---|---|---|---|
| target | STRING | -t | Target URL including the protocol, e.g. https://www.example.com. |
| ajax | BOOLEAN | -j | Use the Ajax spider in addition to the traditional one. |
| mins | STRING | -m | The number of minutes to spider for (defaults to no limit). |
| user | STRING | -U | Username to use for authenticated scans, must be defined in the given context file. |
| context-file | FILE | -n | Context file which will be loaded prior to scanning the target. |
| alpha | BOOLEAN | -a | Include the alpha active and passive scan rules as well. |
| debug | BOOLEAN | -d | Show debug messages in stdout. |
| delay | STRING | -D | Delay in seconds to wait for passive scanning. |
| level | STRING | -l | Minimum level to show: PASS, IGNORE, INFO, WARN, or FAIL; use with -s (short-output) to hide example URLs. |
| max-time | STRING | -T | Max time in minutes to wait for ZAP to start and the passive scan to run. |
| config_file | FILE | -c | Config file to use to mark warnings as INFO, IGNORE, or FAIL. |
| zap-options | STRING | -z | ZAP command line options passed through to the scanner. |
| short-output | BOOLEAN | -s | Short output format, do not show PASSes or example URLs. |
example
# full active scan, Ajax spider on, 10-minute spider cap, short reportzap-full-scan.py -t https://www.example.com -j -m 10 -s -l WARNTotal of 48 URLsWARN-NEW: Absence of Anti-CSRF Tokens [10202] x 4 https://www.example.com/login (200 OK)WARN-NEW: Content Security Policy (CSP) Header Not Set [10038] x 11 https://www.example.com/ (200 OK)FAIL-NEW: Cross Site Scripting (Reflected) [40012] x 1 https://www.example.com/search?q=test (200 OK)FAIL-NEW: SQL Injection [40018] x 1 https://www.example.com/product?id=1 (200 OK)FAIL-NEW: 2 WARN-NEW: 2 INFO: 0 IGNORE: 0 PASS: 46guidance
Use zap-full-scan when you have a live web app URL and want a complete active ZAP scan, not just a passive baseline. For an API defined by a spec, use zap-api-scan. For a multi-step ZAP run, use zap-automation-framework.
ZAP against an API contract rather than a crawlable site. Use it for specs, not pages.
Drives ZAP from one YAML plan. More flexible when a single scan is not enough.
Classic web server scanner. Lighter and faster, with far less depth than a ZAP active scan.
faq
related
Find reflected XSS during recon by checking payload reflection.
Fast and customizable subdomain wordlist generator using patterns.
Scans software bills of materials for security vulnerabilities.
Find broken links, missing images, and other dead references within your HTML.
A command-line scanner that finds exposed services, files, and folders through the web root.
A CMS detection and exploitation suite.
A target URL is probed by httpx, then zap-full-scan spiders and actively scans the live host and writes the findings as a queryable output.
Facts on this page come from the live Trickest tool library.