Compared to AppScan, ZAP is a lot more fun. However, in AppScan it is a lot easier to restrict and direct the scan.
I must execute a scan in an (almost) production environment; let's call this environment staging. In staging and production I have to request a new account, so before I do that I would like to investigate alternatives.
I have to run the scan in staging within an account that contains a number of documents. I don't want ZAP to just try document ids, because that may mean I mess with my colleague's documents. The document id is used in the query string, for example: https://myapp.com/Edit?docid=764.
How can I configure ZAP so that, if the docid parameter is in the query string, it will always use the value 764? ZAP must test every other query string parameter, but docid must always stay the same.
In the latest version of ZAP (currently 2.4.0) open the Active Scan dialog and check the 'Show advanced options' box. In the 'Input Vectors' tab add 'docid' to the list of parameters that will be ignored by the scanner. That should do the trick, but I'd test that on a safe environment first ;) If it doesn't work then raise this as an issue.
Simon (ZAP Project Lead)
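As an added illustration (not code from the thread or from ZAP), the following Python models what "ignore this parameter in the input vectors" means for an active scanner, and includes the check a practitioner would want to run before pointing a scan at shared data: a pinned parameter (docid=764 from the question) is emitted unchanged in every mutated request, while every other query-string parameter receives each payload in turn. The payload list is constructed for the example; a real scanner has hundreds per rule. The `pinned_params_intact` helper is a hypothetical post-check you could run over the generated requests, or over the URLs logged by the scanner, to confirm the exclusion actually held.

```python
"""Added example (not from the original thread or from ZAP itself): a minimal
model of excluding a parameter from a scanner's input vectors.  Every
query-string parameter except the pinned ones receives each payload in turn;
the pinned parameters (here docid=764) are emitted unchanged in every variant,
so the scan never reaches other people's documents."""
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed sample payloads; a real scanner has hundreds per rule.
PAYLOADS = ["'", "<script>alert(1)</script>", "../../etc/passwd"]


def scan_variants(url, pinned, payloads=PAYLOADS):
    """Yield (parameter, payload, mutated_url) for every injectable parameter.

    `pinned` maps parameter names to the value they must always carry.
    Pinned parameters are skipped as injection points and forced to their
    fixed value even if the crawled URL carried a different one (e.g. a link
    to a colleague's document picked up by the spider).
    """
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    base = [(name, pinned.get(name, value)) for name, value in params]
    for i, (name, _) in enumerate(base):
        if name in pinned:
            continue  # excluded from the input vectors, never mutated
        for payload in payloads:
            mutated = list(base)
            mutated[i] = (name, payload)
            yield name, payload, urlunsplit(parts._replace(query=urlencode(mutated)))


def pinned_params_intact(variants, pinned):
    """Post-check: True if every pinned parameter still has its fixed value in
    every generated URL.  Run this over the scanner's request log too."""
    for _, _, url in variants:
        got = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
        for name, value in pinned.items():
            if name in got and got[name] != value:
                return False
    return True


if __name__ == "__main__":
    pinned = {"docid": "764"}
    variants = list(scan_variants("https://myapp.com/Edit?docid=764&view=full", pinned))
    for name, payload, mutated in variants:
        print(f"{name:<6} {payload!r:<30} {mutated}")
    print("pinned parameter untouched:", pinned_params_intact(variants, pinned))
```

The same idea is what the 'Input Vectors' exclusion in the Active Scan dialog gives you; later ZAP releases also expose the exclusion through the API (the `ascan` component's excluded-parameters actions), which is worth checking in your version's API documentation if you want to script the scan rather than configure it in the dialog.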