
Input vectors active scan zap owasp


I'm a young student doing an internship in a company (and a pure beginner in the security field), and my company asked me to do security tests with zap owasp on their web application. I wanted to know what the recommended input vectors are to run an optimal active scan. I've already tried to run several active scans with as many options as possible, but it never finishes: it takes hours on the first step, and when I leave it running at night and come back, it has stopped. I did a lot of research and I don't get the impression that the sites I found dwell on the explanations concerning the input vectors of an active scan. On the forums people seem to talk more about input vectors through APIs. Would it be more optimal in my situation to go through the APIs?

Thank you for your attention, I hope you can advise me!


Solution

  • My experience with OWASP ZAP was that, compared to Burp, the tool was slower and had memory handling problems when the test took too long. You can play with choosing the technologies and server/DB types when starting an active scan, but it will probably not help if the tested application is big. I'd rather cut the pentest into smaller parts like:

    1. Choosing one dialog of the application you want to test
    2. Clicking manually through everything there is on the dialog
    3. Running the active scan and analysing the output
    4. Performing manual tests to confirm the found bugs
    5. Going back to point 1 until there is nothing more to be tested
    6. Consolidating the test results

    You should also look into the generated traffic to verify if OWASP ZAP is running correctly and if the generated payloads make sense. A common mistake is running OWASP ZAP against an unauthenticated application or losing the auth tokens somewhere in the middle of the test. The test does not make any sense after this happens.
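The answer's advice (narrow the input vectors, scan one dialog at a time, cap the run so it does not hang overnight, and check the recorded traffic for lost auth tokens) can be driven through the ZAP API instead of the GUI. The script below is an added example, not code from the original post or from the ZAP project. It uses the official Python client (`pip install zaproxy`, import name `zapv2`). The input-vector bit values are assumptions recalled from ZAP's `ScannerParam` (query string = 1, POST data = 2, cookie = 4, headers = 8, URL path = 16); check them against your ZAP version. The sample messages at the bottom are constructed to mimic the shape of `zap.core.messages()` output so the auth-token check can be exercised offline.

```python
"""Scope a ZAP active scan to a few input vectors and one dialog, cap its
duration, then check the recorded requests for lost authentication headers.
Added example, not the original post's or ZAP's own code."""
import time

# Bits for ascan.set_option_target_params_injectable().
# ASSUMED values (recalled from ZAP's ScannerParam); verify for your ZAP build.
TARGET_QUERYSTRING = 1
TARGET_POSTDATA = 2
TARGET_COOKIE = 4
TARGET_HTTPHEADERS = 8
TARGET_URLPATH = 16


def injectable_mask(*vectors):
    """Combine the chosen input-vector bits into the single integer ZAP expects."""
    mask = 0
    for v in vectors:
        mask |= v
    return mask


def header_names(request_header):
    """Return the lower-cased header names from a raw request header block
    (first line is the request line, so it is skipped)."""
    names = set()
    for line in request_header.splitlines()[1:]:
        if ":" in line:
            names.add(line.split(":", 1)[0].strip().lower())
    return names


def requests_missing_auth(messages, auth_headers=("cookie", "authorization")):
    """Return the ids of recorded requests that carry none of the auth headers.
    `messages` is a list of dicts shaped like zap.core.messages() output,
    i.e. each has an 'id' and a raw 'requestHeader' string. A non-empty result
    means the session was lost part-way through and the scan is not meaningful."""
    lost = []
    for msg in messages:
        names = header_names(msg.get("requestHeader", ""))
        if not any(h in names for h in auth_headers):
            lost.append(msg["id"])
    return lost


def run_scoped_scan(target, apikey, proxy="http://127.0.0.1:8080", max_minutes=60):
    """Scan one dialog URL with a narrow vector set and a hard time cap.
    Returns (alerts, ids_of_unauthenticated_requests). Needs a running ZAP."""
    from zapv2 import ZAPv2  # pip install zaproxy

    zap = ZAPv2(apikey=apikey, proxies={"http": proxy, "https": proxy})
    # Only inject into query string and POST body: far fewer payloads than
    # also fuzzing cookies, headers and path segments.
    zap.ascan.set_option_target_params_injectable(
        injectable_mask(TARGET_QUERYSTRING, TARGET_POSTDATA))
    # Stop the scan instead of letting it run all night.
    zap.ascan.set_option_max_scan_duration_in_mins(max_minutes)
    scan_id = zap.ascan.scan(target, recurse=True)
    while int(zap.ascan.status(scan_id)) < 100:
        time.sleep(10)
    recorded = zap.core.messages(baseurl=target)
    return zap.core.alerts(baseurl=target), requests_missing_auth(recorded)


# Constructed sample of what zap.core.messages() returns: request 3 has lost
# its session cookie, which is the failure mode the answer warns about.
SAMPLE_MESSAGES = [
    {"id": "1", "requestHeader": "GET /account HTTP/1.1\r\nHost: app.example\r\n"
                                 "Cookie: JSESSIONID=abc123\r\n\r\n"},
    {"id": "2", "requestHeader": "POST /account/update HTTP/1.1\r\nHost: app.example\r\n"
                                 "Cookie: JSESSIONID=abc123\r\n"
                                 "Content-Type: application/x-www-form-urlencoded\r\n\r\n"},
    {"id": "3", "requestHeader": "GET /account?id=1' HTTP/1.1\r\nHost: app.example\r\n"
                                 "User-Agent: ZAP\r\n\r\n"},
]

if __name__ == "__main__":
    print("injectable mask:", injectable_mask(TARGET_QUERYSTRING, TARGET_POSTDATA))
    print("requests without auth header:", requests_missing_auth(SAMPLE_MESSAGES))
```

Run the offline part as-is; to scan, call `run_scoped_scan("https://app.example/account", apikey="...")` with ZAP listening on its API port and the browser session already authenticated through the proxy. If `requests_missing_auth` comes back non-empty, fix the session handling (or ZAP's authentication/session-management settings for the context) before trusting any alert from that run.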