ZAP keeps scanning unnecessary URLs

Tags:

owasp

zap

What I'm doing is:

Starting ZAP to listen on some port

zap.bat -daemon -host localhost -port 2355 -config api.disablekey=true

Starting new session

curl -X GET "http://localhost:2355/JSON/core/action/newSession/?zapapiformat=JSON&formMethod=GET&name=&overwrite=" -H "cache-control: no-cache"

Through the REST service, giving it a context which includes only one URL pattern

curl -X GET "http://localhost:2355/JSON/context/action/importContext/?zapapiformat=JSON&formMethod=GET&contextFile=some-test-context.context" -H "cache-control: no-cache"

HERE I launch the selenium test with the browser bound to the proxy on port 2355

Starting spider

curl -X GET "http://localhost:2355/JSON/spider/action/scan/?zapapiformat=JSON&apikey=&formMethod=GET&url=&maxChildren=&recurse=&contextName=some-test-context&subtreeOnly=" -H "cache-control: no-cache"

Starting active scan

curl -X GET "http://localhost:2355/JSON/ascan/action/scan/?zapapiformat=JSON&apikey=&formMethod=GET&url=&recurse=&inScopeOnly=&scanPolicyName=&method=&postData=&contextId=2" -H "cache-control: no-cache"

(2, because there is always id#1 context, Default one)

And in the end I'm getting the report

curl -X GET "http://localhost:2355/OTHER/core/other/htmlreport/?formMethod=GET" -H "cache-control: no-cache" -H "content: application/json"

I'm pretty sure the context path is correct and exists (no read error). I'm pretty sure I specified the correct name of the context and its id.

Anyway, when I get the report, there are scan results NOT only on the URL from the context, but also on production links, 3rd-party sites, etc.

Am I expecting something wrong or forgetting something?

TEH EMPRAH asked Nov 26 '25 17:11


2 Answers

The browser will be requesting those URLs. ZAP will perform passive scanning on all requests that are proxied through it, and any potential vulnerabilities it finds will end up in the report. So it's working as expected :)

You can either just ignore them or use one of the optional add-ons that allow you to filter the report.

Simon Bennetts answered Nov 28 '25 15:11


You could define a Context that includes the sites/apps that you want results for (right click, add to context, in the history tab or sites tree) and enable the passive scan option that limits scanning to only messages that are in-scope.

Contexts can also be exported and imported for clean re-use.

Supporting references:

  • https://github.com/zaproxy/zap-core-help/wiki/HelpUiDialogsOptionsPscanner
  • https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsContexts
kingthorin answered Nov 28 '25 16:11
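As an added example (not code from either answer or from the ZAP project), here is a small Python script that does both things the answers suggest, against the daemon from the question: it builds the API call that turns on the passive scanner's in-scope-only option (the pscan endpoint name is an assumption; verify it in your ZAP version's API UI), and it filters a constructed sample of the core/view/alerts output with a context's include/exclude regexes so that only in-context findings remain.

```python
import json
import re
from urllib.parse import urlencode

ZAP_API = "http://localhost:2355"  # same daemon as in the question


def api_url(component, kind, name, **params):
    """Build a ZAP REST API URL in the same shape as the curl calls above (no network call)."""
    query = urlencode({"zapapiformat": "JSON", **params})
    return f"{ZAP_API}/JSON/{component}/{kind}/{name}/?{query}"


# Option 1 (kingthorin's answer): tell the passive scanner to look only at in-scope messages.
# Endpoint name is an assumption about the pscan API; check it in your ZAP version's API UI.
def pscan_only_in_scope_url():
    return api_url("pscan", "action", "setScanOnlyInScope", onlyInScope="true")


# Option 2 (Simon's answer): keep everything ZAP saw and filter afterwards.
# Constructed sample of what core/view/alerts returns, trimmed to the fields used here.
SAMPLE_ALERTS = json.loads("""{"alerts": [
  {"url": "https://app.example.test/login", "risk": "Medium", "alert": "X-Frame-Options Header Not Set"},
  {"url": "https://cdn.thirdparty.test/lib.js", "risk": "Low", "alert": "Cross-Domain JavaScript Source File Inclusion"},
  {"url": "https://www.example.test/", "risk": "Informational", "alert": "Information Disclosure"},
  {"url": "https://app.example.test/static/app.js", "risk": "Low", "alert": "Timestamp Disclosure"},
  {"url": "https://app.example.test/api/users", "risk": "High", "alert": "SQL Injection"}
]}""")

# Regexes as they would appear in a context file (include / exclude entries); constructed values.
CONTEXT_INCLUDE = [r"https://app\.example\.test.*"]
CONTEXT_EXCLUDE = [r"https://app\.example\.test/static/.*"]


def in_context(url, include=CONTEXT_INCLUDE, exclude=CONTEXT_EXCLUDE):
    """ZAP matches context regexes against the whole URL, so use fullmatch, not search."""
    included = any(re.fullmatch(p, url) for p in include)
    excluded = any(re.fullmatch(p, url) for p in exclude)
    return included and not excluded


def filter_alerts(alerts_json, include=CONTEXT_INCLUDE, exclude=CONTEXT_EXCLUDE):
    """Keep only alerts whose URL falls inside the context; third-party and production hosts drop out."""
    return [a for a in alerts_json["alerts"] if in_context(a["url"], include, exclude)]


if __name__ == "__main__":
    print(pscan_only_in_scope_url())
    for a in filter_alerts(SAMPLE_ALERTS):
        print(a["risk"], a["alert"], a["url"])
```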

