Alerts

ZAP reports potential security issues via alerts. Alerts can be raised by any component within ZAP, but they are most commonly raised by:

Passive Scanning

ZAP passively scans all of the requests proxied through it or generated by components like the traditional and AJAX spiders. Passive scanning only inspects the raw requests and responses; nothing is changed, so it is considered safe to use.

Active Scanning

Active scanning attempts to find other vulnerabilities by using known attacks against the selected targets. Active scanning is a real attack on those targets and can put the targets at risk, so do not use active scanning against targets you do not have permission to test.
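
To make the passive case concrete, here is an added example (not ZAP's own code or rule set) of a check that only reads an already-recorded response and returns alerts without sending any traffic. The function names, alert wording and sample response are assumptions constructed for illustration.

```python
# Constructed sample: a response as a proxy would have recorded it.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: session=abc123; Path=/\r\n"
    "Set-Cookie: theme=dark; Path=/; HttpOnly; Secure\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)


def parse_response(raw):
    """Split a raw HTTP response into (status, [(name, value)], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers, body


def passive_check(raw):
    """Inspect one recorded response and return a list of alerts.

    Hypothetical checks: nothing is sent and nothing is modified,
    the function only reads the stored message.
    """
    _, headers, _ = parse_response(raw)
    alerts = []
    if "x-content-type-options" not in {name for name, _ in headers}:
        alerts.append({"name": "X-Content-Type-Options header missing",
                       "evidence": ""})
    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie = value.split("=", 1)[0]
        # Attributes after the first ';' (e.g. "httponly", "path=/")
        flags = {part.strip().lower() for part in value.split(";")[1:]}
        for flag in ("httponly", "secure"):
            if flag not in flags:
                alerts.append({"name": f"Cookie without {flag} flag",
                               "evidence": cookie})
    return alerts


if __name__ == "__main__":
    for alert in passive_check(SAMPLE_RESPONSE):
        print(alert["name"], alert["evidence"])
```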