DAST Scan Q & A

How does the passive and active scanning report process work?

Deepfactor creates alerts for applications and components only after a passive+active ZAP Scan is completed. Deepfactor alerts are generated for every passive or active ZAP scan.


What happens when an intercepted token is selected?

If you select an intercepted Authorization value or provide a custom value, the Authorization field will be set in every request sent by the ZAP Scan to your web service.

Is there any difference between them? (Login, permissions, etc).

The permissions associated with the Authorization value depends on how your web service utilizes an HTTP Authorization header if applicable.

How does selecting “none” affect Auth token changes?

If none is selected, the HTTP Authorization header will not be set for ZAP scan requests to your web service.

How does an API Scan work?

API Scans utilize an API document to discover http endpoints/paths to scan. It is an alternative to a traditional scan that utilizes a spider to crawl HTTP links for AJAX.

Deepfactor currently requires the document to be hosted on the web service and specified by a /path/swagger-openapi.json [.yml or .yaml ] or /path/WSDL-soap.xml .

Was this article helpful?

Powered by BetterDocs

Deepfactor Icon

Deepfactor is a developer security platform that enables engineering teams to quickly discover and resolve security vulnerabilities, supply chain risks, and compliance violations early in development and testing.

Product Pricing Resources Company Documentation Login Request a Quote Demo

SUBSCRIBE TO OUR NEWSLETTER!

Sign Up

© 2023 Deepfactor, Inc. All Rights Reserved.

Privacy Policy | Terms of Service | Open Source Disclosure