How does the passive and active scanning report process work?
DeepFactor creates alerts for applications and components only after a passive+active ZAP Scan is completed. DeepFactor alerts are generated for every passive or active ZAP scan.
What happens when an intercepted token is selected?
If you select an intercepted Authorization value, or provide a custom value, the Authorization field will be set in every request sent by the ZAP Scan to your web service.
Is there any difference between them? (Login, permissions, etc).
The permissions associated with the Authorization value depends on how your web service utilizes an HTTP Authorization header if applicable.
How does selecting "none" affect Auth token changes?
If none is selected, the HTTP Authorization header will not be set for ZAP scan requests to your web service.
How does an API Scan work?
API Scans utilize an API document to discover http endpoints/paths to scan. It is an alternative to a traditional scan that utilizes a spider to crawl HTTP links for AJAX.
DeepFactor currently requires the document to be hosted on the web service and specified by a /path/swagger-openapi.json [.yml or .yaml ] or /path/WSDL-soap.xml .