ZAP supports: HTTP active and passive scanning. WebSockets passive scanning. For a full list of the HTTP active and passive scan rules see the Alert Details page. By default ZAP comes with the following (HTTP) scan rules: Release Active Scan Rules Release Passive Scan Rules Retire.js DOM XSS Active Scan Rule But you can also download and install:
