One of my favourite tools for penetration testing is ZAProxy or ZAP.
In case you haven’t heard about it you can find more information and download it here.

In this post I will publish an answer Psiinon (the project lead) gave in the ZAP mailing list. I decided to publish this because I was asked the same thing many times, especially from new ZAP users.

Question:
Is there any danger when scanning with ZAP against a live website (e.g. create/delete/update/corrupt data)?

Answer: (Psiinon)

I usually try to explain it this way:

Proxying (and therefore passive scanning) requests via ZAP is completely safe and legal, it just allows you to see whats going on.

Spidering is a bit more dangerous. Is could cause problems depending on how your application works (and we should make the ‘no post’ option visible!).

Active scanning is dangerous and depending on your app may create/modify/delete data.

So the only really safe thing is proxying and passive scanning, the other 2 could cause problems and could be considered illegal if you perform them on apps you dont have permission to test.

I have wondered about adding a ‘safe’ mode to ZAP which will only allow you to do safe things. Thoughts anyone? I know its not something pentesters would use;)

Hope that helps,

Psiinon

I did searched a bit in the ZAP FAQ or wiki but I was not able to find it. Hope it helps!

Best regards,
Vasilis