DAST Scanning

Receiving a 403 Forbidden For All Requests


Some firewalls have a default configuration that blocks DAST scans. The ZAP scanner sends an identification header, X-Scanner: ZAP, on each request, and your WAF may treat that header as a signal to block the request. When every request is refused this way, a false-positive issue may then be created in SOOS.

You can verify this by running the curl command associated with the SOOS issue, first exactly as written and then a second time with the X-Scanner header removed, and comparing the two responses. If only the request carrying the header is answered with 403 Forbidden, the firewall is reacting to the header rather than to the page itself.
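The same differential check, as an added example that is not part of the SOOS documentation and not ZAP's or SOOS's own code. It sends one request with the X-Scanner: ZAP header and one without and reports whether the header alone flips the response to 403. Because the real check runs against your own application, a small local HTTP server is constructed here to stand in for a WAF with a default "block scanners" rule, so the script runs offline; the URL path and the mock server are assumptions, and in practice you would reuse the URL and headers from the curl command in the SOOS issue.

```python
"""
Differential check for WAF blocking of DAST scanner traffic.

Sends the same request twice: once with the scanner identification header
(X-Scanner: ZAP) and once without. If only the first is refused with 403,
the firewall is reacting to the header rather than to the page itself.
A tiny local HTTP server (constructed for this example) stands in for the WAF.
"""
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

SCANNER_HEADER = "X-Scanner"
SCANNER_VALUE = "ZAP"


class MockWafHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a firewall with a default 'block scanners' rule."""

    def do_GET(self):
        if self.headers.get(SCANNER_HEADER) == SCANNER_VALUE:
            self.send_response(403)
            body = b"Forbidden"
        else:
            self.send_response(200)
            body = b"OK"
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        # Keep the mock server quiet.
        pass


def start_mock_waf():
    """Start the mock WAF on an ephemeral localhost port; returns (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), MockWafHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def fetch_status(url, headers=None):
    """Return the HTTP status code for a GET, treating 4xx/5xx as a result rather than an error."""
    req = Request(url, headers=headers or {})
    try:
        with urlopen(req, timeout=5) as resp:
            return resp.status
    except HTTPError as err:
        return err.code


def scanner_header_blocked(url, extra_headers=None):
    """
    Run the request as the scanner sends it, then again without X-Scanner.

    Returns both status codes plus a verdict:
      blocked_by_header=True  -> the header alone turns the response into 403
                                 (a WAF rule; the SOOS issue is a likely false positive)
      blocked_by_header=False -> both requests get the same status, so the 403
                                 is not driven by the scanner header
    """
    base = dict(extra_headers or {})
    with_header = dict(base, **{SCANNER_HEADER: SCANNER_VALUE})
    status_with = fetch_status(url, with_header)
    status_without = fetch_status(url, base)
    return {
        "with_header": status_with,
        "without_header": status_without,
        "blocked_by_header": status_with == 403 and status_without != 403,
    }


if __name__ == "__main__":
    server, base_url = start_mock_waf()
    try:
        # Hypothetical path; substitute the URL from the curl command in the SOOS issue.
        print(scanner_header_blocked(base_url + "/login"))
    finally:
        server.shutdown()
```

Against the mock WAF the result is `{'with_header': 403, 'without_header': 200, 'blocked_by_header': True}`, which is the signature of a header-triggered block. Against a target where both requests return 403, the verdict is False and the problem lies elsewhere (for example an IP-based rule or an authentication requirement), so a firewall exception for the scanner header alone would not help.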



It may be necessary to create a specific exception in your firewall to allow the DAST scan to run.