I don't have much experience of penetration testing, but I am currently looking at OWASP Zap.
The website I am going to pentest runs on an Amazon EC2 instance. Amazon seems to have certain requirements when it comes to security testing: https://aws.amazon.com/security/penetration-testing/
The above website says that you can run security tests on a Amazon EC2 instance but not certain ones such as DNS zone walking, DoS, etc. which is fair enough.
The problem is that I can't see exactly what OWASP Zap will do when I click the "Attack" button and I obviously don't want to upset AWS!
Has anyone else used OWASP Zap on an EC2 instance? Did it you have to configure it to not do DoS attacks, etc? Is there any way I can find out what Zap is doing (I couldn't see anything in the documentation but may have missed something)?
Yes, I've done that. ZAP does not deliberately attempt DoS attacks (or any other attacks intended to cause damage) but it can still 'take out' insecure or badly configured applications. If you have permission from the website owner then they hopefully wont complain to Amazon and then you'll be ok.
For details of the scan rules ZAP uses see https://www.zaproxy.org/docs/alerts/ - those pages link to the relevant source code so that shpould provide you with more than enough detail ;)