ZAP doesn't just throw a load of payloads at a target to see what happens :)
The payloads are targeted based on the responses to other payloads so that it hopefully zeros in on specific vulnerabilities.
However, there are various options:
- Change the existing rules to improve them - this blog post is a good place to start: Hacking ZAP: Active Scan Rules - if you do improve them then please submit pull requests :)
- Write new rules to do whatever you want - this gives you full control, but could be a bit daunting to start with
- Tweak the User defined attacks.js script - this is probably the easiest way to get started