Skills · May 4, 2026 · 1 min read

OWASP ZAP — Open-Source Web Application Security Scanner

The most widely used open-source web application security scanner for finding vulnerabilities during development and penetration testing.

Agent-ready

This asset can be read and installed directly by an Agent.

TokRepo also provides a generic CLI command, an installation contract, metadata JSON, per-adapter installation plans and a link to the raw content, so an Agent can judge fit, risk and the next action.

Native · 98/100 · Policy: Allowed
Agent entry point: Any MCP/CLI Agent
Type: Skill
Install: Single
Trust level: Established
Entry: OWASP ZAP Overview
Generic CLI install command:
npx tokrepo install 417d0387-47f9-11f1-9bc6-00163e2b0d79

Introduction

OWASP ZAP (Zed Attack Proxy) is a free, open-source web application security scanner maintained by the OWASP community. It helps developers and security testers find vulnerabilities like XSS, SQL injection, and CSRF in web applications through both automated scanning and manual testing.

What OWASP ZAP Does

  • Intercepts and modifies HTTP/HTTPS traffic as a man-in-the-middle proxy
  • Performs automated active and passive scanning for common web vulnerabilities
  • Crawls web applications using traditional spidering and Ajax-aware browsing
  • Provides a scripting engine for custom scan rules and automation
  • Generates detailed vulnerability reports in HTML, XML, JSON, and Markdown

Architecture Overview

ZAP is a Java application that operates as an intercepting proxy between the browser and the target application. Incoming requests and responses pass through a pipeline of passive scan rules. Active scanning sends crafted payloads to detect injection flaws and misconfigurations. The add-on marketplace extends functionality with community-contributed scan rules, authentication handlers, and reporting templates.

Self-Hosting & Configuration

  • Run headless in CI/CD pipelines using Docker images and automation scripts
  • Configure authentication via form-based, script-based, or header-based methods
  • Define scan policies to control which active scan rules run and at what strength
  • Set context definitions to scope scans to specific parts of the application
  • Use the ZAP API for full programmatic control from external tools

Key Features

  • Automated baseline, full, and API scan scripts for CI/CD integration
  • Ajax Spider for crawling JavaScript-heavy single-page applications
  • Built-in fuzzer for parameter manipulation and boundary testing
  • Session management and authentication handling for scanning behind login
  • Active community with 100+ add-ons in the marketplace

Comparison with Similar Tools

  • Burp Suite — commercial alternative with more polished UI and advanced features, but requires a paid license
  • Nikto — lightweight web server scanner focused on misconfigurations, less comprehensive for app-layer vulnerabilities
  • Acunetix — commercial automated scanner with broader crawling but closed source
  • Nuclei — template-based scanner for known CVEs, complements ZAP's general-purpose scanning

FAQ

Q: Is ZAP suitable for CI/CD pipelines? A: Yes. ZAP provides Docker images and baseline/full scan scripts designed for automated pipeline integration with configurable thresholds.

Q: Can ZAP scan APIs? A: Yes. Import OpenAPI, GraphQL, or SOAP definitions and ZAP will generate and scan API requests based on the specification.

Q: How does ZAP handle false positives? A: ZAP provides confidence levels for findings. Tune scan policies, use context-specific configurations, and leverage passive scan rules to reduce noise.
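To show how the confidence levels and pipeline thresholds mentioned in the two answers above fit together, here is an added example (not code from the ZAP project or this page) that gates a CI run on a ZAP JSON report: it parses the report's site/alerts structure and fails only on alerts whose risk and confidence both reach configurable floors. The report content is a constructed sample in the shape of ZAP's traditional JSON report.

```python
import json

# Constructed sample in the shape of ZAP's traditional JSON report:
# a list of sites, each carrying alerts with riskcode/confidence as numeric strings.
SAMPLE_REPORT = json.dumps({
    "@version": "2.x",
    "site": [{
        "@name": "https://app.example",
        "alerts": [
            {"pluginid": "40012", "alert": "Cross Site Scripting (Reflected)",
             "riskcode": "3", "confidence": "2", "riskdesc": "High (Medium)"},
            {"pluginid": "10038", "alert": "Content Security Policy (CSP) Header Not Set",
             "riskcode": "2", "confidence": "3", "riskdesc": "Medium (High)"},
            {"pluginid": "10096", "alert": "Timestamp Disclosure",
             "riskcode": "0", "confidence": "1", "riskdesc": "Informational (Low)"},
        ],
    }],
})

# ZAP risk codes: 0 Informational, 1 Low, 2 Medium, 3 High.
RISK = {"informational": 0, "low": 1, "medium": 2, "high": 3}
# ZAP confidence codes: 0 False Positive, 1 Low, 2 Medium, 3 High, 4 User Confirmed.
CONFIDENCE = {"false positive": 0, "low": 1, "medium": 2, "high": 3, "confirmed": 4}


def failing_alerts(report_json, fail_risk="medium", min_confidence="medium"):
    """Return (pluginid, alert name) pairs that reach both thresholds.

    Alerts below the confidence floor are treated as noise rather than
    build failures, which is how the confidence level is meant to be used.
    """
    report = json.loads(report_json)
    risk_floor = RISK[fail_risk]
    conf_floor = CONFIDENCE[min_confidence]
    failing = []
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            risk_ok = int(alert["riskcode"]) >= risk_floor
            conf_ok = int(alert["confidence"]) >= conf_floor
            if risk_ok and conf_ok:
                failing.append((alert["pluginid"], alert["alert"]))
    return failing


def gate_passes(report_json, **thresholds):
    """True when no alert meets the failure criteria (the pipeline may proceed)."""
    return not failing_alerts(report_json, **thresholds)


if __name__ == "__main__":
    for pid, name in failing_alerts(SAMPLE_REPORT):
        print(f"FAIL {pid}: {name}")
    print("gate passes:", gate_passes(SAMPLE_REPORT))
```

Swap the constructed sample for the file written by `-J` in the baseline script and the same two functions drive an exit code in the pipeline.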

Q: Is ZAP still maintained after the OWASP transition? A: Yes. ZAP is actively developed under the Software Security Project (SSP) with regular releases and an active contributor community.
