Configs · May 16, 2026 · 1 min read

OWASP ZAP — Web Application Security Scanner

The world's most widely used open-source web application security scanner, providing automated and manual tools for finding vulnerabilities in web applications during development and testing.

Agent ready

This asset can be read and installed directly by an Agent.

TokRepo also provides a generic CLI command, an install contract, metadata JSON, per-adapter install plans, and a link to the raw content, so that an Agent can judge fit, risk, and the next action.

Native · 98/100 · Policy: allowed
Agent entry point
Any MCP/CLI Agent
Type
Skill
Installation
Single
Trust
Trust level: Established
Entry
OWASP ZAP Overview
Generic CLI install command
npx tokrepo install 24072eab-5121-11f1-9bc6-00163e2b0d79

Introduction

OWASP ZAP (Zed Attack Proxy) is an open-source dynamic application security testing (DAST) tool maintained by the OWASP community. It acts as a man-in-the-middle proxy between a browser and a web application, intercepting and analyzing HTTP traffic to detect security vulnerabilities like XSS, SQL injection, and broken authentication.

What OWASP ZAP Does

  • Intercepts and inspects all HTTP/HTTPS traffic between browser and target application
  • Performs automated active scanning to probe for common web vulnerabilities (OWASP Top 10)
  • Provides passive scanning that identifies issues from observed traffic without active probing
  • Supports spidering and AJAX crawling to discover application endpoints automatically
  • Generates detailed vulnerability reports in HTML, XML, JSON, and Markdown formats

Architecture Overview

ZAP is a Java application built on a proxy core that intercepts HTTP(S) traffic. The proxy feeds requests and responses to a pipeline of passive scanners that analyze traffic patterns. Active scanners inject payloads into discovered parameters to test for vulnerabilities. The add-on marketplace extends functionality with community-contributed scan rules, authentication handlers, and reporting plugins. A full REST API enables headless operation for CI/CD integration.

Self-Hosting & Configuration

  • Run via Docker images (stable, weekly, or bare) for consistent environments
  • Configure authentication via session management, form-based login, or script-based auth handlers
  • Set scan policies to control which vulnerability categories and strength levels are tested
  • Integrate with CI/CD using the packaged scan scripts (baseline, full, API) or REST API calls
  • Use ZAP's HUD (Heads Up Display) for in-browser interactive testing during manual reviews
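The CI/CD bullet above mentions the packaged scan scripts and REST API but not what a pipeline does with the output. The usual step is a quality gate: parse the JSON report ZAP writes, ignore rule IDs that have been reviewed as false positives for this target, and fail the build when anything at or above a chosen risk level remains. The following is an added example, not part of the original page and not ZAP's own code. It assumes the traditional ZAP JSON report layout (a `site` array, each site holding `alerts` with a string `riskcode` from "0" for Informational to "3" for High); the embedded sample report, including its plugin IDs and URLs, is constructed for illustration.

```python
from __future__ import annotations

import json
import sys

# Risk codes as ZAP writes them in the JSON report (assumption: the
# traditional report format, riskcode "0" = Informational .. "3" = High).
RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}

# Constructed sample report in the shape of a ZAP JSON report. The site,
# plugin IDs, alert names and URIs are illustrative, not real scan output.
SAMPLE_REPORT = json.dumps({
    "@version": "2.x",
    "site": [{
        "@name": "https://staging.example.test",
        "alerts": [
            {"pluginid": "40012", "alert": "Cross Site Scripting (Reflected)",
             "riskcode": "3", "confidence": "2",
             "instances": [{"uri": "https://staging.example.test/search?q=x"}]},
            {"pluginid": "10038", "alert": "Content Security Policy (CSP) Header Not Set",
             "riskcode": "2", "confidence": "3",
             "instances": [{"uri": "https://staging.example.test/"}]},
            {"pluginid": "10021", "alert": "X-Content-Type-Options Header Missing",
             "riskcode": "1", "confidence": "2",
             "instances": [{"uri": "https://staging.example.test/"}]},
        ],
    }],
})


def load_alerts(report_json: str) -> list[dict]:
    """Flatten a ZAP JSON report into one dict per alert, across all sites."""
    data = json.loads(report_json)
    alerts = []
    for site in data.get("site", []):
        for alert in site.get("alerts", []):
            alerts.append({
                "site": site.get("@name", ""),
                "pluginid": str(alert.get("pluginid", "")),
                "name": alert.get("alert", ""),
                "risk": int(alert.get("riskcode", 0)),
                "instances": len(alert.get("instances", [])),
            })
    return alerts


def count_by_risk(alerts: list[dict]) -> dict[int, int]:
    """Number of distinct alerts at each risk level, for the build log."""
    counts: dict[int, int] = {}
    for alert in alerts:
        counts[alert["risk"]] = counts.get(alert["risk"], 0) + 1
    return counts


def gate(alerts: list[dict], min_risk: int = 2, ignore_plugins=()) -> list[dict]:
    """Return the alerts that should fail the build.

    An alert fails the gate when its risk is at or above min_risk and its
    plugin ID is not on the reviewed ignore list (the ignore list is how a
    team records triaged false positives without lowering the threshold).
    """
    ignored = {str(p) for p in ignore_plugins}
    return [a for a in alerts
            if a["risk"] >= min_risk and a["pluginid"] not in ignored]


def exit_code_for(report_json: str, min_risk: int = 2, ignore_plugins=()) -> int:
    """0 when the gate passes, 1 when at least one alert blocks the build."""
    return 1 if gate(load_alerts(report_json), min_risk, ignore_plugins) else 0


def main(argv: list[str]) -> int:
    # Usage: zap_gate.py report.json [min_risk] [ignored_plugin_id ...]
    # With no arguments the constructed sample report is used.
    report = open(argv[1]).read() if len(argv) > 1 else SAMPLE_REPORT
    min_risk = int(argv[2]) if len(argv) > 2 else 2
    ignored = argv[3:]
    alerts = load_alerts(report)
    for level, n in sorted(count_by_risk(alerts).items(), reverse=True):
        print(f"{RISK_NAMES.get(level, level)}: {n}")
    for a in gate(alerts, min_risk, ignored):
        print(f"BLOCKING {RISK_NAMES[a['risk']]} [{a['pluginid']}] {a['name']} "
              f"({a['instances']} instance(s) on {a['site']})")
    return exit_code_for(report, min_risk, ignored)


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In a pipeline the report path comes from the `-J` option of the packaged baseline or full scan, and the gate's non-zero exit code is what stops the job; keeping the ignore list in version control next to the threshold makes every suppressed finding reviewable.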

Key Features

  • Comprehensive DAST covering OWASP Top 10 and hundreds of additional vulnerability checks
  • CI/CD integration with packaged scan scripts and GitHub Actions support
  • Extensible add-on marketplace with 100+ community-maintained extensions
  • Full REST API and client libraries in Python, Java, and Node.js for automation
  • Session management and context-aware scanning for authenticated application areas

Comparison with Similar Tools

  • Burp Suite — industry-standard commercial tool with broader manual testing features; ZAP is free and open-source with comparable automated scanning
  • Nikto — legacy web server scanner focused on misconfigurations; ZAP provides deeper application-layer vulnerability detection
  • Nuclei — template-based scanner for known CVEs; ZAP performs generic vulnerability probing without needing pre-built templates
  • Arachni — similar DAST scanner now unmaintained; ZAP has active development and OWASP community backing

FAQ

Q: Can ZAP scan modern single-page applications (SPAs)? A: Yes. The AJAX Spider uses a headless browser to crawl JavaScript-heavy applications and discover dynamic endpoints.

Q: How do I authenticate to scan protected areas? A: Configure authentication contexts with login URLs, credentials, and session indicators. ZAP maintains sessions automatically during scans.

Q: Is ZAP suitable for production scanning? A: Active scanning sends attack payloads that may cause side effects. Use it against staging or test environments, not live production systems.

Q: How do I reduce false positives? A: Tune scan policies, set technology tags for the target stack, and use context-specific scan configurations to focus on relevant vulnerability categories.

Sources
