# OWASP ZAP — Web Application Security Scanner

> The world's most widely used open-source web application security scanner, providing automated and manual tools for finding vulnerabilities in web applications during development and testing.

## Install

ZAP is distributed as Docker images (`zaproxy/zap-stable`, `zaproxy/zap-weekly`, `zaproxy/zap-bare`). The commands below use the stable image, which bundles the packaged scan scripts; Docker pulls it on first use.

## Quick Use

```bash
# Baseline scan: spider plus passive rules only (no attack payloads). Exits non-zero
# on WARN/FAIL, so it can gate a pipeline. Mount cwd so the report lands on the host.
docker run -v "$(pwd)":/zap/wrk/:rw -t zaproxy/zap-stable zap-baseline.py \
  -t https://target.example.com -r baseline-report.html

# ZAP daemon for API-driven scanning. The API only answers allowed addresses
# (default: localhost inside the container), so allow remote callers and set a key.
docker run -u zap -p 8080:8080 -i zaproxy/zap-stable zap.sh -daemon -host 0.0.0.0 -port 8080 \
  -config api.addrs.addr.name=.* -config api.addrs.addr.regex=true -config api.key=change-me

# Full scan: spider plus active scan (sends attack payloads; staging targets only).
docker run -v "$(pwd)":/zap/wrk/:rw -t zaproxy/zap-stable zap-full-scan.py \
  -t https://target.example.com -r full-report.html
```

## Introduction

OWASP ZAP (Zed Attack Proxy) is an open-source dynamic application security testing (DAST) tool maintained by the OWASP community. It works as an intercepting proxy between a browser (or any HTTP client) and a web application, recording and analysing HTTP(S) traffic to detect vulnerabilities such as cross-site scripting (XSS), SQL injection, and weak session-cookie or security-header configuration. To inspect HTTPS traffic, ZAP terminates TLS with its own root CA, which must be imported into the browser or client trust store before the proxy can see decrypted requests.

## What OWASP ZAP Does

- Intercepts and inspects all HTTP/HTTPS traffic between the browser and the target application
- Performs automated active scanning, injecting payloads to probe for common web vulnerabilities (OWASP Top 10)
- Provides passive scanning that flags issues in observed traffic without sending any extra requests
- Supports spidering and AJAX crawling to discover application endpoints automatically
- Generates detailed vulnerability reports in HTML, XML, JSON, and Markdown formats

## Architecture Overview

ZAP is a Java application built around a proxy core that intercepts HTTP(S) traffic. The proxy feeds every request and response to a pipeline of passive scan rules that analyse the traffic as observed. Active scan rules take the URLs and parameters that the spider and proxy have discovered and inject payloads into them, so their coverage is only as good as the crawl that preceded them. The add-on marketplace extends functionality with community-contributed scan rules, authentication handlers, and reporting plugins.
A full REST API enables headless operation for CI/CD integration; the packaged scan scripts and the client libraries drive ZAP through that same API.

## Self-Hosting & Configuration

- Run via Docker images (stable, weekly, or bare) for consistent environments; the bare image is the minimal build intended for automation
- Configure authentication per context: cookie- or header-based session management, form-based or JSON login, or a script-based handler for anything non-standard, plus a logged-in or logged-out indicator so ZAP can notice session loss and re-authenticate
- Set scan policies to control which rule categories run, at what attack strength, and at what alert threshold
- Integrate with CI/CD using the packaged scan scripts (baseline, full, API) or REST API calls; inject the daemon's API key at run time rather than baking it into an image
- Use ZAP's HUD (Heads Up Display) for in-browser interactive testing during manual reviews

## Key Features

- Comprehensive DAST covering the OWASP Top 10 and hundreds of additional vulnerability checks
- CI/CD integration with packaged scan scripts and GitHub Actions support
- Extensible add-on marketplace with 100+ community-maintained extensions
- Full REST API and client libraries in Python, Java, and Node.js for automation
- Session management and context-aware scanning for authenticated application areas

## Comparison with Similar Tools

- **Burp Suite** — the industry-standard commercial tool with broader manual testing features; ZAP is free and open-source with comparable automated scanning
- **Nikto** — a legacy web server scanner focused on server misconfigurations and known-dangerous files; ZAP provides deeper application-layer vulnerability detection
- **Nuclei** — a template-based scanner that checks for specific known issues (CVEs, exposed panels, misconfigurations); ZAP performs generic vulnerability probing of an application's own parameters without needing pre-built templates
- **Arachni** — a similar DAST scanner that is no longer maintained; ZAP has active development and OWASP community backing

## FAQ

**Q: Can ZAP scan modern single-page applications (SPAs)?**
A: Yes. The AJAX Spider drives a real (headless) browser to execute JavaScript, click through the interface, and discover endpoints the traditional spider cannot see in static HTML. Run both spiders for the best coverage.

**Q: How do I authenticate to scan protected areas?**
A: Define a context for the protected URLs, choose an authentication method (form-based, JSON, HTTP/NTLM, or script-based), add a user with credentials, and set a logged-in or logged-out indicator that ZAP matches against responses. ZAP then authenticates before scanning, detects when the session has expired, and re-authenticates automatically. Run the spider and active scan as that user so the protected pages are actually exercised.
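The API-driven workflow from the Self-Hosting section and the authentication setup described in the FAQ above, as one added example (this is not ZAP's own code or code from the original page). It drives a ZAP daemon started as in Quick Use over the REST API: it creates a context, configures form-based authentication and a user, spiders and actively scans as that user, and then fails the pipeline if any alert meets a risk threshold. `ZAP_URL`, `API_KEY`, `TARGET`, `LOGIN_URL`, the login form field names, the `Logout` logged-in indicator and the user credentials are all placeholder assumptions; `SAMPLE_ALERTS` is constructed data used only to exercise the gate offline.

```python
"""Authenticated ZAP scan over the REST API with a CI gate on alert risk (added example)."""
import json
import sys
import time
import urllib.parse
import urllib.request

ZAP_URL = "http://127.0.0.1:8080"       # assumption: daemon started as in Quick Use
API_KEY = "change-me"                   # assumption: matches -config api.key on the daemon
TARGET = "https://target.example.com"   # assumption: a staging host, never production
LOGIN_URL = TARGET + "/login"           # assumption: form POST endpoint of the target
LOGGED_IN_REGEX = "Logout"              # assumption: text present only when authenticated
RISK_ORDER = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}

# Constructed sample of the shape core/view/alerts returns, for offline use of the gate.
SAMPLE_ALERTS = [
    {"risk": "High", "alert": "SQL Injection", "url": TARGET + "/search", "param": "q"},
    {"risk": "Medium", "alert": "Missing Anti-clickjacking Header", "url": TARGET + "/", "param": ""},
    {"risk": "Low", "alert": "Cookie Without Secure Flag", "url": TARGET + "/login", "param": "session"},
]


def api_url(component, kind, name, **params):
    """Build a ZAP API URL such as .../JSON/spider/view/status/?scanId=0 (pure, testable)."""
    query = urllib.parse.urlencode({k: v for k, v in params.items() if v is not None})
    return f"{ZAP_URL}/JSON/{component}/{kind}/{name}/" + (f"?{query}" if query else "")


def zap(component, kind, name, **params):
    """Call the API with the key in the X-ZAP-API-Key header and return parsed JSON."""
    req = urllib.request.Request(api_url(component, kind, name, **params),
                                 headers={"X-ZAP-API-Key": API_KEY})
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.loads(resp.read().decode())


def wait_for(component, scan_id, poll_seconds=5):
    """Poll spider/ascan view/status until the scan reports 100 percent."""
    while int(zap(component, "view", "status", scanId=scan_id)["status"]) < 100:
        time.sleep(poll_seconds)


def setup_authenticated_context(username, password):
    """Create a context with form-based auth and an enabled user; return (contextId, userId)."""
    ctx_id = zap("context", "action", "newContext", contextName="ci")["contextId"]
    zap("context", "action", "includeInContext", contextName="ci", regex=TARGET + ".*")
    # loginRequestData uses ZAP's {%username%}/{%password%} placeholders; the whole
    # config is passed as one URL-encoded string, so it is encoded twice on the wire.
    cfg = urllib.parse.urlencode({
        "loginUrl": LOGIN_URL,
        "loginRequestData": "username={%username%}&password={%password%}",
    })
    zap("authentication", "action", "setAuthenticationMethod", contextId=ctx_id,
        authMethodName="formBasedAuthentication", authMethodConfigParams=cfg)
    zap("authentication", "action", "setLoggedInIndicator", contextId=ctx_id,
        loggedInIndicatorRegex=LOGGED_IN_REGEX)
    user_id = zap("users", "action", "newUser", contextId=ctx_id, name=username)["userId"]
    creds = urllib.parse.urlencode({"username": username, "password": password})
    zap("users", "action", "setAuthenticationCredentials", contextId=ctx_id,
        userId=user_id, authCredentialsConfigParams=creds)
    zap("users", "action", "setUserEnabled", contextId=ctx_id, userId=user_id, enabled="true")
    return ctx_id, user_id


def failing_alerts(alerts, threshold="High"):
    """Return the alerts at or above the risk threshold; unknown risk strings never pass the gate."""
    floor = RISK_ORDER[threshold]
    return [a for a in alerts if RISK_ORDER.get(a.get("risk"), -1) >= floor]


def run(username, password, threshold="High"):
    """Spider and actively scan TARGET as the given user; True when nothing meets the threshold."""
    ctx_id, user_id = setup_authenticated_context(username, password)
    spider_id = zap("spider", "action", "scanAsUser", contextId=ctx_id, userId=user_id,
                    url=TARGET, recurse="true")["scanAsUser"]
    wait_for("spider", spider_id)
    ascan_id = zap("ascan", "action", "scanAsUser", url=TARGET, contextId=ctx_id,
                   userId=user_id, recurse="true")["scanAsUser"]
    wait_for("ascan", ascan_id)
    alerts = zap("core", "view", "alerts", baseurl=TARGET)["alerts"]
    bad = failing_alerts(alerts, threshold)
    for a in bad:
        print(f"{a['risk']:<6} {a['alert']} at {a['url']} param={a.get('param', '')}")
    return len(bad) == 0


if __name__ == "__main__":
    # Exit 1 when the gate fails so the CI job fails with it.
    sys.exit(0 if run("ci-user", "ci-password") else 1)
```

The alerts returned by `core/view/alerts` also carry a `confidence` field; a stricter gate can ignore Low-confidence findings or raise the threshold to Medium once the policy is tuned.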
**Q: Is ZAP suitable for production scanning?**
A: Not for active scanning. Active scan rules send real attack payloads (injection strings, path traversal, malformed form submissions) that can create, modify, or delete data, trigger e-mails and webhooks, and fill logs and queues. Run active scans against a staging or test environment with production-like data, and only with written authorization for the target. Passive scanning and the baseline script send no attack payloads, but the spider still follows links and submits forms, so even those runs should be scoped carefully against live systems.

**Q: How do I reduce false positives?**
A: Tune the scan policy to the target's technology stack so rules for absent technologies do not run, use context-specific scan configurations to focus on relevant vulnerability categories, and review Low-confidence alerts by hand before acting on them. For the packaged scripts, a rules file (`-c`) marks individual rule IDs as IGNORE, WARN, or FAIL so known-acceptable findings do not fail the pipeline.

## Sources

- https://github.com/zaproxy/zaproxy
- https://www.zaproxy.org/

---
Source: https://tokrepo.com/en/workflows/asset-24072eab
Author: AI Open Source