# OWASP ZAP — Open-Source Web Application Security Scanner

> Free security testing tool for finding vulnerabilities in web applications during development and QA.

## Quick Use

```bash
docker pull ghcr.io/zaproxy/zaproxy:stable

# Quick baseline scan
docker run -t ghcr.io/zaproxy/zaproxy:stable zap-baseline.py -t https://example.com

# Full scan
docker run -t ghcr.io/zaproxy/zaproxy:stable zap-full-scan.py -t https://example.com
```

## Introduction

ZAP (Zed Attack Proxy) is an open-source web application security scanner maintained by the OWASP Foundation. It helps developers and security testers find vulnerabilities like XSS, SQL injection, and broken authentication in web applications. ZAP can be used both as an interactive proxy and as an automated scanner in CI/CD pipelines.

## What OWASP ZAP Does

- Intercepts and inspects HTTP/HTTPS traffic as a man-in-the-middle proxy
- Performs automated active and passive scanning for common web vulnerabilities
- Crawls web applications using traditional spidering and AJAX-aware crawling
- Supports authenticated scanning with session management and login sequences
- Generates reports in HTML, XML, JSON, and Markdown formats

## Architecture Overview

ZAP is a Java-based application built on a proxy core that intercepts all browser traffic. Passive scanners analyze traffic in real time without modifying requests. Active scanners send crafted payloads to detect vulnerabilities. The architecture is extensible through a marketplace of add-ons that cover specialized protocols, authentication methods, and reporting formats.
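The proxy-plus-scanner architecture above is also exposed over ZAP's JSON API, which is how scripts and pipelines drive it. The following is an added example, not code from the ZAP project: a minimal client that runs the traditional spider, waits for it, runs an active scan, and then pulls the alerts that the passive and active scanners recorded. It assumes ZAP is listening on its default port 8080 with an API key; the `spider`, `ascan` and `core` endpoint paths are ZAP's, while the `opener` hook and `summarize` helper are assumptions of this example so the transport can be swapped out.

```python
"""Drive a running ZAP instance through its JSON API.

Added example, not code from the ZAP project. Assumes ZAP listens on
http://localhost:8080 (its default port) with an API key. The endpoint paths
are ZAP's spider, ascan and core API components; the `opener` hook is an
assumption of this example so a fake transport can stand in for live ZAP.
"""
import json
import time
import urllib.parse
import urllib.request


class ZapClient:
    def __init__(self, base_url="http://localhost:8080", api_key="changeme",
                 opener=None):
        self.base_url = base_url.rstrip("/")
        self.api_key = api_key
        # opener(url) -> bytes; defaults to a plain HTTP GET against ZAP.
        self.opener = opener or (
            lambda url: urllib.request.urlopen(url, timeout=30).read())

    def call(self, component, kind, endpoint, **params):
        """GET /JSON/<component>/<view|action>/<endpoint>/ and parse the reply."""
        params["apikey"] = self.api_key
        query = urllib.parse.urlencode(params)
        url = f"{self.base_url}/JSON/{component}/{kind}/{endpoint}/?{query}"
        return json.loads(self.opener(url))

    def _wait(self, component, scan_id, poll):
        # Both the spider and the active scanner expose view/status as 0-100.
        while int(self.call(component, "view", "status",
                            scanId=scan_id)["status"]) < 100:
            time.sleep(poll)

    def spider(self, target, poll=2.0):
        """Traditional spider: discover URLs so the scanners have coverage.
        Passive scanning runs on this traffic without extra requests."""
        scan_id = self.call("spider", "action", "scan", url=target)["scan"]
        self._wait("spider", scan_id, poll)
        return scan_id

    def active_scan(self, target, poll=5.0):
        """Active scan: ZAP sends crafted requests to the discovered URLs."""
        scan_id = self.call("ascan", "action", "scan", url=target)["scan"]
        self._wait("ascan", scan_id, poll)
        return scan_id

    def alerts(self, target):
        """All alerts (passive and active) recorded for URLs under `target`."""
        return self.call("core", "view", "alerts", baseurl=target)["alerts"]


def summarize(alerts):
    """Count alerts per ZAP risk level as returned by core/view/alerts."""
    counts = {"High": 0, "Medium": 0, "Low": 0, "Informational": 0}
    for alert in alerts:
        risk = alert.get("risk", "Informational")
        counts[risk] = counts.get(risk, 0) + 1
    return counts


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "https://example.com"
    zap = ZapClient(api_key="changeme")  # match ZAP's configured API key
    zap.spider(target)
    zap.active_scan(target)
    print(summarize(zap.alerts(target)))
```

The same calls are what the `zap-baseline.py` and `zap-full-scan.py` wrappers make internally; writing them out shows where the spider, the passive scanners and the active scanner each sit in the sequence, and the injectable `opener` keeps the orchestration testable without a running ZAP.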
## Self-Hosting & Configuration

- Run via Docker, native installers (Windows, macOS, Linux), or as a Java JAR
- Configure the local proxy on port 8080 by default for interactive testing
- Define scan policies to control which checks run and their aggressiveness
- Set up authentication contexts for testing apps behind login forms or SSO
- Use automation framework YAML files for repeatable CI/CD scan configurations

## Key Features

- Both manual proxy-based testing and fully automated scanning modes
- AJAX Spider handles modern JavaScript-heavy single-page applications
- Comprehensive API allows full control from scripts and CI/CD pipelines
- Active community with 100+ add-ons in the ZAP Marketplace
- Covers OWASP Top 10 vulnerability categories out of the box

## Comparison with Similar Tools

- **Burp Suite** — Industry-standard commercial proxy; ZAP is fully free and open source
- **Nikto** — Web server scanner focused on misconfigurations; ZAP tests application-level vulnerabilities
- **Nuclei** — Template-based vulnerability scanner; ZAP offers interactive proxy and crawling
- **OWASP Dependency-Check** — Scans dependencies for known CVEs; ZAP tests running applications
- **Arachni** — Ruby-based web scanner (discontinued); ZAP is actively maintained

## FAQ

**Q: Is ZAP suitable for testing APIs?**
A: Yes. ZAP can import OpenAPI/Swagger definitions and scan REST and GraphQL endpoints.

**Q: Can ZAP run in a CI/CD pipeline?**
A: Yes. ZAP provides Docker images and an automation framework with YAML-based scan plans designed for CI integration.

**Q: Does ZAP support authenticated scanning?**
A: Yes. You can configure form-based, script-based, or header-based authentication contexts to scan pages behind login.

**Q: How does ZAP handle false positives?**
A: ZAP assigns confidence levels to findings. You can tune scan policies, mark false positives, and create custom rules to reduce noise.
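The two FAQ answers on CI/CD and false positives meet in the gate a pipeline applies to ZAP's output. The following is an added example, not code from the ZAP project: it reads a report in ZAP's traditional JSON layout (`site[].alerts[]`, with `riskcode` 0-3 and `confidence` 0-4 as strings), lets the build fail only on findings at or above a risk and confidence threshold, and honours an allow-list that plays the role of findings a reviewer has already marked as false positives. The sample report, the threshold defaults and the `(pluginid, uri-prefix)` allow-list format are constructed for this example.

```python
"""Triage a ZAP JSON report and decide whether a CI job should fail.

Added example, not code from the ZAP project. It reads ZAP's traditional
JSON report shape (site[].alerts[] with string riskcode 0-3 and confidence
0-4); the sample report, thresholds and allow-list format are constructed.
"""
import json

RISK = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}
CONFIDENCE = {0: "False Positive", 1: "Low", 2: "Medium", 3: "High",
              4: "User Confirmed"}

# Constructed sample in the traditional-json layout (e.g. zap-baseline.py -J).
SAMPLE_REPORT = json.dumps({
    "@version": "2.x", "site": [{
        "@name": "https://example.com",
        "alerts": [
            {"pluginid": "10038",
             "alert": "Content Security Policy (CSP) Header Not Set",
             "riskcode": "2", "confidence": "3",
             "instances": [{"uri": "https://example.com/", "method": "GET"}]},
            {"pluginid": "40012", "alert": "Cross Site Scripting (Reflected)",
             "riskcode": "3", "confidence": "2",
             "instances": [{"uri": "https://example.com/search?q=x",
                            "method": "GET", "param": "q"}]},
            {"pluginid": "40018", "alert": "SQL Injection",
             "riskcode": "3", "confidence": "1",
             "instances": [{"uri": "https://example.com/item?id=1",
                            "method": "GET", "param": "id"}]},
            {"pluginid": "10021",
             "alert": "X-Content-Type-Options Header Missing",
             "riskcode": "1", "confidence": "2",
             "instances": [{"uri": "https://example.com/static/app.js",
                            "method": "GET"}]},
        ]}]})


def triage(report_json, min_risk=2, min_confidence=2, allowlist=()):
    """Split report instances into (blocking, ignored).

    An instance blocks when riskcode >= min_risk, confidence >= min_confidence,
    it is not marked False Positive (confidence 0), and no allow-list entry
    (pluginid, uri prefix) covers it. The allow-list stands in for findings a
    reviewer has already triaged as false positives in ZAP.
    """
    blocking, ignored = [], []
    for site in json.loads(report_json).get("site", []):
        for alert in site.get("alerts", []):
            risk, conf = int(alert["riskcode"]), int(alert["confidence"])
            for inst in alert.get("instances", []):
                entry = {
                    "pluginid": alert["pluginid"], "alert": alert["alert"],
                    "risk": RISK[risk], "confidence": CONFIDENCE[conf],
                    "uri": inst.get("uri", ""), "param": inst.get("param", ""),
                }
                allowed = any(pid == alert["pluginid"]
                              and entry["uri"].startswith(prefix)
                              for pid, prefix in allowlist)
                if conf == 0 or risk < min_risk or conf < min_confidence or allowed:
                    ignored.append(entry)
                else:
                    blocking.append(entry)
    return blocking, ignored


def exit_code(blocking):
    """Non-zero fails the CI job; zero lets it proceed."""
    return 1 if blocking else 0


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    blocking, ignored = triage(data)
    for e in blocking:
        print(f"BLOCK {e['risk']}/{e['confidence']} {e['alert']} {e['uri']}")
    print(f"{len(blocking)} blocking, {len(ignored)} ignored")
    sys.exit(exit_code(blocking))
```

Gating on both risk and confidence, rather than risk alone, is what keeps a low-confidence SQL injection alert from failing every build while the same finding at high confidence still does; lowering `min_confidence` to 1 is the knob to turn when a team wants those low-confidence alerts surfaced for manual review.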
## Sources

- https://github.com/zaproxy/zaproxy
- https://www.zaproxy.org/docs/

---

Source: https://tokrepo.com/en/workflows/asset-adb5755b
Author: Script Depot