Scripts · 1 July 2026 · 1 min read

OWASP ZAP — Open-Source Web Application Security Scanner

Free security testing tool for finding vulnerabilities in web applications during development and QA.

Agent-ready

Installable directly by an agent

This asset is installable: the agent first selects the current runtime, checks the install plan, and then runs the matching command.

Native · 98/100 · Policy: allowed
Agent entry: any MCP/CLI agent
Type: Skill
Install: Single
Trust: trust level Established
Entry: OWASP ZAP
Direct install command:
npx -y tokrepo@latest install adb5755b-754b-11f1-9bc6-00163e2b0d79 --target codex

Dry-run first to confirm the install plan, then run this command.

Introduction

ZAP (Zed Attack Proxy) is an open-source web application security scanner maintained by the OWASP Foundation. It helps developers and security testers find vulnerabilities like XSS, SQL injection, and broken authentication in web applications. ZAP can be used both as an interactive proxy and as an automated scanner in CI/CD pipelines.

What OWASP ZAP Does

  • Intercepts and inspects HTTP/HTTPS traffic as a man-in-the-middle proxy
  • Performs automated active and passive scanning for common web vulnerabilities
  • Crawls web applications using traditional spidering and AJAX-aware crawling
  • Supports authenticated scanning with session management and login sequences
  • Generates reports in HTML, XML, JSON, and Markdown formats

Architecture Overview

ZAP is a Java-based application built on a proxy core that intercepts all browser traffic. Passive scanners analyze traffic in real-time without modifying requests. Active scanners send crafted payloads to detect vulnerabilities. The architecture is extensible through a marketplace of add-ons that cover specialized protocols, authentication methods, and reporting formats.

Self-Hosting & Configuration

  • Run via Docker, native installers (Windows, macOS, Linux), or as a Java JAR
  • Point your browser at ZAP's local proxy (port 8080 by default) for interactive testing
  • Define scan policies to control which checks run and their aggressiveness
  • Set up authentication contexts for testing apps behind login forms or SSO
  • Use automation framework YAML files for repeatable CI/CD scan configurations

Key Features

  • Both manual proxy-based testing and fully automated scanning modes
  • AJAX Spider handles modern JavaScript-heavy single-page applications
  • Comprehensive API allows full control from scripts and CI/CD pipelines
  • Active community with 100+ add-ons in the ZAP Marketplace
  • Covers OWASP Top 10 vulnerability categories out of the box

Comparison with Similar Tools

  • Burp Suite — Industry-standard commercial proxy; ZAP is fully free and open source
  • Nikto — Web server scanner focused on misconfigurations; ZAP tests application-level vulnerabilities
  • Nuclei — Template-based vulnerability scanner; ZAP offers interactive proxy and crawling
  • OWASP Dependency-Check — Scans dependencies for known CVEs; ZAP tests running applications
  • Arachni — Ruby-based web scanner (discontinued); ZAP is actively maintained

FAQ

Q: Is ZAP suitable for testing APIs? A: Yes. ZAP can import OpenAPI/Swagger definitions and scan REST and GraphQL endpoints.

Q: Can ZAP run in a CI/CD pipeline? A: Yes. ZAP provides Docker images and an automation framework with YAML-based scan plans designed for CI integration.
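The YAML scan plan mentioned in the Self-Hosting list and in this answer, as an added example that is not from the page or the ZAP project itself: a small shell wrapper that writes a minimal Automation Framework plan and runs it headlessly from the official Docker image against your own staging deployment. The context name, report file name, placeholder target URL and the ZAP_RUN/ZAP_TARGET variables are choices made here, not ZAP defaults.

```shell
#!/usr/bin/env sh
# Added example: minimal ZAP Automation Framework plan plus the Docker
# invocation that runs it without a GUI. The target URL, context name and
# report name are placeholders; adapt them to your own staging deployment.
set -eu

# write_plan TARGET_URL PLAN_PATH: emit a plan that spiders the target, waits
# for passive-scan results, runs an active scan with ZAP's default policy and
# writes an HTML report into the mounted work directory (/zap/wrk).
write_plan() {
  target="$1"
  plan="$2"
  cat > "$plan" <<EOF
env:
  contexts:
    - name: "ci-context"
      urls:
        - "$target"
  parameters:
    failOnError: true        # non-zero exit if a job errors, so CI notices
    progressToStdout: true
jobs:
  - type: spider
    parameters:
      maxDuration: 5         # minutes; keeps pipeline time bounded
  - type: passiveScan-wait
  - type: activeScan
    parameters:
      policy: "Default Policy"
  - type: report
    parameters:
      template: "traditional-html"
      reportDir: "/zap/wrk"
      reportFile: "zap-report"
EOF
}

# zap_cmd WORKDIR PLAN_NAME: print the docker command that mounts WORKDIR at
# /zap/wrk and runs the plan headlessly (zap.sh -cmd -autorun is ZAP's own
# entry point for automation plans).
zap_cmd() {
  printf 'docker run --rm -v %s:/zap/wrk/:rw -t ghcr.io/zaproxy/zaproxy:stable zap.sh -cmd -autorun /zap/wrk/%s\n' "$1" "$2"
}

# Only scan when explicitly requested: ZAP_RUN=1 ZAP_TARGET=https://staging.example.test sh zap-ci.sh
if [ "${ZAP_RUN:-0}" = "1" ]; then
  write_plan "${ZAP_TARGET:?set ZAP_TARGET to your staging URL}" "$PWD/plan.yaml"
  sh -c "$(zap_cmd "$PWD" plan.yaml)"
fi
```

The report lands in the mounted directory as zap-report.html; in a pipeline, archive it as a build artifact and fail the job on the scanner's exit code.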

Q: Does ZAP support authenticated scanning? A: Yes. You can configure form-based, script-based, or header-based authentication contexts to scan pages behind login.

Q: How does ZAP handle false positives? A: ZAP assigns confidence levels to findings. You can tune scan policies, mark false positives, and create custom rules to reduce noise.
