OWASP ZAP (Zed Attack Proxy) is one of the most widely used open-source web application security scanners. It started as an OWASP flagship project and is now developed at zaproxy.org. ZAP sits between your browser and the target web app, intercepting traffic and actively probing for vulnerabilities. Whether you’re a developer running quick checks on a staging environment or a pentester performing a full engagement, ZAP gives you a powerful, free toolkit for finding web application flaws.
Installing OWASP ZAP
ZAP runs on any platform with Java 11 or later. On Kali Linux it is packaged in the default repositories:
sudo apt update && sudo apt install zaproxy -y
On Ubuntu use the snap (sudo snap install zaproxy --classic) or download the cross-platform installer directly from zaproxy.org. ZAP also ships as a Docker image, which is ideal for CI/CD pipelines:
docker pull ghcr.io/zaproxy/zaproxy:stable
Launch the GUI with zaproxy (or zap.sh from the installer or tarball), or start a headless daemon for scripted scanning with zap.sh -daemon. The daemon exposes ZAP’s REST API on the proxy port; the API is guarded by a key, which you can set explicitly with -config api.key=<key> so your scripts know it.
Understanding ZAP’s Core Modes
ZAP operates in several modes that control what it’s allowed to do:
- Safe Mode — No potentially dangerous operations at all: no spidering, scanning or resending of requests. Useful for browsing and recording traffic without risk.
- Protected Mode — Potentially dangerous operations are only allowed against URLs in scope.
- Standard Mode — No restrictions; any URL can be attacked.
- ATTACK Mode — In-scope nodes are actively scanned as soon as they are discovered.
For authorized testing, Protected mode is usually the right choice because it fences the spider and active scanner to the context you defined; Standard mode removes that safety net. Always define a scope before running active scans.
Setting Up a Manual Proxy
ZAP’s default proxy listens on 127.0.0.1:8080. Configure your browser to route traffic through this address, or use the browser buttons on ZAP’s toolbar, which launch Firefox or Chrome with the proxy and ZAP’s root CA already set up. Once traffic flows through ZAP, every request and response is recorded in the Sites tree on the left panel.
For Firefox, go to Settings > General > Network Settings > Settings..., choose Manual proxy configuration, set HTTP proxy to 127.0.0.1, port 8080, and tick “Also use this proxy for HTTPS”. Then save ZAP’s root CA certificate (Tools > Options > Network > Server Certificates; Dynamic SSL Certificates in older releases) and import it under Privacy & Security > Certificates > View Certificates > Authorities so HTTPS traffic is intercepted without certificate warnings. That CA lets ZAP forge a certificate for any site, so keep it in a dedicated testing profile and remove it when the engagement ends.
Passive Scanning: Zero-Risk Reconnaissance
Passive scanning happens automatically as you browse. ZAP inspects every request and response that passes through the proxy without sending any additional traffic to the server, so it is safe to leave on even in Safe mode. It flags issues such as:
- Missing security headers (Content-Security-Policy, X-Frame-Options, Strict-Transport-Security)
- Cookies without HttpOnly, Secure or SameSite attributes
- Information disclosure in server headers, HTML comments and error messages
- Insecure form submissions over HTTP
Browse through the entire application — log in, navigate all pages, submit forms — while ZAP silently maps the attack surface. When you’re done, check the Alerts tab for passive findings.
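To make the passive rules concrete, here is an added example (my own simplified reimplementation, not ZAP’s rule code) that applies the checks listed above to a raw HTTP response. The two responses are constructed for the demo; the finding names mirror ZAP’s alert titles, but the logic is reduced to the essentials, and the version-leak check (any dotted number in Server or X-Powered-By) is my own heuristic.

```python
import re

# Simplified stand-in for a handful of ZAP passive scan rules. Added example,
# not ZAP's own code: it shows what "inspect the response, send nothing" means.


def parse_response(raw: str):
    """Split a raw HTTP/1.x response into (status_code, headers, body).

    Headers come back as a list of (lowercased name, value) pairs so repeated
    headers such as Set-Cookie are all kept.
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers, body


def passive_checks(raw: str, over_tls: bool = True) -> list:
    """Return a list of finding strings for one response, ZAP-style."""
    _status, headers, body = parse_response(raw)
    names = {name for name, _ in headers}
    findings = []

    # Missing security headers. Like ZAP, accept a CSP frame-ancestors
    # directive as an alternative to X-Frame-Options.
    csp = " ".join(v for n, v in headers if n == "content-security-policy")
    if "content-security-policy" not in names:
        findings.append("Content Security Policy (CSP) Header Not Set")
    if "x-frame-options" not in names and "frame-ancestors" not in csp:
        findings.append("Missing Anti-clickjacking Header")
    if over_tls and "strict-transport-security" not in names:
        findings.append("Strict-Transport-Security Header Not Set")

    # Cookie attributes: Secure only matters when the site is served over TLS.
    for name, value in headers:
        if name != "set-cookie":
            continue
        parts = value.split(";")
        cookie = parts[0].split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in parts[1:]}
        if "httponly" not in attrs:
            findings.append(f"Cookie No HttpOnly Flag: {cookie}")
        if over_tls and "secure" not in attrs:
            findings.append(f"Cookie Without Secure Flag: {cookie}")
        if not any(a.startswith("samesite=") for a in attrs):
            findings.append(f"Cookie without SameSite Attribute: {cookie}")

    # Information disclosure: a dotted version number in a banner header
    # (heuristic for the demo).
    for name, value in headers:
        if name in ("server", "x-powered-by") and re.search(r"\d+\.\d+", value):
            findings.append(f"Server Leaks Version Information via {name}: {value}")

    # Forms whose action points at plain HTTP submit credentials in the clear.
    for action in re.findall(r"<form[^>]*\baction=[\"']([^\"']+)", body, re.I):
        if action.lower().startswith("http://"):
            findings.append(f"Insecure Form Submission over HTTP: {action}")

    return findings


# Constructed responses for the demo (not captured from a real host).
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: JSESSIONID=abc123; Path=/\r\n"
    "Set-Cookie: theme=dark; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "\r\n"
    "<html><body><form action=\"http://staging.example.com/login\" method=\"post\">"
    "</form></body></html>"
)

HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Set-Cookie: JSESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Strict\r\n"
    "\r\n"
    "<html><body><form action=\"/login\" method=\"post\"></form></body></html>"
)

if __name__ == "__main__":
    for finding in passive_checks(WEAK_RESPONSE):
        print("ALERT:", finding)
    print("hardened response findings:", passive_checks(HARDENED_RESPONSE))
```

The weak response raises eight findings (three missing headers, three cookie attributes on JSESSIONID, a version banner and a plain-HTTP form); the hardened one raises none. Real ZAP rules are more careful (they look at content types, cache headers, whitelisted values and so on), which is why the passive scanner stays quiet on static assets that this toy version would flag.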
Spidering and AJAX Crawling
Before active scanning, use the spider to discover URLs automatically.
Traditional Spider
Right-click any node in the Sites tree and select Attack > Spider. ZAP will follow links, parse HTML, and submit forms to enumerate pages. This works well for server-rendered applications.
AJAX Spider
For single-page applications (React, Angular, Vue) where content loads dynamically, use the AJAX Spider instead:
Tools > AJAX Spider > Start Scan
The AJAX Spider launches a real browser (Firefox or Chrome, chosen under Tools > Options > AJAX Spider, usually in headless mode) and clicks through JavaScript-rendered content, giving ZAP a far more complete picture of modern web apps. It is much slower than the traditional spider, so run the traditional spider first and then the AJAX Spider on the same context.
Running an Active Scan
Active scanning sends crafted payloads to the target to trigger real vulnerabilities. Only run active scans against applications you own or have explicit written permission to test.
- Right-click the target in the Sites tree.
- Select Attack > Active Scan.
- Choose a scan policy (the Default Policy enables ZAP’s standard set of active rules; the Scan Policy Manager lets you tune it).
- Click Start Scan.
ZAP tests for SQL injection, XSS, command injection, path traversal, XXE, remote file inclusion and dozens of other vulnerability classes. Active scans generate heavy traffic and change application state: they submit every form and parameter they find, which can create, modify or delete records and trigger emails or other side effects. Run them against dedicated test environments with disposable data, never against production.
Custom Scan Policies
Navigate to Analyze > Scan Policy Manager to create custom policies. You can enable or disable individual rules or whole categories, adjust attack strength (Low/Medium/High/Insane, which controls how many payloads each rule sends) and set alert thresholds (Off/Low/Medium/High, which control how much evidence a rule needs before raising an alert; Low reports more and produces more false positives). For a quick scan, reduce strength and keep thresholds at Medium; for a thorough engagement, raise strength to High on the rules that matter, bearing in mind that Insane can multiply the request count and scan time many times over.
Fuzzing with ZAP
ZAP includes a powerful fuzzer. Highlight any value in a recorded request (a parameter, header or cookie), right-click, and choose Fuzz. Add payloads from the bundled file fuzzers (stored under ~/.ZAP/fuzzers/ and populated by the FuzzDB Files and DirBuster add-ons from the Marketplace), from a string list, a regex generator or a script, or import your own wordlists. The fuzzer displays response codes, sizes, and time deltas per payload, so sorting by any of those columns makes the anomalies that indicate an injection point stand out.
Fuzz list locations:
~/.ZAP/fuzzers/dirbuster/ # directory brute-forcing
~/.ZAP/fuzzers/fuzzdb/ # injection payloads
Automated Scanning with the ZAP CLI
For CI/CD integration, use the packaged scan scripts in the Docker image rather than the GUI. Mount the working directory on /zap/wrk so the report survives the container exiting, then run a baseline scan (spider plus passive rules only, no active attacks) against a staging URL:
docker run --rm -v "$(pwd)":/zap/wrk/:rw ghcr.io/zaproxy/zaproxy:stable zap-baseline.py \
-t https://staging.example.com \
-r zap-report.html \
-I
For a full scan, which adds the active scanner and therefore needs the same authorization as any active scan:
docker run --rm -v "$(pwd)":/zap/wrk/:rw ghcr.io/zaproxy/zaproxy:stable zap-full-scan.py \
-t https://staging.example.com \
-r full-report.html
Both scripts exit 0 when nothing fired, 1 when a rule set to FAIL fired and 2 when only WARN rules fired. Every rule defaults to WARN, so any alert would normally end the job with exit code 2, which most CI systems treat as a failure. The -I flag tells the script not to treat warnings as failure, which keeps the pipeline green while you establish a baseline. To turn the scan into a real gate, generate a config file listing every rule with -g zap.conf, change the rules you care about from WARN to FAIL (or IGNORE for accepted noise), and pass it back with -c zap.conf; add -J zap-report.json to also write a JSON report for programmatic processing.
Reading ZAP Reports
ZAP generates HTML, XML, JSON, and Markdown reports. Each alert includes:
- Risk level (High/Medium/Low/Informational)
- Confidence (False Positive/Low/Medium/High)
- Description and Solution
- The specific request and response that triggered the alert
- A CWE and WASC reference
High-risk, high-confidence findings should be addressed first. Informational and low-confidence alerts are often noise; mark genuine false positives as such in the Alerts tab so they stop reappearing in later scans. Cross-reference alerts with the OWASP Top 10 (the CWE reference on each alert makes this straightforward) to prioritize remediation.
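The risk and confidence fields above are exactly what a pipeline gate needs, and they complement the -c rule config from the CLI section. The following added example (not part of ZAP or its scan scripts) reads the JSON report that zap-baseline.py or zap-full-scan.py writes with -J, applies a rule configuration in the same tab-separated “id, FAIL|WARN|IGNORE, comment” format those scripts accept with -c, and returns the exit-code convention they use (0 pass, 1 fail, 2 warn). The report excerpt is constructed to match the traditional JSON report layout (site > alerts, with pluginid, riskcode and confidence as strings); verify the field names against a report from your own ZAP version before relying on it.

```python
import json
import sys

# CI gate over a ZAP JSON report. Added example, not one of ZAP's own scripts.
# Risk and confidence codes as ZAP writes them (strings in the JSON report).
RISK = {"0": "Informational", "1": "Low", "2": "Medium", "3": "High"}
CONFIDENCE = {"0": "False Positive", "1": "Low", "2": "Medium", "3": "High"}


def parse_rules(text: str) -> dict:
    """Parse a zap-baseline.py style config: '<rule id>\\t<FAIL|WARN|IGNORE>\\t(comment)'."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) >= 2 and parts[1].strip().upper() in ("FAIL", "WARN", "IGNORE"):
            rules[parts[0].strip()] = parts[1].strip().upper()
    return rules


def iter_alerts(report: dict):
    """Yield (site name, alert dict) for every alert in a traditional JSON report."""
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            yield site.get("@name", "?"), alert


def gate(report: dict, rules: dict, ignore_warnings: bool = False,
         fail_risk: int = 3, min_confidence: int = 2):
    """Decide the pipeline outcome for one report.

    Explicit rules win. Alerts with no rule FAIL when their risk code is at
    least fail_risk (3 = High) and WARN otherwise. Alerts below min_confidence
    (2 = Medium; 0 means ZAP marked it False Positive) are dropped as noise.
    Returns (exit_code, lines) with 0 pass, 1 fail, 2 warn, like the scripts.
    """
    fails, warns = [], []
    for site, alert in iter_alerts(report):
        rule_id = str(alert.get("pluginid", ""))
        action = rules.get(rule_id)
        if action is None:
            action = "FAIL" if int(alert.get("riskcode", "0")) >= fail_risk else "WARN"
        if action == "IGNORE":
            continue
        if int(alert.get("confidence", "0")) < min_confidence:
            continue
        risk = RISK.get(str(alert.get("riskcode")), "?")
        conf = CONFIDENCE.get(str(alert.get("confidence")), "?")
        line = (f"{action}: [{rule_id}] {alert.get('alert')} "
                f"risk={risk} confidence={conf} x{alert.get('count', '?')} on {site}")
        (fails if action == "FAIL" else warns).append(line)
    if fails:
        code = 1
    elif warns and not ignore_warnings:
        code = 2
    else:
        code = 0
    return code, fails + warns


# Constructed report excerpt (rule ids are real ZAP rule ids; the counts and
# site are made up for the demo).
SAMPLE_REPORT = json.loads("""
{"@version": "2.14.0", "site": [{"@name": "https://staging.example.com", "alerts": [
  {"pluginid": "40018", "alert": "SQL Injection", "riskcode": "3", "confidence": "2",
   "count": "1", "cweid": "89", "wascid": "19"},
  {"pluginid": "10038", "alert": "Content Security Policy (CSP) Header Not Set",
   "riskcode": "2", "confidence": "3", "count": "12", "cweid": "693", "wascid": "15"},
  {"pluginid": "10021", "alert": "X-Content-Type-Options Header Missing",
   "riskcode": "1", "confidence": "2", "count": "12", "cweid": "693", "wascid": "15"},
  {"pluginid": "10096", "alert": "Timestamp Disclosure - Unix",
   "riskcode": "1", "confidence": "1", "count": "3", "cweid": "200", "wascid": "13"}
]}]}
""")

# Constructed -c style config: accept the missing X-Content-Type-Options
# header for now, but treat a missing CSP as a hard failure.
SAMPLE_RULES = (
    "10021\tIGNORE\t(X-Content-Type-Options Header Missing)\n"
    "10038\tFAIL\t(Content Security Policy (CSP) Header Not Set)\n"
)

if __name__ == "__main__":
    # Usage: python gate.py zap-report.json zap.conf  (falls back to the samples)
    if len(sys.argv) >= 3:
        with open(sys.argv[1]) as f, open(sys.argv[2]) as g:
            report, rules = json.load(f), parse_rules(g.read())
    else:
        report, rules = SAMPLE_REPORT, parse_rules(SAMPLE_RULES)
    code, lines = gate(report, rules, ignore_warnings="-I" in sys.argv)
    print("\n".join(lines) or "no alerts above threshold")
    sys.exit(code)
```

With the sample config the SQL injection alert fails on risk alone and the CSP alert fails because the config says so, while the X-Content-Type-Options alert is ignored and the low-confidence timestamp disclosure is filtered out, so the script exits 1 and prints two FAIL lines. Keep the config file in the repository next to the pipeline definition so that every change to what is tolerated goes through code review.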
Authentication and Session Management
ZAP supports authenticated scanning through form-based, JSON-based, HTTP/NTLM and script-based authentication, configured per context in the context’s Authentication panel (double-click the context in the Sites tree). Pair it with a session-management method (cookie-based by default), define at least one user with credentials under Users, and set logged-in and logged-out indicators: regular expressions that match only authenticated pages (for example a Logout link) or only unauthenticated ones (a login form). ZAP uses them to detect that a session has expired and re-authenticates as that user during long scans. Because the spider and scanner then run as a chosen user, also add the logout URL to the context’s exclusions so ZAP cannot kill its own session. For repeatable runs, the same context, users and scan jobs can be written as an Automation Framework YAML plan and executed headlessly with zap.sh -cmd -autorun plan.yaml.
Tips for Better Results
- Define a context and scope before scanning so the spider and scanner never wander into third-party services such as CDNs, analytics or payment providers.
- Exclude logout URLs from the context (and the spider) to prevent ZAP from logging itself out mid-scan.
- Use the HUD (Heads Up Display) add-on to see alerts and scope controls overlaid directly in the browser as you manually browse.
- Combine ZAP with Burp Suite — use ZAP for automated scanning and Burp for manual interception and exploitation.
Conclusion
OWASP ZAP is a versatile, beginner-friendly, and genuinely capable web application security tool. Its passive scanning, active attack engine, AJAX spider, and CI/CD-ready CLI make it equally useful for developers doing shift-left security testing and pentesters conducting full assessments. Master ZAP alongside manual testing techniques, and you’ll have a solid foundation for web application security work.