Description
OWASP ZAP (Zed Attack Proxy) is a free, open-source web application security scanner designed for both manual and automated security testing. Features include an intercepting proxy, active and passive scanners, a spider, a fuzzer, and more.
Installation
```bash
# Kali (pre-installed)
zaproxy
# Download from zaproxy.org
# Available for Linux, macOS, Windows
# Docker (GUI served in the browser via WebSwing at http://localhost:8080/zap)
docker run -u zap -p 8080:8080 -p 8090:8090 -i owasp/zap2docker-stable zap-webswing.sh
# Snap (Linux)
sudo snap install zaproxy --classic
```
Basic Usage
```bash
# Launch GUI
zaproxy
# Quick scan with zap-cli (pip install zapcli); needs a running ZAP daemon,
# or add --self-contained to let zap-cli start and stop ZAP itself
zap-cli quick-scan https://target.com
# Baseline scan (CI/CD friendly): spiders for about a minute, then passive checks only
docker run owasp/zap2docker-stable zap-baseline.py -t https://target.com
```
Advanced Usage
```bash
# Full scan (active + passive); mount the working dir so the report is written to the host
docker run -v "$(pwd):/zap/wrk/:rw" owasp/zap2docker-stable zap-full-scan.py -t https://target.com -r report.html
# API scan (OpenAPI/Swagger)
docker run owasp/zap2docker-stable zap-api-scan.py -t https://target.com/api/v1/openapi.json -f openapi
# Step-by-step scan with zap-cli against a ZAP daemon listening on port 8080
# (for an authenticated scan, configure a context and user in ZAP first)
zap-cli -p 8080 open-url https://target.com/login
zap-cli -p 8080 spider https://target.com
zap-cli -p 8080 active-scan https://target.com
zap-cli -p 8080 report -o report.html -f html
# AJAX spider (for SPAs)
zap-cli -p 8080 ajax-spider https://target.com
```
Key Features
- Intercepting Proxy — Capture and modify requests/responses
- Active Scanner — Automated attack with 100+ vulnerability checks
- Passive Scanner — Non-intrusive analysis of traffic
- Spider — Crawl web application to discover pages
- Fuzzer — Fuzz parameters with custom payloads
- WebSocket — Test WebSocket connections
- Add-ons — Extensive marketplace of extensions
Common Workflows
```bash
# CI/CD integration: baseline scan writing HTML and XML reports to the mounted working dir
docker run -v "$(pwd):/zap/wrk/:rw" owasp/zap2docker-stable zap-baseline.py \
  -t https://staging.target.com \
  -r zap_report.html \
  -x zap_report.xml
# Exit code: 0 = no findings, 1 = at least one FAIL, 2 = WARNs only, 3 = scan error
```
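The XML report from `-x` is what a pipeline should gate on, since the baseline exit code alone cannot express "fail on Medium and above, but accept these known findings". The script below is an added example, not part of ZAP: it parses the traditional ZAP XML report (`OWASPZAPReport/site/alerts/alertitem`), keeps alerts at or above a risk and confidence threshold, drops risk-accepted plugin ids (the same idea as IGNORE rules in a `zap-baseline.py` config file), and returns a non-zero status when anything remains. The embedded report is constructed, not captured from a real scan.

```python
"""Gate a CI job on a ZAP XML report (zap_report.xml from -x).

Added example, not ZAP's own code. Element names follow ZAP's traditional
XML report (OWASPZAPReport/site/alerts/alertitem); SAMPLE_REPORT below is
constructed for illustration, not captured from a real scan.
"""
import sys
import xml.etree.ElementTree as ET

RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}

# Constructed sample in the shape of a ZAP XML report.
SAMPLE_REPORT = """<?xml version="1.0"?>
<OWASPZAPReport version="2.x" generated="constructed">
  <site name="https://staging.target.com" host="staging.target.com" port="443" ssl="true">
    <alerts>
      <alertitem>
        <pluginid>10021</pluginid>
        <alert>X-Content-Type-Options Header Missing</alert>
        <riskcode>1</riskcode>
        <confidence>2</confidence>
        <count>4</count>
        <instances><instance><uri>https://staging.target.com/</uri><method>GET</method></instance></instances>
      </alertitem>
      <alertitem>
        <pluginid>40012</pluginid>
        <alert>Cross Site Scripting (Reflected)</alert>
        <riskcode>3</riskcode>
        <confidence>2</confidence>
        <count>1</count>
        <instances><instance><uri>https://staging.target.com/search?q=x</uri><method>GET</method></instance></instances>
      </alertitem>
      <alertitem>
        <pluginid>10096</pluginid>
        <alert>Timestamp Disclosure</alert>
        <riskcode>0</riskcode>
        <confidence>1</confidence>
        <count>2</count>
        <instances><instance><uri>https://staging.target.com/app.js</uri><method>GET</method></instance></instances>
      </alertitem>
    </alerts>
  </site>
</OWASPZAPReport>
"""


def parse_alerts(xml_text):
    """Return one dict per alertitem with the fields needed for gating."""
    root = ET.fromstring(xml_text)
    alerts = []
    for site in root.findall("site"):
        for item in site.findall("./alerts/alertitem"):
            alerts.append({
                "site": site.get("name"),
                "pluginid": item.findtext("pluginid"),
                "name": item.findtext("alert"),
                "risk": int(item.findtext("riskcode", "0")),        # 0 Info .. 3 High
                "confidence": int(item.findtext("confidence", "0")),  # 0 FP .. 3 High
                "count": int(item.findtext("count", "0")),
                "uris": [i.findtext("uri") for i in item.findall("./instances/instance")],
            })
    return alerts


def gate(alerts, min_risk=2, min_confidence=1, accepted=()):
    """Return the alerts that should fail the build.

    accepted: plugin ids whose findings are risk-accepted and skipped.
    """
    accepted = set(accepted)
    return [
        a for a in alerts
        if a["risk"] >= min_risk
        and a["confidence"] >= min_confidence
        and a["pluginid"] not in accepted
    ]


def main(path=None):
    """Print the blocking alerts and return the process exit status (0 = pass, 1 = fail)."""
    xml_text = open(path, encoding="utf-8").read() if path else SAMPLE_REPORT
    failing = gate(parse_alerts(xml_text), accepted={"10021"})
    for a in failing:
        example = a["uris"][0] if a["uris"] else "-"
        print(f"[{RISK_NAMES[a['risk']]}] {a['pluginid']} {a['name']} x{a['count']} e.g. {example}")
    return 1 if failing else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else None))
```

Run it as `python zap_gate.py zap_report.xml` after the Docker step; with no argument it evaluates the constructed sample and exits 1 because of the High-risk alert. Tune `min_risk` and `min_confidence` per environment rather than silencing findings wholesale: a Low-confidence High-risk alert is usually worth a human look before it is accepted.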
Authenticated scan with context
1. Record the login in the ZAP GUI
2. Set the authentication method in the context
3. Run spider → active scan
4. Export results
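The same four steps can be driven without the GUI through ZAP's JSON API, which is how the workflow is usually automated once the login has been worked out interactively. The script below is an added example, not ZAP's own code or client library (it uses only the standard library). It assumes a ZAP daemon on `localhost:8080` with its API key in the `ZAP_API_KEY` environment variable, a form login at `https://target.com/login` that posts `username` and `password` fields, and a logged-in indicator of the word "Logout" in responses; all of those values are constructed placeholders to adjust for a real application.

```python
"""Drive the authenticated-scan workflow through the ZAP JSON API.

Added example, not ZAP's own code. Assumptions (constructed, adjust as needed):
ZAP daemon on localhost:8080, API key in ZAP_API_KEY, a form login at
TARGET/login posting `username`/`password`, and "Logout" in logged-in pages.
"""
import json
import os
import time
import urllib.parse
import urllib.request

ZAP = "http://localhost:8080"      # assumed ZAP daemon address
TARGET = "https://target.com"      # placeholder target from the cheat sheet


def api_url(component, action, params=None, kind="action"):
    """Build a ZAP JSON API URL, e.g. /JSON/context/action/newContext/?contextName=x."""
    query = urllib.parse.urlencode(params or {})
    return f"{ZAP}/JSON/{component}/{kind}/{action}/" + (f"?{query}" if query else "")


def call(component, action, params=None, kind="action"):
    """GET the endpoint with the API key header and return the decoded JSON."""
    req = urllib.request.Request(api_url(component, action, params, kind),
                                 headers={"X-ZAP-API-Key": os.environ["ZAP_API_KEY"]})
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.loads(resp.read())


def form_auth_params(login_url, user_field="username", pass_field="password"):
    """authMethodConfigParams for formBasedAuthentication: the login URL plus a
    loginRequestData template using ZAP's {%username%}/{%password%} placeholders.
    Encoded once here; api_url encodes the whole value again, as ZAP expects."""
    request_data = f"{user_field}={{%username%}}&{pass_field}={{%password%}}"
    return urllib.parse.urlencode({"loginUrl": login_url, "loginRequestData": request_data})


def wait(component, scan_id):
    """Poll the spider/ascan status view until the scan reports 100%."""
    while int(call(component, "status", {"scanId": scan_id}, kind="view")["status"]) < 100:
        time.sleep(5)


def run(username, password):
    # Steps 1-2: context, scope and form-based authentication (what the GUI
    # configures when you record a login and set the auth method on the context)
    ctx = call("context", "newContext", {"contextName": "target"})["contextId"]
    call("context", "includeInContext", {"contextName": "target", "regex": TARGET + ".*"})
    call("authentication", "setAuthenticationMethod", {
        "contextId": ctx, "authMethodName": "formBasedAuthentication",
        "authMethodConfigParams": form_auth_params(TARGET + "/login")})
    call("authentication", "setLoggedInIndicator",
         {"contextId": ctx, "loggedInIndicatorRegex": r"\QLogout\E"})
    user = call("users", "newUser", {"contextId": ctx, "name": username})["userId"]
    call("users", "setAuthenticationCredentials", {
        "contextId": ctx, "userId": user,
        "authCredentialsConfigParams": urllib.parse.urlencode(
            {"username": username, "password": password})})
    call("users", "setUserEnabled", {"contextId": ctx, "userId": user, "enabled": "true"})
    # Step 3: spider, then active scan, both as the authenticated user
    wait("spider", call("spider", "scanAsUser",
                        {"contextId": ctx, "userId": user, "url": TARGET})["scanAsUser"])
    wait("ascan", call("ascan", "scanAsUser",
                       {"url": TARGET, "contextId": ctx, "userId": user})["scanAsUser"])
    # Step 4: export the HTML report (an OTHER endpoint: raw document, not JSON)
    req = urllib.request.Request(f"{ZAP}/OTHER/core/other/htmlreport/",
                                 headers={"X-ZAP-API-Key": os.environ["ZAP_API_KEY"]})
    with urllib.request.urlopen(req, timeout=60) as resp, open("report.html", "wb") as out:
        out.write(resp.read())


if __name__ == "__main__":
    run(os.environ["SCAN_USER"], os.environ["SCAN_PASS"])
```

Credentials come from the environment so they never land in a script or CI log, and the logged-in indicator is what lets ZAP detect a dropped session and re-authenticate mid-scan; without it an expired session silently turns an authenticated scan into an unauthenticated one, which is the most common reason such scans report far fewer findings than expected.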