Skip to content
>_devvkit
$devvkit learn --librarie owasp-zap-guide

OWASP ZAP Guide

[security][web][scanner][pentest]
Security & Cryptography
Install
# Download from zaproxy.org/download/
# macOS:
brew install --cask zap
# Docker:
docker pull ghcr.io/zaproxy/zaproxy
# Linux/WSL: download and run zap.sh

ZAP (Zed Attack Proxy) sits between your browser and the target web app, intercepting traffic to identify vulnerabilities: XSS, SQL injection, CSRF, insecure headers, missing CORS, and more. It works as both an intercepting proxy and an automated scanner.

The Quick Start tab has an "Automated Scan" — enter a URL and ZAP spiders the site, passively scans every request/response, and actively attacks discovered endpoints. Use the HUD (Heads-Up Display) overlay for in-browser control.

ZAP runs headless in CI via `zap.sh -cmd -quickurl https://example.com -quickout report.html`. The Docker image is ideal for CI pipelines. OpenAPI and GraphQL support auto-imports API definitions. GUI: ZAP Desktop UI, Burp Suite Community (alternative).

Automated Scan

Quick automated scanSpider + passive + active scan.
# CLI:
zap.sh -cmd -quickurl https://example.com -quickout report.html

# Or in Docker:
docker run -v $(pwd):/zap/wrk:rw -t ghcr.io/zaproxy/zaproxy \
  zap.sh -cmd -quickurl https://example.com \
  -quickout /zap/wrk/report.html

# JSON report:
  -quickout /zap/wrk/report.json
Passive scan rulesCheck security headers.
# Disable specific rules (noisy ones):
  -config rules.cookie.set.alert=false
  -config rules.csrf.alert=false

# Enable all passive scan rules (in zap.conf):
# See: /zap/configs/scripts/ for custom scripts

# Check for missing headers automatically:
# ZAP flags: missing X-Frame-Options, X-Content-Type-Options, CSP, HSTS
Export resultsMultiple report formats.
# HTML report:
  -quickout /zap/wrk/report.html
# JSON (for further processing):
  -quickout /zap/wrk/report.json
# SARIF (GitHub Code Scanning):
zap.sh -cmd -quickurl https://example.com \
  -quickout /zap/wrk/report.sarif.json

HUD Mode

HUD (Heads-Up Display)In-browser attack UI.
# Enable HUD in ZAP Desktop:
# Tools → HUD → Enable HUD
# Or pass to CLI:
zap.sh -hud

# HUD overlays your browser with:
# - Alert count badges
# - Break/Continue buttons (intercept requests)
# - Quick attack buttons (XSS, SQLi, etc.)
# - History explorer

# Tutorial at: https://github.com/zaproxy/zap-hud

API Scan

Docker with API scanScan with OpenAPI spec.
docker run -v $(pwd):/zap/wrk:rw -t ghcr.io/zaproxy/zaproxy \
  zap-api-scan.py -t https://example.com/openapi.json \
  -f openapi -r /zap/wrk/api-report.html

# GraphQL:
zap-graphql-scan.py -t https://example.com/graphql \
  -r report.html

# With authentication:
  -C "Bearer token123"

CI / Docker

CI integrationGitHub Actions / Jenkins.
# GitHub Actions (zap-full-scan.yml):
# uses: zaproxy/action-full-scan@v0
# with:
#   target: "https://staging.example.com"
#   rules_file_name: ".zap/rules.tsv"

# Fail on high/critical alerts:
docker run -v $(pwd):/zap/wrk:rw \
  -e ZAP_JVM_OPTS="-Dzap.failOnAlert=High" \
  ghcr.io/zaproxy/zaproxy zap-full-scan.py \
  -t https://example.com -r /zap/wrk/report.html
  -I  # Disable active scan (passive only, faster)
Alert filteringIgnore false positives.
# .zap/rules.tsv (tab-separated)
# RuleId  NewLevel  NewConfidence  Description
10055    IGNORE     IGNORE         # CORS header: ignore
10038    FALSE      MEDIUM         # CSP: mark as false positive

# Apply:
  -config "rulesfile=/zap/wrk/.zap/rules.tsv"

Manual Testing

Context + authScan authenticated pages.
# Desktop workflow:
# 1. Right-click site → "Include in Context"
# 2. Configure authentication (form-based, cookie, OAuth)
# 3. Set logged-in/out indicators
# 4. Run spider + active scan within context

# CLI with env vars:
export ZAP_AUTH_HEADER="Value"
  -config view.authentication.header.header_name=X-API-Key
  -config view.authentication.header.header_value=secret