OWASP ZAP

OWASP ZAP (Zed Attack Proxy) is a free, open-source web application security scanner maintained by OWASP. It's designed for finding vulnerabilities in web applications during development and testing.

Key Features

  • Intercepting Proxy: View and modify requests/responses
  • Active Scanner: Automated vulnerability scanning
  • Passive Scanner: Non-intrusive issue detection
  • Spidering: Automatic site crawling
  • Fuzzer: Parameter manipulation testing
  • Forced Browse: Directory enumeration

Usage Modes

# Desktop GUI
zap.sh

# Headless/daemon mode
zap.sh -daemon -port 8080

# Command line scan
zap-cli quick-scan --self-contained http://target.com

# Docker
docker run -t owasp/zap2docker-stable zap-baseline.py -t http://target

Automation Scripts

# Baseline scan (CI/CD friendly)
zap-baseline.py -t http://target.com

# Full scan
zap-full-scan.py -t http://target.com

# API scan
zap-api-scan.py -t http://target.com/openapi.json -f openapi

CI/CD Integration

ZAP provides Docker images and scripts for integration into Jenkins, GitLab CI, GitHub Actions, and other CI/CD platforms.
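A small pipeline gate over the JSON report that the baseline scan writes with `-J report.json`, added here as an example and not part of ZAP's own scripts; the report sample is constructed, and the script assumes ZAP's `riskcode` values of "0" (Informational) through "3" (High).

```python
"""CI gate for a ZAP baseline-scan JSON report (zap-baseline.py -t URL -J report.json)."""
import json
import sys
from collections import Counter

# ZAP's JSON report encodes risk as a string "0".."3"; names as ZAP shows them.
RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}


def load_alerts(report):
    """Yield every alert from every scanned site in a ZAP JSON report dict."""
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            yield alert


def risk_summary(report):
    """Count alerts per risk level, e.g. {'High': 1, 'Medium': 2}."""
    return dict(Counter(RISK_NAMES[int(a["riskcode"])] for a in load_alerts(report)))


def failing_alerts(report, fail_at=2):
    """Return distinct alert names at or above fail_at (default: Medium and High)."""
    return sorted({a["alert"] for a in load_alerts(report) if int(a["riskcode"]) >= fail_at})


# Constructed sample report, trimmed to the fields the gate reads.
SAMPLE_REPORT = {
    "@version": "2.14.0",
    "site": [{
        "@name": "http://target.example",
        "alerts": [
            {"pluginid": "10038", "alert": "Content Security Policy (CSP) Header Not Set",
             "riskcode": "2", "confidence": "3"},
            {"pluginid": "10021", "alert": "X-Content-Type-Options Header Missing",
             "riskcode": "1", "confidence": "2"},
            {"pluginid": "40012", "alert": "Cross Site Scripting (Reflected)",
             "riskcode": "3", "confidence": "2"},
        ],
    }],
}

if __name__ == "__main__":
    # Usage: python zap_gate.py report.json   (non-zero exit fails the pipeline stage)
    report = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_REPORT
    print("Alerts by risk:", risk_summary(report))
    blocking = failing_alerts(report)
    for name in blocking:
        print("BLOCKING:", name)
    sys.exit(1 if blocking else 0)
```

Run it as a step after `zap-baseline.py` and tune `fail_at` per environment; the scan's own `-c` rules file remains the place to silence individual rules rather than this gate.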

Advantages

  • Completely free and open source
  • Active community development
  • Extensive add-on marketplace
  • Good for automation and DevSecOps

See Also