What is Zed Attack Proxy (Formerly OWASP ZAP)?
Zed Attack Proxy (ZAP), for many years an OWASP flagship project and now maintained by Checkmarx, is a free, open-source web application security scanner. It is a dynamic application security testing (DAST) tool: it finds vulnerabilities by exercising a web application while it is running, rather than by reading its source code. ZAP is widely used by security professionals and developers to identify and fix security weaknesses in web applications before deployment, and it doubles as an intercepting proxy for manual testing.
Key features and functionality:
- Dynamic Application Security Testing (DAST): ZAP focuses on testing web applications in their running state, simulating real-world attacks to uncover vulnerabilities.
- Active and passive scanning: ZAP offers both active and passive scanning modes. Active scanning sends malicious requests to the application to test for vulnerabilities, while passive scanning analyzes traffic passing through ZAP without actively interacting with the application.
- Automated and manual testing: ZAP supports automated scans for quick vulnerability identification and manual testing for in-depth analysis and targeted attacks.
- Spidering: ZAP includes spidering functionality to crawl a website, discover its pages, and identify potential entry points for attacks. It also has an AJAX Spider for single-page applications.
- Fuzzer: ZAP's fuzzer allows users to send unexpected or incorrect data to a web application to test its robustness and identify potential vulnerabilities.
- Authentication and session management: ZAP can be configured to handle authentication and session management, allowing it to test authenticated areas of a web application.
- Contexts: ZAP uses contexts to define the scope of testing, allowing users to focus on specific parts of a web application.
- Alerts and reporting: ZAP identifies potential vulnerabilities and reports them as alerts, providing detailed information about the issue and its potential impact.
- Extensibility: ZAP can be extended with add-ons to enhance its functionality and integrate with other tools.
You can get Zed Attack Proxy from the official project page.
Zed Attack Proxy originated as a fork of the Paros proxy, an earlier web security testing tool developed by Chinotec Technologies. The fork was led by Simon Bennetts, who aimed to modernize the codebase and expand functionality to better support dynamic web application security testing. Over time, the majority of the original Paros code was replaced as ZAP evolved into a distinct project.
The first public release of ZAP was announced in September 2010, and it became an official OWASP project shortly afterward. In 2023, the project transitioned to the Linux Foundation as part of the Software Security Project, reflecting its maturity and broader industry relevance. In 2024, the core development team joined Checkmarx, and the tool was rebranded as ZAP by Checkmarx, while remaining open source under the Apache License 2.0.
1. Dynamic Application Security Testing (DAST)
ZAP's foundation is dynamic application security testing (DAST): it analyzes live web applications for security vulnerabilities. Working in "black box" mode, ZAP interacts with the running service and sends the kinds of requests a real attacker would, probing for issues such as cross-site scripting (XSS), SQL injection and path traversal. This method does not require access to the application's source code or internal workings, so it can be applied to any web application you are authorized to test, whatever language or framework it is built with.
DAST finds problems that static code review cannot see because they only exist in the deployed system: server and framework misconfigurations, missing security headers, components and backing services that are not part of the code base, and input handling that behaves differently at runtime than it appears to in source. ZAP does not understand an application's business logic, so logic flaws still have to be found by a tester driving the application through ZAP's proxy; what the scanner adds there is visibility into every request and response involved.
2. Active and Passive Scanning
Active scanning in ZAP involves sending crafted requests to an application, probing for vulnerabilities by simulating attacks. This technique actively looks for security holes but should only be run against test environments, as it may disrupt the application or generate unwanted data. The scanner looks for issues like injection flaws, authentication bypasses, and session management problems.
Passive scanning, in contrast, monitors standard application traffic and analyzes requests and responses without modifying them. It’s a non-intrusive method ideal for detecting problems that don’t require active probing, such as missing security headers, information leakage, or insecure cookies. Combining both scanning methods provides thorough coverage and enables testers to manage the risk associated with scanning production environments.
3. Automated and Manual Testing
ZAP supports automated security testing, so vulnerability checks can be embedded in continuous integration (CI) or continuous deployment (CD) pipelines. Automation reduces manual effort, scales across many applications and catches security regressions early in the development lifecycle. ZAP runs headless in daemon mode (zap.sh -daemon) and can be driven over its REST API; the official Docker images also ship packaged scans (zap-baseline.py, zap-full-scan.py and zap-api-scan.py) that run a scan and exit with a non-zero status when alerts reach the configured warn or fail level; and the Automation Framework executes a YAML plan describing environment, spidering, scanning and reporting in a single run.
Manual testing features allow security professionals to dig deeper and perform custom attacks or analysis. ZAP’s user interface provides controls for intercepting requests, modifying parameters, and replaying traffic. This flexibility enables testers to fine-tune their approach, test business logic scenarios, and explore areas where automated scanners might fall short.
4. Spidering
ZAP's spider automatically crawls a web application to discover its pages and endpoints and build a site map for further analysis. The traditional spider parses HTML and related resources (links, forms, robots.txt, sitemap.xml) without executing JavaScript, so it is fast but blind to navigation that only exists in client-side code. The AJAX Spider closes that gap by driving a real browser and recording every request the page's JavaScript makes. Both can run in an authenticated or an unauthenticated session.
The spider can be constrained to a context or URL subtree, limited in link depth and in the number of children fetched per node, and combined with manual exploration to reach pages that no link points to. Running the traditional spider first and the AJAX Spider second is the usual approach for single-page applications and other sites with heavy client-side routing, which simpler crawlers miss.
5. Fuzzing Capabilities
ZAP's fuzzer hunts for security vulnerabilities by sending malformed or unexpected input to application endpoints. Fuzzing exposes input validation flaws, injection vulnerabilities and inputs that crash or hang the back end, any of which could compromise the system. ZAP ships payload lists (and can load FuzzDB and custom files), offers payload generators such as numeric ranges and regular expressions, and applies processors such as URL or Base64 encoding, so testers can tailor the strategy to the target application's characteristics.
Fuzzing can be applied to various attack surfaces, including forms, URL parameters, cookies, headers, and API endpoints. The tool provides real-time feedback as it sends inputs, highlighting anomalies or potential vulnerabilities. This approach helps expose issues not easily detectable by basic scans or static analysis, further expanding ZAP’s security coverage.
6. Authentication and Session Management
Effective security testing requires the ability to simulate authenticated and unauthenticated users. ZAP’s authentication features allow testers to record login sequences, use custom authentication scripts, and maintain session state throughout scanning and fuzzing. This is crucial for thorough assessment of protected areas, multi-step workflows, and user-specific vulnerabilities.
Session management support in ZAP includes handling cookies, tokens, and other mechanisms used by modern applications to track users. Testers can replay sessions, assess authorization controls, and confirm that improper access is not possible. By analyzing how sessions and authentication are enforced, ZAP enables the detection of privilege escalation, broken authentication, and session fixation bugs.
7. Contexts
Contexts in OWASP ZAP define the scope of testing by grouping related URLs, parameters, users, and authentication settings. They allow testers to specify which parts of an application should be included or excluded from scans, helping avoid unintended testing of out-of-scope assets. This is especially useful for large or complex applications with multiple domains or functional areas.
By using contexts, testers can apply different authentication methods, session handling rules, and scan policies to specific application areas. This makes testing more precise and repeatable, reducing noise in scan results and ensuring that security assessments focus on the most relevant components.
8. Alerts and Reporting
ZAP organizes identified vulnerabilities as alerts, assigning risk levels and categorizing issues for easier management. Its alert mechanism allows users to filter and prioritize findings based on severity, type, or affected component. Each alert contains a detailed description, references, and remediation advice to facilitate effective vulnerability management.
Flexible reporting options in ZAP support several output formats, including HTML, XML, JSON, Markdown and SARIF, making it easy to share results with developers, managers or compliance teams. Reports can be filtered by context, site, risk level and confidence, and the report templates themselves can be customized. Reports can be generated from the desktop UI, from the REST API or at the end of an Automation Framework run, which helps document testing results for audits and ongoing security tracking.
9. Extensibility
OWASP ZAP is designed to be extensible through a rich add-on ecosystem. Add-ons can introduce new scanners, passive checks, authentication methods, or user interface enhancements. This modular approach allows users to tailor ZAP to their specific testing requirements without modifying the core application.
In addition to add-ons, ZAP supports scripting and automation through its REST-based API and daemon mode. These capabilities enable integration with external tools, custom workflows, and CI/CD pipelines. Extensibility ensures ZAP can adapt to new technologies, protocols, and testing scenarios as web application architectures continue to evolve.
Uri Dorot
Uri Dorot is a senior product marketing manager at Radware, specializing in application protection solutions, service and trends. With a deep understanding of the cyberthreat landscape, Uri helps bridge the gap between complex cybersecurity concepts and real-world outcomes.
Tips from the expert:
In my experience, here are tips that can help you better use Zed Attack Proxy (OWASP ZAP) for advanced and effective web application security testing:
Run ZAP with custom scan policies tailored to your threat model: Instead of relying on the default scan policies, create custom scan profiles that prioritize your most relevant threat classes (e.g., API-specific vulnerabilities, business logic flaws). This minimizes noise and accelerates meaningful findings, especially in environments with limited scanning time.
Chain ZAP with MITM tools for deeper traffic analysis: Use ZAP in tandem with tools like Burp Collaborator or mitmproxy to intercept DNS resolution, external callbacks, or out-of-band interactions. This is especially useful for identifying SSRF, blind XXE, or second-order injection vulnerabilities that ZAP may not catch on its own.
Leverage ZAP scripts to simulate complex workflows or business logic: Use ZAP’s scripting engine (e.g., with JavaScript, Jython, or Zest) to simulate multi-step processes like shopping carts, file uploads, or token renewals. Automating these flows allows for more thorough vulnerability coverage beyond what basic crawling can reach.
Use parameter-based context targeting for microservice architectures: When testing microservices or APIs behind the same domain, use ZAP contexts to define rules based on path or parameter patterns (e.g., /api/user/*). This isolates scanning efforts and aligns with how access controls and data flows are segmented in modern apps.
Instrument ZAP to test authenticated REST APIs with token refresh logic: Many REST APIs rely on short-lived access tokens with refresh flows. Write authentication scripts in ZAP to handle token renewal during long scans. This prevents incomplete scans due to session expiration and allows for full API enumeration.
Automated Scanning in CI/CD Pipelines
Integrating OWASP ZAP with CI/CD pipelines helps teams embed security testing into the software development lifecycle. Automated scans run alongside build or deployment jobs, immediately flagging new vulnerabilities as code changes. This process ensures issues are caught early, reducing the effort and cost required for remediation later in development or production.
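The pipeline integration described here and under "Automated and Manual Testing", as an added example that is not code from ZAP or from the article's author. The script talks to a ZAP daemon over its JSON REST API using only the Python standard library, scopes the scan with a context, runs the spider and the active scanner, writes a report and returns a non-zero exit status the CI job can act on. The ZAP address, API key and the staging host in `TARGET` and `SCOPE` are assumptions to be replaced with your own.

```python
"""Gate a CI job on a ZAP scan driven over the ZAP JSON REST API.

Added example; not ZAP project code.  Assumptions (hypothetical):
  - ZAP is already running headless, e.g.
      zap.sh -daemon -host 127.0.0.1 -port 8080 -config api.key=change-me
    (or the same via the ghcr.io/zaproxy/zaproxy Docker image)
  - TARGET is a staging deployment you are authorised to attack; the
    active scan will submit forms and alter data there
"""
import json
import sys
import time
import urllib.parse
import urllib.request

ZAP = "http://127.0.0.1:8080"
API_KEY = "change-me"
TARGET = "https://staging.example.test"                  # hypothetical host
SCOPE = r"https://staging\.example\.test/.*"              # context include regex
MAX_HIGH, MAX_MEDIUM = 0, 0                               # build-breaking thresholds


def api_url(component, kind, name, **params):
    """Build a ZAP API URL such as /JSON/spider/action/scan/?url=...&apikey=..."""
    params["apikey"] = API_KEY
    return f"{ZAP}/JSON/{component}/{kind}/{name}/?" + urllib.parse.urlencode(params)


def zap_call(component, kind, name, **params):
    with urllib.request.urlopen(api_url(component, kind, name, **params), timeout=30) as r:
        return json.load(r)


def wait_for(component, scan_id, poll=5):
    """Poll /JSON/<spider|ascan>/view/status/ until the job reports 100."""
    while int(zap_call(component, "view", "status", scanId=scan_id)["status"]) < 100:
        time.sleep(poll)


def gate(summary, max_high=MAX_HIGH, max_medium=MAX_MEDIUM):
    """Pass/fail decision from the dict returned by
    /JSON/alert/view/alertsSummary/, e.g. {"High": "0", "Medium": "2", ...}.
    Low and Informational alerts are reported but never fail the build."""
    high, medium = int(summary.get("High", 0)), int(summary.get("Medium", 0))
    return high <= max_high and medium <= max_medium


def run_pipeline_scan():
    # 1. Scope: a context keeps both the spider and the active scanner off
    #    anything that does not match SCOPE (third-party hosts, for example).
    ctx_id = zap_call("context", "action", "newContext", contextName="ci")["contextId"]
    zap_call("context", "action", "includeInContext", contextName="ci", regex=SCOPE)
    # 2. Seed the Sites tree with the base URL, then crawl.
    zap_call("core", "action", "accessUrl", url=TARGET, followRedirects="true")
    wait_for("spider", zap_call("spider", "action", "scan", url=TARGET,
                                contextName="ci")["scan"])
    # 3. Passive scanning already ran on every crawled response; now attack.
    wait_for("ascan", zap_call("ascan", "action", "scan", url=TARGET, recurse="true",
                               inScopeOnly="true", contextId=ctx_id)["scan"])
    # 4. Write an HTML report for the build artefacts and apply the gate.
    zap_call("reports", "action", "generate", title="CI scan of " + TARGET,
             template="traditional-html", reportDir="/tmp", reportFileName="zap-report")
    summary = zap_call("alert", "view", "alertsSummary", baseurl=TARGET)["alertsSummary"]
    passed = gate(summary)
    print(json.dumps(summary), "PASS" if passed else "FAIL")
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(run_pipeline_scan())
```

The thresholds are kept at zero High and zero Medium on purpose: a gate that tolerates Medium findings tends to accumulate them. When you adopt this, run it once against the current build, triage the existing alerts (ZAP lets you mark false positives, and alert filters can lower their risk), and only then switch the job from reporting to blocking. The packaged zap-baseline.py and the Automation Framework implement the same spider, scan and threshold flow with less code; this version shows what those wrappers do underneath.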
API Security Testing
ZAP's API security testing capabilities are essential for modern applications that rely heavily on REST, SOAP or GraphQL services. The tool discovers API endpoints by importing OpenAPI/Swagger, GraphQL or SOAP (WSDL) definitions through the corresponding add-ons, or by observing application traffic proxied through it, which matters because an API has no links for a spider to follow. Once endpoints are mapped, ZAP scans for vulnerabilities such as improper authentication, excessive data exposure or injection flaws specific to APIs.
Security Regression Testing
Regular regression testing with OWASP ZAP ensures that new features or code changes do not introduce security vulnerabilities into an application. By scripting or automating scan routines, security teams can rapidly verify that previously fixed issues remain resolved and no new weaknesses are present.
Real-Time Communication Testing
Modern web applications often implement WebSocket or other real-time communication protocols. ZAP supports interception and analysis of WebSocket traffic, allowing testers to inspect messages, modify payloads, and analyze communication patterns for security issues. This capability helps uncover vulnerabilities like message tampering, replay attacks, or improper authentication in real-time bidirectional channels.
Zed Attack Proxy (OWASP ZAP) offers a set of features for web application security testing, but like any tool, it comes with trade-offs. Below are the key advantages and limitations to consider:
Pros
- Free and open source: ZAP is completely free, with no licensing costs, making it accessible for organizations of all sizes.
- Active community and support: Maintained by a core team at Checkmarx with a large contributor and user base, ZAP benefits from frequent releases, extensive documentation and a community-contributed add-on marketplace.
- User-friendly interface: Its graphical interface is intuitive, lowering the barrier for beginners to perform security testing.
- Automation capabilities: ZAP can be easily integrated into CI/CD pipelines, supporting REST APIs, command-line operation, and scripting for automated scanning.
- Extensibility: The plugin-based architecture allows users to customize and extend functionality to fit specific testing needs.
- Testing modes: Offers both active and passive scanning, fuzzing, and authenticated testing, covering a wide range of vulnerabilities.
- Support for real-time protocols: Built-in tools to inspect WebSockets and other real-time communication methods are valuable for modern applications.
Cons
- Performance overhead: Active scanning and fuzzing can be resource-intensive and may slow down or disrupt the target application.
- Steeper learning curve for advanced features: While basic usage is straightforward, leveraging advanced features like scripting or custom authentication may require deeper knowledge.
- Limited reporting customization: Though it supports multiple formats, report customization is relatively basic compared to some commercial tools.
- No native static analysis: ZAP focuses on dynamic testing and does not provide static code analysis, so it may miss vulnerabilities that only appear in source code.
- Less polished than commercial tools: As an open-source project, ZAP may lack the polish, dedicated support, and enterprise integration features found in paid solutions.
To begin using Zed Attack Proxy, download the appropriate installer for your operating system from the official ZAP download page. Installers are available for Windows, Linux, macOS, and as Docker images.
System Requirements and Installation
ZAP requires Java 17 or higher. While the macOS installer includes a compatible Java version, users on Windows, Linux, and other platforms must install Java separately. Docker users don’t need to install Java, as it’s bundled within the container.
Installation steps:
- Windows/Linux/macOS: Run the downloaded installer and follow the on-screen prompts. On first launch, accept the license agreement to complete the setup.
- macOS note: If you receive a security warning (“ZAP.app can’t be opened”), go to System Preferences > Security & Privacy (System Settings > Privacy & Security on recent macOS versions) and choose Open Anyway to allow the application to run.
Starting ZAP and Session Management
When ZAP launches for the first time, it will ask whether to persist the session. Persistent sessions save scan data to disk and can be resumed later, while non-persistent sessions are deleted when ZAP closes.
For initial testing, choose “No, I do not want to persist this session”, and click Start. You can enable persistence later if needed.
Overview of the ZAP User Interface
Once ZAP is running, the desktop UI provides access to both automated and manual testing tools through several key components:
- Menu bar: Access to scanning tools, settings, and help documentation
- Toolbar: Quick access to commonly used actions
- Tree window: Displays the application structure and scripts
- Workspace window: Shows request/response data, and allows editing
- Information window: Displays scan details and alert information
- Footer: Summarizes active alerts and scanning progress
Running an Automated Scan
The fastest way to start testing with ZAP is through the Quick Start tab.
To launch an automated scan:
- Go to the Quick Start tab in the workspace window.
- Click Automated Scan.
- Enter the full URL of your target web application.
- Click Attack.
ZAP will:
- Crawl the target using its traditional spider (HTML parsing) and optionally the AJAX spider (JavaScript-based crawling)
- Perform a passive scan of all discovered pages and requests
- Run an active scan to probe for known vulnerabilities
Important: Active scanning mimics real attacks and can affect application state or data. Only use it on systems you have explicit permission to test.
Viewing Scan Results
As ZAP analyzes the target, it generates alerts and builds a map of the site.
To view results:
- Use the Sites tab in the tree window to browse discovered pages.
- Open the Alerts tab in the information window to see vulnerabilities categorized by risk level.
Click on an alert to view details, including the vulnerable URL, evidence, and recommended remediation steps.
View the full HTTP request and response details under the Request and Response tabs in the workspace window.
Manual Exploration
Automated scans may miss parts of the application, especially behind login pages or dynamic content. Manual exploration allows testers to navigate the application directly via a browser that proxies through ZAP.
To manually explore an application:
- Click Manual Explore in the quick start tab.
- Enter the application URL.
- Select a browser and click Launch Browser.
ZAP will monitor and passively scan all traffic during exploration, updating the site tree and logging any issues.
Note: If using a browser profile with plugins or saved settings, you’ll need to configure the proxy settings manually and trust ZAP’s root certificate.
Using the Heads-Up Display (HUD)
When using manual explore, ZAP enables the HUD by default. This in-browser overlay gives direct access to ZAP tools and security insights without leaving the application view.
The HUD supports modern browsers like Chrome and Firefox. Firefox users may need to disable Enhanced Tracking Protection to view the HUD.
The HUD tutorial appears on first launch and explains its panels and features, which help users identify issues in real time as they interact with the application.
OWASP ZAP is widely used for dynamic application security testing during development and CI/CD workflows. However, DAST tools primarily identify vulnerabilities in pre-production or staging environments. They do not provide continuous runtime protection, behavioral monitoring, or automated mitigation once applications are live in production. This is where enterprise-grade application protection platforms become essential.
Radware Cloud Application Protection Service extends beyond vulnerability discovery by delivering continuous, real-time protection across web applications and APIs. It combines Web Application Firewall (WAF), API security, bot management, and application-layer DDoS protection into a unified platform. Instead of only identifying exploitable weaknesses, it actively blocks attacks such as injection attempts, credential stuffing, business logic abuse, and automated scraping in live environments.
For teams that use ZAP in CI/CD pipelines, Radware Cloud WAF Service provides runtime enforcement of secure coding outcomes by applying positive security models, schema validation, and adaptive behavioral analysis. This ensures that vulnerabilities that slip through testing or are introduced post-deployment are mitigated before they can be exploited.
In high-risk or high-traffic environments, Radware DefensePro and Cloud DDoS Protection Service add multi-layer DDoS protection to maintain availability during volumetric or multi-vector attacks. This layered model bridges the gap between vulnerability testing and real-world threat mitigation.
Together, these capabilities position Radware as a production-ready complement to OWASP ZAP. While ZAP helps identify weaknesses during development, Radware ensures applications remain protected, available, and resilient under active attack conditions.