OWASP ZAP: Web Application Security Testing Guide
Web application security is no longer optional — it is a fundamental requirement for protecting user data and maintaining trust. OWASP ZAP (Zed Attack Proxy) is one of the most popular open-source security testing tools available. It helps developers and security professionals identify vulnerabilities in web applications through automated scanning and manual testing features. This guide covers the full workflow, from installation to remediation.
Step 1: Installing OWASP ZAP
ZAP runs on Windows, macOS, and Linux. Choose the instructions for your platform.
Windows
- Visit the official ZAP download page.
- Download the latest stable Windows installer (.exe).
- Run the installer and follow the setup wizard.
- Launch ZAP from the Start menu or desktop shortcut.
macOS
- Go to the official ZAP download page and download the macOS package.
- Mount the .dmg file and drag ZAP to your Applications folder.
- Open ZAP from Applications. If macOS blocks it, go to System Settings > Privacy & Security and allow the app.
- Alternatively, install via Homebrew: `brew install --cask zap`.
Linux (Debian/Ubuntu)
```sh
sudo apt-get update
sudo apt-get install zaproxy
```
After installation, launch ZAP from the terminal with zaproxy or find it in your application menu.
Step 2: Configuring the Target Application
Once ZAP is running, you need to define the scope of your test:
- On the welcome screen, click Quick Start and then Set up a new Context.
- A context defines the boundaries of the application you are testing — its URLs, authentication methods, and technical environment.
- Under Include in Context, add the base URL of the target application (e.g., https://example.com).
- Click Include to confirm. You can add multiple URLs if the application spans several domains.
- Click Finish to save the context.
Properly scoping the context ensures that ZAP focuses its scans only on the intended target and avoids accidentally testing third-party services.
Step 3: Running an Active Scan
Active scanning attempts to find vulnerabilities by sending malicious payloads to the application and observing the responses. This is the core of ZAP’s automated testing capability:
- In the left navigation pane, select the Sites tree. Find your target URL.
- Right-click the target and choose Attack > Active Scan.
- ZAP will begin sending requests designed to probe for common vulnerabilities such as SQL injection, cross-site scripting (XSS), and path traversal.
- The scan progress appears in the bottom panel. Depending on the size of the application, this may take several minutes.
When the scan completes, results appear in the Alerts tab, organized by risk level (High, Medium, Low, Informational).
Alert Risk Levels
| Risk Level | Example | Action Required |
|---|---|---|
| High | SQL Injection, RCE | Immediate remediation |
| Medium | XSS, CSRF | Fix in current sprint |
| Low | Missing security headers | Address in next release |
| Informational | Server banner disclosure | Review and document |
Step 4: Passive Scanning
Passive scanning observes traffic without sending any malicious payloads. It analyzes requests and responses as they pass through ZAP’s proxy, identifying issues like missing security headers, cookie misconfigurations, and information leaks:
- Ensure the Passive Scan toggle is enabled in the main toolbar.
- Browse the target application normally through ZAP’s proxy (by default, ZAP listens on localhost:8080).
- As you navigate, ZAP silently analyzes every request and response.
- Issues detected by the passive scanner appear in the Alerts tab alongside active scan results.
Passive scanning is safe to run against any application because it does not modify requests. It is an excellent starting point for a preliminary security assessment.
To customize scan settings, go to Tools > Options and adjust thresholds under Passive Scan Rules.
Step 5: Generating Reports
After scanning, share the results with your team. ZAP supports multiple report formats:
- From the menu bar, select Report > Generate Report.
- Choose your preferred format:
- HTML: Human-readable report with charts and severity breakdowns.
- XML: Machine-readable for integration with other tools.
- JSON: Structured data suitable for programmatic processing.
- Customize which alerts to include by risk level.
- Click Generate Report and save the file.
Reports include descriptions of each vulnerability, the affected URL, evidence from the scan, and remediation advice. Share these with developers to prioritize fixes.
Step 6: Fixing and Retesting
Identifying vulnerabilities is only half the battle — the real value comes from fixing them and verifying the fixes:
- Work with the development team to address each vulnerability. ZAP’s alert details often include specific code-level guidance.
- After fixes are deployed, run a new active scan against the same context to confirm the issues are resolved.
- Compare the new alert list with the original report. All previously flagged High and Medium issues should be gone or reduced in severity.
- Repeat this cycle regularly. Security testing is not a one-time activity — integrate it into your CI/CD pipeline.
For automated pipelines, ZAP offers a headless mode and Docker images that can be invoked from the command line:
```sh
docker run -v $(pwd):/zap/wrk/:rw -t ghcr.io/zaproxy/zaproxy:stable \
  zap-full-scan.py \
  -t https://example.com \
  -r report.html
```
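To make the JSON report from Step 5 useful in the retest cycle of Step 6, a pipeline needs to read it, fail the build on High/Medium findings, and show which alerts disappeared between a baseline scan and a retest. The script below is an added example, not part of ZAP or this guide; it assumes ZAP's traditional JSON report layout (`site[].alerts[]` with a numeric `riskcode` from 0 to 3) and uses two small constructed reports in place of real scan output.

```python
import json
from collections import Counter

# Risk codes in ZAP's traditional JSON report (assumed mapping: 0..3 as below).
RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}

def load_alerts(report_text):
    """Flatten site[].alerts[] from a ZAP JSON report into a list of dicts."""
    report = json.loads(report_text)
    alerts = []
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            alerts.append({
                "site": site.get("@name", ""),
                "plugin": str(alert.get("pluginid", "")),
                "name": alert.get("alert") or alert.get("name", ""),
                "risk": int(alert.get("riskcode", 0)),
                "count": int(alert.get("count", len(alert.get("instances", [])))),
            })
    return alerts

def summarize(alerts):
    """Count alerts per risk level, e.g. {'High': 1, 'Medium': 2}."""
    return Counter(RISK_NAMES[a["risk"]] for a in alerts)

def gate(alerts, max_risk_allowed=1):
    """Build gate: True only if no alert exceeds the allowed risk (default: Low)."""
    return all(a["risk"] <= max_risk_allowed for a in alerts)

def compare(baseline, retest):
    """(site, plugin id) pairs fixed since the baseline, and pairs that are new."""
    before = {(a["site"], a["plugin"]) for a in baseline}
    after = {(a["site"], a["plugin"]) for a in retest}
    return sorted(before - after), sorted(after - before)

# Constructed sample reports in the traditional layout (not real scan output).
BASELINE = json.dumps({"site": [{"@name": "https://example.com", "alerts": [
    {"pluginid": "40018", "alert": "SQL Injection", "riskcode": "3", "count": "1"},
    {"pluginid": "10038", "alert": "CSP Header Not Set", "riskcode": "2", "count": "4"},
    {"pluginid": "10036", "alert": "Server Leaks Version Information", "riskcode": "1", "count": "4"},
]}]})
RETEST = json.dumps({"site": [{"@name": "https://example.com", "alerts": [
    {"pluginid": "10036", "alert": "Server Leaks Version Information", "riskcode": "1", "count": "4"},
    {"pluginid": "10021", "alert": "X-Content-Type-Options Header Missing", "riskcode": "1", "count": "4"},
]}]})

if __name__ == "__main__":
    base, retest = load_alerts(BASELINE), load_alerts(RETEST)
    print("baseline:", dict(summarize(base)), "gate passed:", gate(base))
    print("retest:  ", dict(summarize(retest)), "gate passed:", gate(retest))
    fixed, new = compare(base, retest)
    print("fixed:", fixed, "new:", new)
```

In a real pipeline, replace the constructed strings with the file written by `-J report.json` and exit non-zero when `gate()` returns False.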
Summary
OWASP ZAP is a powerful, free tool that puts professional-grade security testing within reach of every development team. By mastering active scanning, passive analysis, report generation, and retesting workflows, you can dramatically improve your application’s security posture. Make ZAP a regular part of your development lifecycle and build security into your software from the start.
