<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Owasp-Zap on Commentary of Takao</title><link>https://takao.blog/ko/tags/owasp-zap/</link><description>Recent content in Owasp-Zap on Commentary of Takao</description><generator>Hugo -- gohugo.io</generator><language>ko</language><copyright>Commentary of Takao</copyright><lastBuildDate>Tue, 09 Jun 2026 00:00:00 +0900</lastBuildDate><atom:link href="https://takao.blog/ko/tags/owasp-zap/index.xml" rel="self" type="application/rss+xml"/><item><title>OWASP ZAP in 2026: Advanced Scanning and CI/CD Integration</title><link>https://takao.blog/ko/web/owasp-zap-advanced-2026/</link><pubDate>Tue, 09 Jun 2026 00:00:00 +0900</pubDate><guid>https://takao.blog/ko/web/owasp-zap-advanced-2026/</guid><description>&lt;img src="https://takao.blog/img/thumbnail/owasp-zap-advanced-2026-ko.png" alt="Featured image of post OWASP ZAP in 2026: Advanced Scanning and CI/CD Integration" /&gt;&lt;h2 id="beyond-basic-scanning"&gt;Beyond Basic Scanning
&lt;/h2&gt;&lt;p&gt;OWASP ZAP has evolved significantly since its early days. In 2026, it is no longer just a point-and-click proxy scanner — it is a full-featured security automation platform with a powerful API, a scriptable automation framework, and deep CI/CD integration. If you need the basics first, read our &lt;a class="link" href="https://takao.blog/web/how-to-owasp-zap/" &gt;OWASP ZAP 설치 and setup 가이드&lt;/a&gt;. This article covers advanced workflows for teams running security tests at scale.&lt;/p&gt;
&lt;h2 id="api-scanning-with-zap"&gt;API Scanning with ZAP
&lt;/h2&gt;&lt;p&gt;Modern applications rely heavily on REST and GraphQL APIs. ZAP&amp;rsquo;s OpenAPI and GraphQL support allows you to scan APIs without a browser.&lt;/p&gt;
&lt;h3 id="importing-an-openapi-specification"&gt;Importing an OpenAPI Specification
&lt;/h3&gt;&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#75715e"&gt;# Via ZAP API&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl &lt;span style="color:#e6db74"&gt;&amp;#34;http://localhost:8080/JSON/openapi/action/importUrl/?url=https://example.com/openapi.json&amp;amp;host=example.com&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;ZAP parses the specification and generates requests for every endpoint and parameter combination. For GraphQL APIs, provide the endpoint URL and schema introspection:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl &lt;span style="color:#e6db74"&gt;&amp;#34;http://localhost:8080/JSON/graphql/action/importUrl/?endpointUrl=https://api.example.com/graphql&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h3 id="automated-form-인증"&gt;Automated Form 인증
&lt;/h3&gt;&lt;p&gt;Modern web apps use complex 인증 flows. ZAP supports several auth methods:&lt;/p&gt;
&lt;table&gt;
	&lt;thead&gt;
			&lt;tr&gt;
					&lt;th&gt;Method&lt;/th&gt;
					&lt;th&gt;When to Use&lt;/th&gt;
			&lt;/tr&gt;
	&lt;/thead&gt;
	&lt;tbody&gt;
			&lt;tr&gt;
					&lt;td&gt;Browser-based&lt;/td&gt;
					&lt;td&gt;OAuth2, SSO, 로그인 flows with redirects&lt;/td&gt;
			&lt;/tr&gt;
			&lt;tr&gt;
					&lt;td&gt;JSON-based&lt;/td&gt;
					&lt;td&gt;REST API with token-based auth&lt;/td&gt;
			&lt;/tr&gt;
			&lt;tr&gt;
					&lt;td&gt;Script-based&lt;/td&gt;
					&lt;td&gt;Custom or legacy auth mechanisms&lt;/td&gt;
			&lt;/tr&gt;
	&lt;/tbody&gt;
&lt;/table&gt;
&lt;p&gt;Configure 인증 via the &lt;strong&gt;Context&lt;/strong&gt; panel in the ZAP 데스크탑, or automate it through the API:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#75715e"&gt;# Set authentication credentials via ZAP API&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl &lt;span style="color:#e6db74"&gt;&amp;#34;http://localhost:8080/JSON/authentication/action/setAuthenticationMethod/&amp;#34;&lt;/span&gt; &lt;span style="color:#ae81ff"&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; -d &lt;span style="color:#e6db74"&gt;&amp;#34;contextId=1&amp;amp;authMethodName=browserBasedAuth&amp;amp;authMethodConfigParams=loginUrl=https://app.example.com/login&amp;amp;loginPageUrl=https://app.example.com/login&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h2 id="zap-automation-framework"&gt;ZAP Automation Framework
&lt;/h2&gt;&lt;p&gt;Introduced in ZAP 2.12, the Automation Framework replaces traditional shell scripts with declarative YAML-based plans. This is the recommended approach for 2026.&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-yaml" data-lang="yaml"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#f92672"&gt;env&lt;/span&gt;:
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#f92672"&gt;contexts&lt;/span&gt;:
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; - &lt;span style="color:#f92672"&gt;name&lt;/span&gt;: &lt;span style="color:#e6db74"&gt;&amp;#34;my-app&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#f92672"&gt;urls&lt;/span&gt;:
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; - &lt;span style="color:#e6db74"&gt;&amp;#34;https://staging.example.com&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#f92672"&gt;jobs&lt;/span&gt;:
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; - &lt;span style="color:#f92672"&gt;type&lt;/span&gt;: &lt;span style="color:#ae81ff"&gt;spider&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#f92672"&gt;parameters&lt;/span&gt;:
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#f92672"&gt;maxChildren&lt;/span&gt;: &lt;span style="color:#ae81ff"&gt;10&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; - &lt;span style="color:#f92672"&gt;type&lt;/span&gt;: &lt;span style="color:#ae81ff"&gt;passiveScan-config&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#f92672"&gt;parameters&lt;/span&gt;:
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#f92672"&gt;maxAlertsPerRule&lt;/span&gt;: &lt;span style="color:#ae81ff"&gt;50&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; - &lt;span style="color:#f92672"&gt;type&lt;/span&gt;: &lt;span style="color:#ae81ff"&gt;activeScan&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#f92672"&gt;parameters&lt;/span&gt;:
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#f92672"&gt;maxScansInUI&lt;/span&gt;: &lt;span style="color:#ae81ff"&gt;1&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; - &lt;span style="color:#f92672"&gt;type&lt;/span&gt;: &lt;span style="color:#ae81ff"&gt;report&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#f92672"&gt;parameters&lt;/span&gt;:
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#f92672"&gt;template&lt;/span&gt;: &lt;span style="color:#e6db74"&gt;&amp;#34;traditional-html&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#f92672"&gt;reportDir&lt;/span&gt;: &lt;span style="color:#e6db74"&gt;&amp;#34;./reports&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#f92672"&gt;reportFile&lt;/span&gt;: &lt;span style="color:#e6db74"&gt;&amp;#34;zap-report-{{date}}.html&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;Run the plan headlessly:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;zap.sh -cmd -autorun /path/to/plan.yaml
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;This approach is reproducible, 버전-controllable, and removes the need for manual UI interaction. All job types (spider, activeScan, ajaxSpider, report, etc.) are configurable via YAML.&lt;/p&gt;
&lt;h2 id="cicd-pipeline-integration"&gt;CI/CD Pipeline Integration
&lt;/h2&gt;&lt;p&gt;ZAP integrates natively into GitHub Actions, GitLab CI, and Jenkins. The official ZAP Docker image (&lt;code&gt;softwaresecurityproject/zap-stable&lt;/code&gt;) makes this straightforward.&lt;/p&gt;
&lt;h3 id="github-actions-example"&gt;GitHub Actions Example
&lt;/h3&gt;&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-yaml" data-lang="yaml"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#f92672"&gt;jobs&lt;/span&gt;:
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#f92672"&gt;zap-scan&lt;/span&gt;:
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#f92672"&gt;runs-on&lt;/span&gt;: &lt;span style="color:#ae81ff"&gt;ubuntu-latest&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#f92672"&gt;steps&lt;/span&gt;:
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; - &lt;span style="color:#f92672"&gt;uses&lt;/span&gt;: &lt;span style="color:#ae81ff"&gt;actions/checkout@v4&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; - &lt;span style="color:#f92672"&gt;name&lt;/span&gt;: &lt;span style="color:#ae81ff"&gt;Run ZAP scan&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#f92672"&gt;uses&lt;/span&gt;: &lt;span style="color:#ae81ff"&gt;zaproxy/action-full-scan@v0.12&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#f92672"&gt;with&lt;/span&gt;:
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#f92672"&gt;target&lt;/span&gt;: &lt;span style="color:#e6db74"&gt;&amp;#34;https://staging.example.com&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#f92672"&gt;token&lt;/span&gt;: &lt;span style="color:#ae81ff"&gt;${{ secrets.ZAP_API_KEY }}&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#f92672"&gt;rules_file_name&lt;/span&gt;: &lt;span style="color:#e6db74"&gt;&amp;#34;.zap/rules.tsv&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#f92672"&gt;cmd_options&lt;/span&gt;: &lt;span style="color:#e6db74"&gt;&amp;#34;-a&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h3 id="gitlab-ci-example"&gt;GitLab CI Example
&lt;/h3&gt;&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-yaml" data-lang="yaml"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#f92672"&gt;zap-scan&lt;/span&gt;:
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#f92672"&gt;image&lt;/span&gt;: &lt;span style="color:#ae81ff"&gt;softwaresecurityproject/zap-stable&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#f92672"&gt;script&lt;/span&gt;:
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; - &lt;span style="color:#ae81ff"&gt;mkdir -p reports&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; - &lt;span style="color:#ae81ff"&gt;zap.sh -cmd -quickurl https://staging.example.com -quickprogress -quickout reports/zap.html&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#f92672"&gt;artifacts&lt;/span&gt;:
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#f92672"&gt;paths&lt;/span&gt;:
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; - &lt;span style="color:#ae81ff"&gt;reports/&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h3 id="fail-on-high-risk-issues"&gt;Fail on High-Risk Issues
&lt;/h3&gt;&lt;p&gt;Prevent vulnerable code from reaching production by enforcing a quality gate:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;zap.sh -cmd -autorun plan.yaml
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#75715e"&gt;# Parse the report and exit with non-zero if high-risk alerts exist&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#66d9ef"&gt;if&lt;/span&gt; grep -q &lt;span style="color:#e6db74"&gt;&amp;#39;&amp;#34;risk&amp;#34;: &amp;#34;High&amp;#34;&amp;#39;&lt;/span&gt; reports/zap-report.json; &lt;span style="color:#66d9ef"&gt;then&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; echo &lt;span style="color:#e6db74"&gt;&amp;#34;High-risk vulnerabilities detected!&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; exit &lt;span style="color:#ae81ff"&gt;1&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#66d9ef"&gt;fi&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h2 id="context-based-scanning"&gt;Context-Based Scanning
&lt;/h2&gt;&lt;p&gt;Define contexts to scope scans to specific applications, preventing ZAP from wandering into third-party domains:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-yaml" data-lang="yaml"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#f92672"&gt;env&lt;/span&gt;:
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#f92672"&gt;contexts&lt;/span&gt;:
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; - &lt;span style="color:#f92672"&gt;name&lt;/span&gt;: &lt;span style="color:#e6db74"&gt;&amp;#34;my-app&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#f92672"&gt;urls&lt;/span&gt;:
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; - &lt;span style="color:#e6db74"&gt;&amp;#34;https://app.example.com&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#f92672"&gt;includePaths&lt;/span&gt;:
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; - &lt;span style="color:#e6db74"&gt;&amp;#34;/api/.*&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; - &lt;span style="color:#e6db74"&gt;&amp;#34;/app/.*&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#f92672"&gt;excludePaths&lt;/span&gt;:
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; - &lt;span style="color:#e6db74"&gt;&amp;#34;/logout&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#f92672"&gt;authentication&lt;/span&gt;:
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#f92672"&gt;method&lt;/span&gt;: &lt;span style="color:#e6db74"&gt;&amp;#34;browserBasedAuth&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#f92672"&gt;parameters&lt;/span&gt;:
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#f92672"&gt;loginUrl&lt;/span&gt;: &lt;span style="color:#e6db74"&gt;&amp;#34;https://app.example.com/login&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;Contexts also store session tokens, user credentials, and technology detection results, making scans more accurate and less noisy.&lt;/p&gt;
&lt;h2 id="websocket-scanning"&gt;WebSocket Scanning
&lt;/h2&gt;&lt;p&gt;ZAP now supports WebSocket traffic interception and fuzzing. This is critical for modern applications that rely on real-time communication:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-yaml" data-lang="yaml"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#f92672"&gt;jobs&lt;/span&gt;:
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; - &lt;span style="color:#f92672"&gt;type&lt;/span&gt;: &lt;span style="color:#ae81ff"&gt;websocket&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#f92672"&gt;parameters&lt;/span&gt;:
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#f92672"&gt;scanMessageList&lt;/span&gt;:
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; - &lt;span style="color:#f92672"&gt;&amp;#34;{\&amp;#34;type\&amp;#34;: &lt;/span&gt;&lt;span style="color:#ae81ff"&gt;\&amp;#34;ping\&amp;#34;}&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; - &lt;span style="color:#f92672"&gt;&amp;#34;{\&amp;#34;type\&amp;#34;: \&amp;#34;subscribe\&amp;#34;, \&amp;#34;channel\&amp;#34;: &lt;/span&gt;&lt;span style="color:#ae81ff"&gt;\&amp;#34;admin\&amp;#34;}&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;WebSocket fuzzing can reveal message injection vulnerabilities, unexpected error responses, and authorization bypasses in real-time 기능.&lt;/p&gt;
&lt;h2 id="reducing-false-positives"&gt;Reducing False Positives
&lt;/h2&gt;&lt;p&gt;Alert filtering and threshold tuning improve signal-to-noise ratio. Set scan strength per rule:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-yaml" data-lang="yaml"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#f92672"&gt;jobs&lt;/span&gt;:
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; - &lt;span style="color:#f92672"&gt;type&lt;/span&gt;: &lt;span style="color:#ae81ff"&gt;activeScan&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#f92672"&gt;parameters&lt;/span&gt;:
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#f92672"&gt;alertThreshold&lt;/span&gt;: &lt;span style="color:#e6db74"&gt;&amp;#34;MEDIUM&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#f92672"&gt;attackStrength&lt;/span&gt;: &lt;span style="color:#e6db74"&gt;&amp;#34;DEFAULT&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; - &lt;span style="color:#f92672"&gt;type&lt;/span&gt;: &lt;span style="color:#ae81ff"&gt;passiveScan-config&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#f92672"&gt;parameters&lt;/span&gt;:
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#f92672"&gt;maxAlertsPerRule&lt;/span&gt;: &lt;span style="color:#ae81ff"&gt;10&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#f92672"&gt;alertFilters&lt;/span&gt;:
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; - &lt;span style="color:#f92672"&gt;ruleId&lt;/span&gt;: &lt;span style="color:#ae81ff"&gt;10010&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#f92672"&gt;newRisk&lt;/span&gt;: &lt;span style="color:#e6db74"&gt;&amp;#34;False Positive&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#f92672"&gt;url&lt;/span&gt;: &lt;span style="color:#e6db74"&gt;&amp;#34;.*healthcheck.*&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;Maintain a &lt;code&gt;.zap/rules.tsv&lt;/code&gt; file to 커스터마이즈 rule thresholds across all scans in your pipeline.&lt;/p&gt;
&lt;h2 id="conclusion"&gt;Conclusion
&lt;/h2&gt;&lt;p&gt;OWASP ZAP in 2026 is a mature, API-first security platform that fits seamlessly into modern development workflows. From declarative YAML plans to CI/CD quality gates, ZAP enables teams to find and fix vulnerabilities before they reach production. Pair it with the &lt;a class="link" href="https://takao.blog/web/how-to-owasp-zap/" &gt;basics covered in our earlier 가이드&lt;/a&gt; for a complete security testing strategy.&lt;/p&gt;</description></item><item><title>OWASP ZAP: Web Application Security Testing Guide</title><link>https://takao.blog/ko/web/owasp-zap/</link><pubDate>Fri, 20 Oct 2023 00:00:00 +0900</pubDate><guid>https://takao.blog/ko/web/owasp-zap/</guid><description>&lt;img src="https://takao.blog/img/thumbnail/how-to-owasp-zap-ko.png" alt="Featured image of post OWASP ZAP: Web Application Security Testing Guide" /&gt;&lt;h1 id="owasp-zap-web-application-security-testing-가이드"&gt;OWASP ZAP: Web Application Security Testing 가이드
&lt;/h1&gt;&lt;p&gt;Web application security is no longer optional — it is a fundamental requirement for protecting user data and maintaining trust. OWASP ZAP (Zed Attack Proxy) is one of the most popular open-source security testing tools available. It helps developers and security professionals identify vulnerabilities in web applications through automated scanning and manual testing 기능. This 가이드 covers the full workflow, from 설치 to remediation.&lt;/p&gt;
&lt;h2 id="step-1-installing-owasp-zap"&gt;Step 1: Installing OWASP ZAP
&lt;/h2&gt;&lt;p&gt;ZAP runs on Windows, macOS, and Linux. Choose the instructions for your platform.&lt;/p&gt;
&lt;h3 id="windows"&gt;Windows
&lt;/h3&gt;&lt;ol&gt;
&lt;li&gt;Visit the &lt;a class="link" href="https://www.zaproxy.org/%eb%8b%a4%ec%9a%b4%eb%a1%9c%eb%93%9c/" target="_blank" rel="noopener"
 &gt;official ZAP 다운로드 page&lt;/a&gt;.&lt;/li&gt;
&lt;li&gt;다운로드 the latest stable Windows installer (&lt;code&gt;.exe&lt;/code&gt;).&lt;/li&gt;
&lt;li&gt;Run the installer and follow the setup wizard.&lt;/li&gt;
&lt;li&gt;Launch ZAP from the Start menu or 데스크탑 shortcut.&lt;/li&gt;
&lt;/ol&gt;
&lt;h3 id="macos"&gt;macOS
&lt;/h3&gt;&lt;ol&gt;
&lt;li&gt;Go to the &lt;a class="link" href="https://www.zaproxy.org/%eb%8b%a4%ec%9a%b4%eb%a1%9c%eb%93%9c/" target="_blank" rel="noopener"
 &gt;official ZAP 다운로드 page&lt;/a&gt; and 다운로드 the macOS package.&lt;/li&gt;
&lt;li&gt;Mount the &lt;code&gt;.dmg&lt;/code&gt; file and drag ZAP to your Applications folder.&lt;/li&gt;
&lt;li&gt;Open ZAP from Applications. If macOS blocks it, go to &lt;strong&gt;System 설정&lt;/strong&gt; &amp;gt; &lt;strong&gt;Privacy &amp;amp; Security&lt;/strong&gt; and allow the app.&lt;/li&gt;
&lt;li&gt;Alternatively, install via Homebrew: &lt;code&gt;brew install --cask zap&lt;/code&gt;.&lt;/li&gt;
&lt;/ol&gt;
&lt;h3 id="linux-debianubuntu"&gt;Linux (Debian/Ubuntu)
&lt;/h3&gt;&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;sudo apt-get update
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;sudo apt-get install zaproxy
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;After 설치, launch ZAP from the terminal with &lt;code&gt;zaproxy&lt;/code&gt; or find it in your application menu.&lt;/p&gt;
&lt;h2 id="step-2-configuring-the-target-application"&gt;Step 2: Configuring the Target Application
&lt;/h2&gt;&lt;p&gt;Once ZAP is running, you need to define the scope of your test:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;On the welcome 화면, click &lt;strong&gt;Quick Start&lt;/strong&gt; and then &lt;strong&gt;Set up a new Context&lt;/strong&gt;.&lt;/li&gt;
&lt;li&gt;A &lt;strong&gt;context&lt;/strong&gt; defines the boundaries of the application you are testing — its URLs, 인증 methods, and technical environment.&lt;/li&gt;
&lt;li&gt;Under &lt;strong&gt;Include in Context&lt;/strong&gt;, add the base URL of the target application (e.g., &lt;code&gt;https://example.com&lt;/code&gt;).&lt;/li&gt;
&lt;li&gt;Click &lt;strong&gt;Include&lt;/strong&gt; to confirm. You can add multiple URLs if the application spans several domains.&lt;/li&gt;
&lt;li&gt;Click &lt;strong&gt;Finish&lt;/strong&gt; to save the context.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;Properly scoping the context ensures that ZAP focuses its scans only on the intended target and avoids accidentally testing third-party services.&lt;/p&gt;
&lt;h2 id="step-3-running-an-active-scan"&gt;Step 3: Running an Active Scan
&lt;/h2&gt;&lt;p&gt;Active scanning attempts to find vulnerabilities by sending malicious payloads to the application and observing the responses. This is the core of ZAP&amp;rsquo;s automated testing capability:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;In the left navigation pane, select the &lt;strong&gt;Sites&lt;/strong&gt; tree. Find your target URL.&lt;/li&gt;
&lt;li&gt;Right-click the target and choose &lt;strong&gt;Attack&lt;/strong&gt; &amp;gt; &lt;strong&gt;Active Scan&lt;/strong&gt;.&lt;/li&gt;
&lt;li&gt;ZAP will begin sending requests designed to probe for common vulnerabilities such as SQL injection, cross-site scripting (XSS), and path traversal.&lt;/li&gt;
&lt;li&gt;The scan progress appears in the bottom panel. Depending on the size of the application, this may take several minutes.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;When the scan completes, results appear in the &lt;strong&gt;Alerts&lt;/strong&gt; tab, organized by risk level (High, Medium, Low, Informational).&lt;/p&gt;
&lt;hr&gt;
&lt;p&gt;&lt;strong&gt;Alert Risk Levels&lt;/strong&gt;&lt;/p&gt;
&lt;table&gt;
	&lt;thead&gt;
			&lt;tr&gt;
					&lt;th&gt;Risk Level&lt;/th&gt;
					&lt;th&gt;Example&lt;/th&gt;
					&lt;th&gt;Action Required&lt;/th&gt;
			&lt;/tr&gt;
	&lt;/thead&gt;
	&lt;tbody&gt;
			&lt;tr&gt;
					&lt;td&gt;High&lt;/td&gt;
					&lt;td&gt;SQL Injection, RCE&lt;/td&gt;
					&lt;td&gt;Immediate remediation&lt;/td&gt;
			&lt;/tr&gt;
			&lt;tr&gt;
					&lt;td&gt;Medium&lt;/td&gt;
					&lt;td&gt;XSS, CSRF&lt;/td&gt;
					&lt;td&gt;Fix in current sprint&lt;/td&gt;
			&lt;/tr&gt;
			&lt;tr&gt;
					&lt;td&gt;Low&lt;/td&gt;
					&lt;td&gt;Missing security headers&lt;/td&gt;
					&lt;td&gt;Address in next release&lt;/td&gt;
			&lt;/tr&gt;
			&lt;tr&gt;
					&lt;td&gt;Informational&lt;/td&gt;
					&lt;td&gt;서버 banner disclosure&lt;/td&gt;
					&lt;td&gt;Review and document&lt;/td&gt;
			&lt;/tr&gt;
	&lt;/tbody&gt;
&lt;/table&gt;
&lt;h2 id="step-4-passive-scanning"&gt;Step 4: Passive Scanning
&lt;/h2&gt;&lt;p&gt;Passive scanning observes traffic without sending any malicious payloads. It analyzes requests and responses as they pass through ZAP&amp;rsquo;s proxy, identifying issues like missing security headers, cookie misconfigurations, and information leaks:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Ensure the &lt;strong&gt;Passive Scan&lt;/strong&gt; toggle is enabled in the main toolbar.&lt;/li&gt;
&lt;li&gt;Browse the target application normally through ZAP&amp;rsquo;s proxy (by default, ZAP listens on &lt;code&gt;localhost:8080&lt;/code&gt;).&lt;/li&gt;
&lt;li&gt;As you navigate, ZAP silently analyzes every request and response.&lt;/li&gt;
&lt;li&gt;Issues detected by the passive scanner appear in the &lt;strong&gt;Alerts&lt;/strong&gt; tab alongside active scan results.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;Passive scanning is safe to run against any application because it does not modify requests. It is an excellent starting point for a preliminary security assessment.&lt;/p&gt;
&lt;p&gt;To 커스터마이즈 scan 설정, go to &lt;strong&gt;Tools&lt;/strong&gt; &amp;gt; &lt;strong&gt;Options&lt;/strong&gt; and adjust thresholds under &lt;strong&gt;Passive Scan Rules&lt;/strong&gt;.&lt;/p&gt;
&lt;h2 id="step-5-generating-reports"&gt;Step 5: Generating Reports
&lt;/h2&gt;&lt;p&gt;After scanning, share the results with your team. ZAP supports multiple report formats:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;From the menu bar, select &lt;strong&gt;Report&lt;/strong&gt; &amp;gt; &lt;strong&gt;Generate Report&lt;/strong&gt;.&lt;/li&gt;
&lt;li&gt;Choose your preferred format:
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;HTML&lt;/strong&gt;: Human-readable report with charts and severity breakdowns.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;XML&lt;/strong&gt;: Machine-readable for integration with other tools.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;JSON&lt;/strong&gt;: Structured data suitable for programmatic processing.&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;커스터마이즈 which alerts to include by risk level.&lt;/li&gt;
&lt;li&gt;Click &lt;strong&gt;Generate Report&lt;/strong&gt; and save the file.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;Reports include descriptions of each vulnerability, the affected URL, evidence from the scan, and remediation advice. Share these with developers to prioritize fixes.&lt;/p&gt;
&lt;h2 id="step-6-fixing-and-retesting"&gt;Step 6: Fixing and Retesting
&lt;/h2&gt;&lt;p&gt;Identifying vulnerabilities is only half the battle — the real value comes from fixing them and verifying the fixes:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Work with the development team to address each vulnerability. ZAP&amp;rsquo;s alert details often include specific code-level guidance.&lt;/li&gt;
&lt;li&gt;After fixes are deployed, run a new active scan against the same context to confirm the issues are resolved.&lt;/li&gt;
&lt;li&gt;Compare the new alert list with the original report. All previously flagged High and Medium issues should be gone or reduced in severity.&lt;/li&gt;
&lt;li&gt;Repeat this cycle regularly. Security testing is not a one-time activity — integrate it into your CI/CD pipeline.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;For automated pipelines, ZAP offers a headless mode and Docker images that can be invoked from the command line:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;docker run -v &lt;span style="color:#66d9ef"&gt;$(&lt;/span&gt;pwd&lt;span style="color:#66d9ef"&gt;)&lt;/span&gt;:/zap/wrk/:rw -t ghcr.io/zaproxy/zaproxy:stable &lt;span style="color:#ae81ff"&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; zap-full-scan.py &lt;span style="color:#ae81ff"&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; -t https://example.com &lt;span style="color:#ae81ff"&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; -r report.html
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h2 id="summary"&gt;Summary
&lt;/h2&gt;&lt;p&gt;OWASP ZAP is a powerful, free tool that puts professional-grade security testing within reach of every development team. By mastering active scanning, passive analysis, report generation, and retesting workflows, you can dramatically improve your application&amp;rsquo;s security posture. Make ZAP a regular part of your development lifecycle and build security into your software from the start.&lt;/p&gt;</description></item></channel></rss>