OWASP ZAP Tutorial
Beginner · ⏱ 20 min read · Bug Bounty & Offensive Security
Free. Powerful. Open-source web app security testing.
OWASP ZAP is the world's most popular free web application security scanner with automated scanning, manual testing, and CI/CD integration.
Prerequisites
- OWASP ZAP installed (zaproxy.org)
- A target app (OWASP Juice Shop recommended)
- Basic web technology knowledge
Installation & Quick Start
Download it from zaproxy.org. Launch ZAP and choose Automated Scan for a quick assessment. ZAP is also available as a Docker image.
Manual Explore Mode
Point your browser at ZAP as its proxy (localhost:8080 by default) and browse the target manually; ZAP records every request and builds a site tree from it.
HUD (Heads-Up Display)
ZAP HUD overlays security info directly in your browser while browsing.
Active Scanning
After exploring, run an Active Scan against the discovered site tree to test for OWASP Top 10 vulnerabilities such as SQLi, XSS, and SSRF.
Scan Policies
Customize which checks run. Create separate policies for quick vs thorough scans.
Authentication Handling
Configure ZAP to authenticate and maintain sessions for testing authenticated areas.
Form-Based Auth
Define the login URL, the POST parameters, and the logged-in/logged-out indicators ZAP uses to tell whether a session is still valid.
Token Handling
Handles anti-CSRF tokens, session cookies, and JWT refresh automatically.
CI/CD Integration
Run ZAP in your pipeline with baseline, full-scan, or API-scan Docker images.
Scripting & Automation
Write custom scripts in Python, JavaScript, or Zest for complex testing.
Reporting
Generate HTML, XML, JSON, or Markdown reports. Integrate with Jira or DefectDojo.
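Added here as an example for the CI/CD Integration and Reporting sections above, not code from ZAP or the zaproxy project: a small Python quality gate that reads a ZAP JSON report and fails the pipeline step when alerts at or above a chosen risk level remain. It assumes the layout of ZAP's traditional JSON report (a "site" list whose "alerts" carry "pluginid", "alert" and a "riskcode" of 0 to 3); the sample report and its plugin IDs are constructed for the demonstration.

```python
import json
from collections import Counter

# Risk codes used by the "riskcode" field of ZAP's traditional JSON report:
# 0 = Informational, 1 = Low, 2 = Medium, 3 = High (assumed layout).
RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}

# Constructed sample in the shape of a ZAP JSON report, trimmed to the fields
# this gate reads. Alert names and values are made up for the example.
SAMPLE_REPORT = json.dumps({
    "@programName": "ZAP",
    "site": [{
        "@name": "http://localhost:3000",
        "alerts": [
            {"pluginid": "40012", "alert": "Cross Site Scripting (Reflected)",
             "riskcode": "3", "confidence": "2", "count": "1"},
            {"pluginid": "10038", "alert": "Content Security Policy (CSP) Header Not Set",
             "riskcode": "2", "confidence": "3", "count": "4"},
            {"pluginid": "10021", "alert": "X-Content-Type-Options Header Missing",
             "riskcode": "1", "confidence": "2", "count": "4"},
        ],
    }],
})


def load_alerts(report_json, ignore_pluginids=()):
    """Flatten every site's alerts into (risk, name, pluginid, count) tuples,
    skipping plugin IDs the team has triaged as accepted (a simple ignore list)."""
    report = json.loads(report_json)
    alerts = []
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            if alert["pluginid"] in ignore_pluginids:
                continue
            alerts.append((int(alert["riskcode"]), alert["alert"],
                           alert["pluginid"], int(alert.get("count", "1"))))
    return alerts


def evaluate_gate(report_json, fail_at=2, ignore_pluginids=()):
    """Return (passed, counts_by_risk). The gate fails when any alert at or
    above fail_at (default Medium) remains after the ignore list is applied."""
    alerts = load_alerts(report_json, ignore_pluginids)
    counts = Counter(RISK_NAMES[risk] for risk, *_ in alerts)
    passed = all(risk < fail_at for risk, *_ in alerts)
    return passed, dict(counts)


if __name__ == "__main__":
    ok, counts = evaluate_gate(SAMPLE_REPORT, fail_at=3)
    print("alerts by risk:", counts, "| gate passed:", ok)
    raise SystemExit(0 if ok else 1)  # a non-zero exit fails the pipeline step
```

In a pipeline, replace SAMPLE_REPORT with the file written by the packaged scan (for example the JSON output of the baseline scan) and pass the plugin IDs your team has accepted as the ignore list.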
Frequently Asked Questions
ZAP vs Burp Suite?
ZAP excels at automated scanning and CI/CD. Burp Pro has superior manual testing and extensions. Many use both.
Can ZAP scan APIs?
Yes. Import OpenAPI/Swagger or GraphQL schemas and ZAP tests API requests automatically.
Is ZAP truly free?
100% free and open-source. No paid tier. Community-maintained.