Skip to content

ZAP (Zed Attack Proxy) - Web App Security Scanner Cheatsheet

ZAP (Zed Attack Proxy) - Web App Security Scanner Cheatsheet

ZAP (Zed Attack Proxy, maintained by Checkmarx, formerly an OWASP flagship) is a free, open-source dynamic application security testing (DAST) tool. It sits between your browser and a target as an intercepting proxy, then passively and actively scans web apps and APIs for vulnerabilities. It combines a spider/crawler, a fuzzer, an active scanner, WebSocket support, and REST/GraphQL/SOAP API scanning — usable interactively via a GUI or headlessly via CLI and API for CI/CD.

Installation

PlatformCommand
Docker (recommended for CI)docker pull zaproxy/zap-stable
Debian/Ubuntudownload the installer from the ZAP site
macOS (Homebrew)brew install --cask zap
Cross-platformdownload the cross-platform package (needs Java)
Verifyzap.sh -version (or zap.bat on Windows)

Running Modes

CommandDescription
zap.shLaunch the desktop GUI
zap.sh -daemon -host 0.0.0.0 -port 8080Headless daemon with the API
zap.sh -cmd -quickurl https://target -quickout report.htmlOne-shot quick scan to a report
docker run -t zaproxy/zap-stable zap-baseline.py -t https://targetBaseline (passive) scan in Docker

Automation Framework (Scripted Scans)

ZAP’s packaged scan scripts are the fastest path to CI integration.

ScriptPurpose
zap-baseline.py -t URLPassive scan + spider (fast, CI-safe)
zap-full-scan.py -t URLBaseline + active attack scan
zap-api-scan.py -t openapi.json -f openapiScan an API from an OpenAPI/SOAP/GraphQL def
-r report.htmlWrite an HTML report
-J report.jsonWrite a JSON report
-c config.confAlert filter / rule config
# CI-friendly baseline scan, fail the build on findings
docker run -t zaproxy/zap-stable zap-baseline.py \
  -t https://staging.example.com -r zap-report.html

Core Components

ComponentRole
ProxyIntercept/inspect/modify HTTP(S) traffic
SpiderCrawl the app to discover URLs
Ajax SpiderCrawl JS-heavy apps via a real browser
Passive ScanFlags issues from observed traffic (no attacks)
Active ScanSends attack payloads to find vulnerabilities
FuzzerInject payload lists into requests

Proxy Setup

StepHow
Set browser proxyPoint browser at localhost:8080
Install ZAP CA certImport ZAP’s root cert to intercept HTTPS
Manual exploreBrowse the app; ZAP records the traffic
Then scanSpider + active scan the discovered tree

The API (Automation)

With the daemon running, drive ZAP over HTTP.

EndpointAction
/JSON/spider/action/scan/?url=...Start a spider
/JSON/ascan/action/scan/?url=...Start an active scan
/JSON/core/view/alerts/Retrieve findings
/OTHER/core/other/htmlreport/Generate an HTML report
API keyPass apikey=... with requests

Authentication & Context

ConceptUse
ContextDefine the target scope and auth
Session mgmtCookie/HTTP/script-based sessions
AuthenticationForm, JSON, HTTP, or script auth
UsersTest as authenticated users

Common Workflows

# Quick passive baseline against staging in CI
zap-baseline.py -t https://staging.example.com -r report.html

# Scan a REST API from its OpenAPI spec
zap-api-scan.py -t https://api.example.com/openapi.json -f openapi -J out.json

# Full active scan (authorized targets only)
zap-full-scan.py -t https://target.example.com -r full.html

ZAP vs Other DAST Tools

AspectZAPNucleiBurp SuiteNikto
ModelProxy + crawl + active DASTTemplate CVE scannerProxy + manual + scannerServer misconfig scanner
CostFree/open-sourceFree/open-sourceFree + paid ProFree
API/CIStrong (API + scripts)StrongPro extensionsCLI
Best forFull app DAST, CIFast known-CVE checksManual pentestingQuick server checks

Common pairing: Nuclei for fast known-CVE detection plus ZAP for crawling application-level DAST.

Resources