ZAP (Zed Attack Proxy) - Web App Security Scanner Cheatsheet
ZAP (Zed Attack Proxy, maintained by Checkmarx, formerly an OWASP flagship) is a free, open-source dynamic application security testing (DAST) tool. It sits between your browser and a target as an intercepting proxy, then passively and actively scans web apps and APIs for vulnerabilities. It combines a spider/crawler, a fuzzer, an active scanner, WebSocket support, and REST/GraphQL/SOAP API scanning — usable interactively via a GUI or headlessly via CLI and API for CI/CD.
Installation
| Platform | Command |
|---|
| Docker (recommended for CI) | docker pull zaproxy/zap-stable |
| Debian/Ubuntu | download the installer from the ZAP site |
| macOS (Homebrew) | brew install --cask zap |
| Cross-platform | download the cross-platform package (needs Java) |
| Verify | zap.sh -version (or zap.bat on Windows) |
Running Modes
| Command | Description |
|---|
zap.sh | Launch the desktop GUI |
zap.sh -daemon -host 0.0.0.0 -port 8080 | Headless daemon with the API |
zap.sh -cmd -quickurl https://target -quickout report.html | One-shot quick scan to a report |
docker run -t zaproxy/zap-stable zap-baseline.py -t https://target | Baseline (passive) scan in Docker |
Automation Framework (Scripted Scans)
ZAP’s packaged scan scripts are the fastest path to CI integration.
| Script | Purpose |
|---|
zap-baseline.py -t URL | Passive scan + spider (fast, CI-safe) |
zap-full-scan.py -t URL | Baseline + active attack scan |
zap-api-scan.py -t openapi.json -f openapi | Scan an API from an OpenAPI/SOAP/GraphQL def |
-r report.html | Write an HTML report |
-J report.json | Write a JSON report |
-c config.conf | Alert filter / rule config |
# CI-friendly baseline scan, fail the build on findings
docker run -t zaproxy/zap-stable zap-baseline.py \
-t https://staging.example.com -r zap-report.html
Core Components
| Component | Role |
|---|
| Proxy | Intercept/inspect/modify HTTP(S) traffic |
| Spider | Crawl the app to discover URLs |
| Ajax Spider | Crawl JS-heavy apps via a real browser |
| Passive Scan | Flags issues from observed traffic (no attacks) |
| Active Scan | Sends attack payloads to find vulnerabilities |
| Fuzzer | Inject payload lists into requests |
Proxy Setup
| Step | How |
|---|
| Set browser proxy | Point browser at localhost:8080 |
| Install ZAP CA cert | Import ZAP’s root cert to intercept HTTPS |
| Manual explore | Browse the app; ZAP records the traffic |
| Then scan | Spider + active scan the discovered tree |
The API (Automation)
With the daemon running, drive ZAP over HTTP.
| Endpoint | Action |
|---|
/JSON/spider/action/scan/?url=... | Start a spider |
/JSON/ascan/action/scan/?url=... | Start an active scan |
/JSON/core/view/alerts/ | Retrieve findings |
/OTHER/core/other/htmlreport/ | Generate an HTML report |
| API key | Pass apikey=... with requests |
Authentication & Context
| Concept | Use |
|---|
| Context | Define the target scope and auth |
| Session mgmt | Cookie/HTTP/script-based sessions |
| Authentication | Form, JSON, HTTP, or script auth |
| Users | Test as authenticated users |
Common Workflows
# Quick passive baseline against staging in CI
zap-baseline.py -t https://staging.example.com -r report.html
# Scan a REST API from its OpenAPI spec
zap-api-scan.py -t https://api.example.com/openapi.json -f openapi -J out.json
# Full active scan (authorized targets only)
zap-full-scan.py -t https://target.example.com -r full.html
| Aspect | ZAP | Nuclei | Burp Suite | Nikto |
|---|
| Model | Proxy + crawl + active DAST | Template CVE scanner | Proxy + manual + scanner | Server misconfig scanner |
| Cost | Free/open-source | Free/open-source | Free + paid Pro | Free |
| API/CI | Strong (API + scripts) | Strong | Pro extensions | CLI |
| Best for | Full app DAST, CI | Fast known-CVE checks | Manual pentesting | Quick server checks |
Common pairing: Nuclei for fast known-CVE detection plus ZAP for crawling application-level DAST.
Resources