
OWASP ZAP

OWASP ZAP (Zed Attack Proxy) is an open-source intercepting proxy and web application security scanner. It sits between the browser (or test suite) and the target, records every request and response, passively checks the recorded traffic for weaknesses, and can actively replay the recorded requests with attack payloads.

Installation

# Download from https://www.zaproxy.org/download/ (needs a Java runtime)

# Kali Linux: the package and the launcher are both called zaproxy
sudo apt install zaproxy
zaproxy

Quick Start

# Start ZAP with the desktop UI (zap.bat on Windows)
zap.sh

# Headless daemon: no UI, driven entirely through the REST API. Bind it to
# localhost and set an API key so only your own tooling can control it;
# anyone who can reach an unauthenticated daemon can launch attacks through it.
zap.sh -daemon -host 127.0.0.1 -port 8080 -config api.key=changeme
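In daemon mode there is no UI, so the workflow is: route traffic through the proxy, wait for the passive scanner to finish with it, then pull the alerts. The client below is an added example (not ZAP project code) that does exactly that against ZAP's JSON API (GET /JSON/<component>/<view|action>/<name>/, API key in the X-ZAP-API-Key header). The API key "changeme", the target http://localhost:3000 and the canned daemon responses are constructed for the example so it runs offline; swap the fake fetch for the default HTTP transport to use it against a real daemon.

```python
"""Talk to a headless ZAP daemon over its JSON API.

Added example, not ZAP project code. Assumes the daemon was started with
  zap.sh -daemon -host 127.0.0.1 -port 8080 -config api.key=changeme
and that the traffic to inspect has already been sent through the proxy.
"""
import json
import time
import urllib.parse
import urllib.request

RISK_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}


class ZapApi:
    """Minimal client: every call is GET /JSON/<component>/<view|action>/<name>/."""

    def __init__(self, base="http://127.0.0.1:8080", api_key="", fetch=None):
        self.base = base.rstrip("/")
        self.api_key = api_key
        # fetch(url) -> response body as str; replaced by a fake in tests
        self.fetch = fetch or self._http_get

    def _http_get(self, url):
        req = urllib.request.Request(url, headers={"X-ZAP-API-Key": self.api_key})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.read().decode("utf-8")

    def call(self, component, kind, name, **params):
        url = f"{self.base}/JSON/{component}/{kind}/{name}/"
        if params:
            url += "?" + urllib.parse.urlencode(params)
        return json.loads(self.fetch(url))

    def records_to_scan(self):
        # pscan/view/recordsToScan: proxied messages the passive scanner has not
        # processed yet. Alerts are only complete once this reaches 0.
        return int(self.call("pscan", "view", "recordsToScan")["recordsToScan"])

    def wait_for_passive_scan(self, timeout=120, poll=2.0, sleep=time.sleep):
        """Poll until the passive queue drains; False if the timeout expires."""
        deadline = time.monotonic() + timeout
        while self.records_to_scan() > 0:
            if time.monotonic() >= deadline:
                return False
            sleep(poll)
        return True

    def alerts(self, baseurl, min_risk="Medium"):
        # core/view/alerts returns one entry per alert instance; filter on risk
        # so informational noise does not bury the findings that matter.
        data = self.call("core", "view", "alerts", baseurl=baseurl, start=0, count=5000)
        return [a for a in data["alerts"]
                if RISK_RANK.get(a["risk"], 0) >= RISK_RANK[min_risk]]


# --- constructed fake daemon so the example runs offline (not real ZAP output) ---
_FAKE_ALERTS = {"alerts": [
    {"pluginId": "10021", "risk": "Low", "confidence": "Medium",
     "alert": "X-Content-Type-Options Header Missing", "url": "http://localhost:3000/"},
    {"pluginId": "10038", "risk": "Medium", "confidence": "High",
     "alert": "Content Security Policy (CSP) Header Not Set", "url": "http://localhost:3000/"},
    {"pluginId": "40012", "risk": "High", "confidence": "Medium",
     "alert": "Cross Site Scripting (Reflected)", "url": "http://localhost:3000/search?q=x"},
]}


def make_fake_fetch(pending_sequence):
    """Canned transport: recordsToScan walks down pending_sequence and then
    sticks at its last value; the alerts view returns the constructed alerts."""
    pending = list(pending_sequence)

    def fetch(url):
        path = urllib.parse.urlsplit(url).path
        if path == "/JSON/pscan/view/recordsToScan/":
            value = pending.pop(0) if len(pending) > 1 else pending[0]
            return json.dumps({"recordsToScan": str(value)})
        if path == "/JSON/core/view/alerts/":
            return json.dumps(_FAKE_ALERTS)
        raise ValueError(f"unexpected API call: {url}")
    return fetch


def demo(min_risk="Medium"):
    """Daemon workflow against the fake: wait for pscan, then list plugin IDs."""
    zap = ZapApi(api_key="changeme", fetch=make_fake_fetch([3, 1, 0]))
    drained = zap.wait_for_passive_scan(timeout=10, sleep=lambda s: None)
    ids = [a["pluginId"] for a in zap.alerts("http://localhost:3000", min_risk)]
    return drained, ids


if __name__ == "__main__":
    print(demo())
```

Against a real daemon, construct ZapApi(api_key="changeme") with no fetch argument; the only other change needed is sending the traffic (browser or test suite with HTTP_PROXY=http://127.0.0.1:8080) before calling wait_for_passive_scan.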

Common Tasks

Proxying Traffic

Proxy host: 127.0.0.1
Proxy port: 8080 (or whatever -port was given at startup)

ZAP only sees traffic that is routed through it, so configure the browser, curl or the test suite to use that proxy. For HTTPS, ZAP re-signs every site with its own root CA; export that certificate from the Options dialog and import it into the browser's trust store, otherwise TLS sites fail with certificate errors. Remove it again when the engagement is over, since any trust store that holds it will accept anything signed by that ZAP instance.

Quick Scan (spider + active scan)

-quickurl has no spider-only mode: it spiders the URL, actively scans everything the spider found, and exits. Run it only against systems you are authorized to attack; the active scanner sends real injection payloads and will modify state in an application that is not prepared for it.

# Spider and active scan, printing progress to the console
zap.sh -cmd -quickurl "https://target.com" -quickprogress

# Same, writing the findings to a report; the extension picks the format
# (.html, .xml, .json or .md)
zap.sh -cmd -quickurl "https://target.com" -quickout zap-report.html

For a spider-only run, drive the daemon through the spider API (/JSON/spider/action/scan/) or use an Automation Framework plan that has a spider job and no activeScan job.

Scenarios

# Quick scan a staging site and save the report
zap.sh -cmd -quickurl "https://staging.target.com" -quickout zap-report.html

# Passive scan a local dev server: start the daemon, route the browser or the
# integration tests through 127.0.0.1:8080, then read the alerts from the API.
# Nothing is attacked; ZAP only inspects the traffic it proxies. Pick another
# -port if the dev server itself already listens on 8080.
zap.sh -daemon -host 127.0.0.1 -port 8080 -config api.key=changeme

# Scan an authenticated app. -quickurl cannot log in, and -configfile loads a
# ZAP properties file (key=value overrides), not a context. Use an Automation
# Framework plan instead: its env.contexts entry defines the authentication
# method, session management and a user, and its spider and activeScan jobs
# run as that user. Requires the automation add-on.
zap.sh -cmd -autorun zap-plan.yaml
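The staging-site scenario is usually a CI step, and the useful output of -quickout is a machine-readable file (zap-report.json) rather than the HTML. The script below is an added example (not ZAP project code) of the gate that reads such a report and fails the build on findings above a chosen risk, after dropping low-confidence alerts and plugin IDs that were triaged as false positives for this application. The embedded report is constructed to follow the layout of ZAP's traditional JSON report (site, alerts, instances; riskcode 0..3 is Informational..High, confidence 0..3 is False Positive..High); the host and the three findings are invented for the example.

```python
"""CI gate for a ZAP quick-scan report written with
  zap.sh -cmd -quickurl "https://staging.target.com" -quickout zap-report.json

Added example, not ZAP project code. SAMPLE_REPORT is constructed in the layout
of ZAP's traditional JSON report; it is not real scan output.
"""
import json
import sys

RISK_NAME = {"0": "Informational", "1": "Low", "2": "Medium", "3": "High"}
RISK_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}

SAMPLE_REPORT = json.loads("""
{
  "@programName": "ZAP",
  "site": [{
    "@name": "https://staging.target.com",
    "alerts": [
      {"pluginid": "10038", "alert": "Content Security Policy (CSP) Header Not Set",
       "riskcode": "2", "confidence": "3", "riskdesc": "Medium (High)",
       "instances": [{"uri": "https://staging.target.com/", "method": "GET", "param": ""}]},
      {"pluginid": "40018", "alert": "SQL Injection",
       "riskcode": "3", "confidence": "2", "riskdesc": "High (Medium)",
       "instances": [{"uri": "https://staging.target.com/search?q=1", "method": "GET", "param": "q"}]},
      {"pluginid": "10021", "alert": "X-Content-Type-Options Header Missing",
       "riskcode": "1", "confidence": "2", "riskdesc": "Low (Medium)",
       "instances": [{"uri": "https://staging.target.com/", "method": "GET", "param": ""}]}
    ]
  }]
}
""")


def summarize(report):
    """Count alerts per risk level across every site in the report."""
    counts = {name: 0 for name in RISK_RANK}
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            counts[RISK_NAME.get(str(alert.get("riskcode")), "Informational")] += 1
    return counts


def failing_alerts(report, threshold="High", min_confidence=2, ignore_plugins=()):
    """Alerts that should fail the build: risk at or above threshold, confidence
    at or above min_confidence (the default drops Low and False Positive), and
    plugin ID not on the list triaged as a false positive for this app."""
    ignored = {str(p) for p in ignore_plugins}
    hits = []
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            risk = RISK_NAME.get(str(alert.get("riskcode")), "Informational")
            if RISK_RANK[risk] < RISK_RANK[threshold]:
                continue
            if int(alert.get("confidence", 0)) < min_confidence:
                continue
            if str(alert.get("pluginid")) in ignored:
                continue
            hits.append({
                "pluginid": alert.get("pluginid"),
                "alert": alert.get("alert"),
                "risk": risk,
                "uris": [i.get("uri") for i in alert.get("instances", [])],
            })
    return hits


def main(argv):
    """Usage: zap-gate.py zap-report.json [High|Medium|Low] [ignored plugin IDs...]"""
    path = argv[1]
    threshold = argv[2] if len(argv) > 2 else "High"
    with open(path, encoding="utf-8") as fh:
        report = json.load(fh)
    print("alerts by risk:", summarize(report))
    hits = failing_alerts(report, threshold, ignore_plugins=argv[3:])
    for h in hits:
        print(f"FAIL {h['risk']:<6} [{h['pluginid']}] {h['alert']}: {', '.join(h['uris'])}")
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

With the sample, a High threshold fails only on the SQL Injection alert; lowering it to Medium also pulls in the missing CSP header, and passing 40018 as an ignored plugin ID (after someone has actually confirmed it is a false positive) lets the build pass. Ignore lists belong in version control next to the plan so the suppression is reviewed like any other change.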

Useful Add-ons

Installed from the Marketplace in the UI or with -addoninstall <id> on the command line; the scan rule packs ship with the default install.

  • Passive scan rules: header, cookie and information-leak checks on proxied traffic, no requests sent
  • Active scan rules: injection, traversal and similar attack rules used by the active scanner
  • Authentication and session management helpers: form, JSON and script-based login plus cookie and header session handling, needed before an authenticated scan will see anything past the login page
  • Automation Framework: runs YAML plans with -autorun, the supported way to script authenticated scans headlessly