
OWASP ZAP Tutorial: Free Vulnerability Scanner Download, Installation, and Report Guide

13 min read
#OWASP #ZAP #Security Scanner #Vulnerability Testing #DevSecOps


TL;DR

  • OWASP ZAP (Zed Attack Proxy) is a free, open-source web application vulnerability scanner and intercepting proxy
  • Runs on Windows, macOS and Linux, and ships as a Docker image
  • Provides passive scanning, active scanning, a Spider (plus an AJAX Spider for JavaScript-heavy sites) and a Fuzzer
  • Outputs reports in HTML, XML, JSON and Markdown
  • Integrates into CI/CD pipelines for automated security testing

What is OWASP ZAP?

OWASP ZAP (Zed Attack Proxy) is one of the most widely used free web application vulnerability scanners. It began as an OWASP flagship project, is maintained by an active open-source community, and is built specifically to find security weaknesses in web applications and APIs.

ZAP is an intercepting proxy. Point your browser (or test harness) at it and every HTTP request and response passes through ZAP on its way to the target, where ZAP can inspect, modify and replay the traffic and flag potential security issues.

To learn more about the OWASP organization and other security projects, refer to the OWASP Complete Guide.

Who Needs to Learn OWASP ZAP?

ZAP is suitable for these users:

  • Security Engineers: automated coverage before and alongside manual penetration testing
  • Developers: testing features for common web vulnerabilities before deployment
  • QA Testers: adding security checks to existing test plans
  • DevOps Engineers: building automated security scanning into pipelines

ZAP vs Burp Suite: Which to Choose?

The two most commonly compared tools are ZAP and Burp Suite.

| Comparison          | OWASP ZAP                                              | Burp Suite                                       |
|---------------------|--------------------------------------------------------|--------------------------------------------------|
| Price               | Completely free                                        | Community edition limited; Pro $449/year         |
| Open source         | Yes                                                    | No                                               |
| Automated scanning  | Free                                                   | Pro only (Community has no active scanner)       |
| API scanning        | Supported                                              | Supported                                        |
| CI/CD integration   | Native (packaged scripts, Docker image, Automation Framework) | Enterprise edition (Pro is a desktop tool) |
| Community support   | Active                                                 | Active                                           |
| Learning curve      | Medium                                                 | Medium to high                                   |

Recommendation: Budget limited or just starting—choose ZAP. Need more advanced manual testing features—consider Burp Suite Pro.

What Can ZAP Do? What Can't It Do?

What ZAP Can Do:

  • Automatically find common vulnerabilities like XSS, SQL Injection
  • Analyze website structure and all endpoints
  • Record and replay HTTP requests
  • Fuzzing
  • Generate professional scan reports

ZAP Limitations:

  • Does not find business logic flaws (authorization bypass, workflow abuse, price manipulation)
  • Weaker coverage of JavaScript-heavy single-page applications unless the AJAX Spider is used
  • Findings need manual triage; false positives are normal
  • Does not replace manual penetration testing

Installation and Setup

ZAP supports multiple installation methods. Choose what fits your environment best.

Windows Installation

  1. Go to the official ZAP download page (https://www.zaproxy.org/download/)
  2. Download Windows Installer (.exe file)
  3. Run installer, follow prompts to complete installation
  4. After installation, launch ZAP from Start menu

System Requirements:

  • Windows 10 or newer
  • Java 11 or newer (installer handles this automatically)
  • At least 4GB RAM (8GB recommended)

macOS Installation

Method 1: Using DMG Installer

  1. Download macOS DMG file
  2. Open DMG, drag ZAP to Applications folder
  3. First launch: hold Control, click, and select "Open"

Method 2: Using Homebrew

brew install --cask zap

Linux Installation

Installer script (any distribution):

# Download the cross-platform Linux installer (the version in the file name changes with each release)
wget https://github.com/zaproxy/zaproxy/releases/download/v2.15.0/ZAP_2_15_0_unix.sh

# Run installation
chmod +x ZAP_2_15_0_unix.sh
./ZAP_2_15_0_unix.sh

Using Snap:

sudo snap install zaproxy --classic

Docker Deployment (Recommended)

Docker is the cleanest deployment method. No system dependency concerns.

# Pull latest image
docker pull zaproxy/zap-stable

# Run ZAP
docker run -u zap -p 8080:8080 -p 8090:8090 -i zaproxy/zap-stable zap-webswing.sh

After running, open browser to http://localhost:8080/zap/ to use the web interface.

Headless Mode (for CI/CD):

docker run -v $(pwd):/zap/wrk/:rw -t zaproxy/zap-stable zap-baseline.py \
  -t https://example.com \
  -r report.html

ZAP Feature Details

ZAP provides four main scanning features. Understanding their differences lets you use them effectively.

Passive Scan

Passive scanning is the safest scanning method. It only analyzes traffic passing through ZAP without sending additional requests.

Passive Scan Can Find:

  • Missing security headers (like X-Frame-Options, CSP)
  • Cookie setting issues (missing HttpOnly, Secure flags)
  • Sensitive information leakage (like error messages, version info)
  • Insecure content loading (Mixed Content)

Usage:

  1. Configure browser Proxy to point to ZAP (default localhost:8080)
  2. Browse target website normally
  3. ZAP automatically analyzes all traffic
  4. Check "Alerts" tab to view found issues

Passive scanning sends nothing of its own, so it is safe on any site you are allowed to browse, production included. The flip side is that it only sees the requests you (or the Spider) make, so coverage is only as good as your browsing.
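
To make the "no extra requests" point concrete, here is a small re-implementation of a few of ZAP's passive header and cookie rules over one captured response. It is an added example written for this tutorial, not ZAP's own code; the plugin IDs are ZAP's real ones so the output lines up with the Alerts tab, but the rule logic is simplified and the response headers are constructed:

```python
"""Added example (not ZAP's code): what a passive rule sees in one response.

Passive rules only inspect traffic that already went through the proxy, so
nothing here sends a request. The checks mirror a few of ZAP's built-in
passive rules and reuse their plugin IDs: 10038 (CSP not set), 10020
(anti-clickjacking header), 10021 (X-Content-Type-Options), 10035 (HSTS),
10036 (Server version leak), 10010 / 10011 / 10054 (cookie HttpOnly /
Secure / SameSite). Several rules only apply to HTML responses or to HTTPS,
which is why the same headers yield different alerts over http and https.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    plugin_id: int   # ZAP's plugin ID for the equivalent rule
    name: str
    risk: str        # ZAP risk level: Informational / Low / Medium / High
    evidence: str


def _values(headers, name):
    """All values for a header name, case-insensitively (Set-Cookie may repeat)."""
    return [v for k, v in headers if k.lower() == name.lower()]


def check_cookie(set_cookie: str, is_https: bool) -> list[Alert]:
    """Cookie flag checks; Secure is only expected on cookies set over HTTPS."""
    parts = [p.strip() for p in set_cookie.split(";")]
    cookie_name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    alerts = []
    if "httponly" not in attrs:
        alerts.append(Alert(10010, "Cookie No HttpOnly Flag", "Low", cookie_name))
    if is_https and "secure" not in attrs:
        alerts.append(Alert(10011, "Cookie Without Secure Flag", "Low", cookie_name))
    if "samesite" not in attrs:
        alerts.append(Alert(10054, "Cookie without SameSite Attribute", "Low", cookie_name))
    return alerts


def passive_check(headers: list[tuple[str, str]], is_https: bool) -> list[Alert]:
    """Run the header and cookie checks over one response's headers."""
    alerts = []
    ctype = (_values(headers, "Content-Type") or [""])[0].lower()
    is_html = ctype.startswith("text/html")
    csp = " ".join(_values(headers, "Content-Security-Policy")).lower()
    if is_html and not csp:
        alerts.append(Alert(10038, "Content Security Policy (CSP) Header Not Set", "Medium", ctype))
    if is_html and not _values(headers, "X-Frame-Options") and "frame-ancestors" not in csp:
        alerts.append(Alert(10020, "Missing Anti-clickjacking Header", "Medium", "X-Frame-Options"))
    if not _values(headers, "X-Content-Type-Options"):
        alerts.append(Alert(10021, "X-Content-Type-Options Header Missing", "Low", "X-Content-Type-Options"))
    if is_https and not _values(headers, "Strict-Transport-Security"):
        alerts.append(Alert(10035, "Strict-Transport-Security Header Not Set", "Low", "Strict-Transport-Security"))
    for server in _values(headers, "Server"):
        if re.search(r"\d+\.\d+", server):   # a version number in the banner
            alerts.append(Alert(10036, 'Server Leaks Version Information via "Server" HTTP Response Header Field', "Low", server))
    for set_cookie in _values(headers, "Set-Cookie"):
        alerts.extend(check_cookie(set_cookie, is_https))
    return alerts


# Constructed sample: headers of a login page response as a browser would receive them via ZAP.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Server", "Apache/2.4.41 (Ubuntu)"),
    ("Set-Cookie", "JSESSIONID=9F3A2C1B; Path=/"),
    ("Set-Cookie", "theme=dark; Path=/; HttpOnly; Secure; SameSite=Lax"),
    ("X-Content-Type-Options", "nosniff"),
]

if __name__ == "__main__":
    for a in passive_check(SAMPLE_HEADERS, is_https=True):
        print(f"{a.plugin_id}  {a.risk:<6} {a.name}  [{a.evidence}]")
```

Run it and the sample response produces seven alerts over HTTPS (the session cookie alone accounts for three); run the same headers as an http:// response and the Secure-flag and HSTS alerts disappear, which is exactly the kind of context ZAP's real rules apply before raising an alert.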

Active Scan

Active scanning sends attack payloads (injected parameters, path tricks, malformed input) to the target and watches how the responses change. It is the most effective automated way to find injection-class vulnerabilities, but it is intrusive.

Active Scan Can Find:

  • SQL Injection
  • Cross-Site Scripting (XSS)
  • Path Traversal
  • Remote File Inclusion
  • Command Injection
  • Other OWASP Top 10 vulnerabilities

Usage:

  1. First use Spider or manual browsing to collect website structure
  2. In Sites tree, right-click target
  3. Select "Attack" → "Active Scan"
  4. Configure scan policy, click "Start Scan"

Warning: active scans generate heavy traffic, fill logs, submit every form they find (which can create, modify or delete data) and can destabilize fragile systems. Only run them against systems you have explicit permission to test, and exclude destructive functions from the scan scope.

Spider Crawler

Spider automatically explores all links and pages on a website. This is a necessary step before scanning.

Spider Features:

  • Automatically discover all accessible URLs
  • Find hidden directories and files
  • Identify forms and parameters
  • Build complete site map

Traditional Spider vs AJAX Spider:

| Type               | Use case                            | Characteristics                                                                  |
|--------------------|-------------------------------------|----------------------------------------------------------------------------------|
| Traditional Spider | Server-rendered sites, static pages | Parses HTML for links; fast, low resource use                                    |
| AJAX Spider        | SPAs, JavaScript-heavy sites        | Drives a real browser (Firefox/Chrome via Selenium); slower but finds JS-generated links |

Using AJAX Spider:

Right-click target URL → Attack → AJAX Spider

For React, Vue, Angular and other modern frontend framework sites, recommend running both Spiders.

Fuzzer

The Fuzzer is a more manual feature: you pick one request and one or more positions in it, and ZAP substitutes payloads from a list into those positions to see how the application handles unexpected input.

Fuzzer Use Cases:

  • Test input validation strength (length, type, encoding)
  • Trigger crashes or unhandled errors on oversized or malformed input
  • Probe API parameter boundaries
  • Brute-force or enumerate weak authentication (usernames, one-time codes, tokens)

Usage:

  1. Find target request in History
  2. Right-click, select "Attack" → "Fuzz"
  3. Select parameter position to test
  4. Choose Payload list (ZAP has many built-in)
  5. Start Fuzzing

Hands-On Tutorial

Theory done. Now hands-on.

Scanning Local Development Environment

This is the safest practice method. Scan your own development environment.

Steps:

  1. Start your local development server

    # Example Node.js project
    npm run dev
    # Assume running at http://localhost:3000
    
  2. Start ZAP and configure Proxy

    • Open ZAP
    • Default Proxy at localhost:8080
  3. Configure browser to use ZAP Proxy

    • Firefox recommended (has its own proxy settings, independent of the OS)
    • Or install the FoxyProxy extension to switch proxies quickly
    • Set HTTP and HTTPS proxy to 127.0.0.1:8080
    • For HTTPS targets, export ZAP's root CA (Tools → Options → Network → Server Certificates → Save) and import it into the browser; a plain http://localhost:3000 target needs no certificate
  4. Browse target website

    • Visit http://localhost:3000 with configured browser
    • Click all links, fill all forms
    • ZAP records all requests
  5. Run Active Scan

    • Find localhost:3000 in Sites panel
    • Right-click → "Attack" → "Active Scan"
    • Wait for scan completion
  6. Review Results

    • Switch to "Alerts" tab
    • Sort by severity

Scanning OWASP Juice Shop

Juice Shop is OWASP's official vulnerability practice platform. Excellent for learning.

For detailed Juice Shop walkthrough, refer to OWASP Juice Shop Tutorial.

Quick Juice Shop Setup:

docker run -d -p 3000:3000 bkimminich/juice-shop

Open browser to http://localhost:3000, you'll see a juice shop website.

ZAP Scanning Juice Shop:

  1. Enter target URL in ZAP: http://localhost:3000
  2. Run Spider to collect all pages
  3. Run Active Scan
  4. Review discovered vulnerabilities

Juice Shop intentionally has over 100 vulnerabilities. ZAP can find most auto-detectable issues.

Production Website Scanning Notes

Before scanning production websites, note the following:

Legal Responsibility:

  • Only scan websites you have authorization for
  • Getting written permission is safest
  • Unauthorized scanning may be illegal

Technical Considerations:

  • Avoid peak business hours
  • Lower scan intensity (Scan Policy)
  • Monitor target system load
  • Be ready to stop scanning anytime

Best Practices:

  • Verify in test environment first
  • Notify relevant IT personnel
  • Keep scan records
  • Exclude destructive or side-effecting functions (payment, deletion, logout, password reset) from the scan scope (right-click the node → Exclude from → Scanner, or exclude it from the Context)

Report Output and Interpretation

After scanning completes, generating reports is an important step.

Report Format Selection

ZAP supports multiple report formats:

| Format   | Use case               | Notes                                                        |
|----------|------------------------|--------------------------------------------------------------|
| HTML     | Human-readable reports | Styled, browser-viewable; "traditional" and "modern" templates |
| XML      | System integration     | Structured data, suitable for programmatic processing        |
| JSON     | API / CI integration   | Easy to parse; same alert fields as the XML report           |
| Markdown | Document integration   | Can be embedded in wikis, issues or pull requests            |

Generate Report:

  1. Menu: "Report" → "Generate Report"
  2. Select report format
  3. Select content to include (alert levels, detail level)
  4. Specify output path
  5. Click "Generate"

Report Content Interpretation

A ZAP report typically contains these sections:

1. Summary

  • Scan target URL
  • Scan time
  • Number of alerts found (categorized by level)

2. Alert Details

Each alert contains:

  • Name: Vulnerability type (like SQL Injection)
  • Risk Level: High / Medium / Low / Informational
  • Confidence: High / Medium / Low
  • Description: Vulnerability explanation
  • URL: Where the issue was found
  • Parameter: Affected parameter
  • Attack: Test payload ZAP used
  • Evidence: Abnormal content in system response
  • Solution: Fix recommendations
  • References: Related CWE, OWASP links

3. Prioritize by Risk Level

Recommended handling order:

  1. High: Fix immediately, can be exploited right away
  2. Medium: Fix soon, has some risk
  3. Low: Evaluate whether to fix
  4. Informational: FYI, usually suggestions

False Positive Identification Tips

ZAP isn't perfect. It produces false positives.

Common False Positive Situations:

  • Anti-CSRF token misjudgment: the "Absence of Anti-CSRF Tokens" rule only recognises the token names configured under Tools → Options → Anti-CSRF Tokens; a form using a custom token name (or a GET form that changes nothing) is flagged anyway
  • SQL injection false positive: the response changes or contains error-like text for reasons unrelated to the payload (non-deterministic pages, generic error handlers)
  • XSS false positive: the payload is reflected but properly encoded, so it never executes

Verification Methods:

  1. Manual verification: Try reproducing ZAP's attack
  2. Check evidence: See if "Evidence" field is reasonable
  3. Compare source code: Confirm handling logic at that location
  4. Use the confidence field: treat Low-confidence alerts as hypotheses to verify first; High-confidence alerts are wrong far less often

Record False Positives: In ZAP, confirmed false positives can be marked as "False Positive" to avoid repeated reports.


CI/CD Integration

Integrating security scanning into CI/CD Pipeline is a core DevSecOps practice.

ZAP CLI Tools

The Docker images ship three packaged scan scripts:

| Script           | Purpose             | Scan intensity                                                                    |
|------------------|---------------------|-----------------------------------------------------------------------------------|
| zap-baseline.py  | Quick baseline scan | Spiders for a bounded time (default 1 minute), then passive rules only; safe for production |
| zap-full-scan.py | Complete scan       | Spider plus active scan; intrusive                                                |
| zap-api-scan.py  | API scan            | Imports an OpenAPI, SOAP or GraphQL definition and actively scans the endpoints   |

GitHub Actions Integration

Create .github/workflows/zap-scan.yml in your project:

name: ZAP Security Scan

on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]
  schedule:
    - cron: '0 0 * * 0'  # every Sunday, 00:00 UTC

jobs:
  zap-scan:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: ZAP Baseline Scan
        # pin to a release tag from https://github.com/zaproxy/action-baseline/releases
        uses: zaproxy/action-baseline@<release-tag>
        with:
          target: 'https://your-staging-site.com'
          rules_file_name: '.zap/rules.tsv'
          allow_issue_writing: false   # otherwise the action opens a GitHub issue with the findings
          fail_action: true            # fail the job when the scan exits non-zero
          # the action itself uploads report_html.html, report_md.md and report_json.json
          # as the artifact "zap_scan"; no separate upload step is needed

Configure rules (.zap/rules.tsv). One tab-separated line per plugin ID: the ID, an action (IGNORE drops the alert, WARN reports it without failing, FAIL fails the scan) and a free-text name. Any rule not listed defaults to WARN:

10015	IGNORE	(Incomplete or No Cache-control)
10021	IGNORE	(X-Content-Type-Options Header Missing)
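
The packaged scripts also write the JSON report (-J) described under Report Content Interpretation, and in practice you often want a gate that combines that report with the rules.tsv above and the confidence-based triage from False Positive Identification Tips. The script below is an added example written for this tutorial, not one of ZAP's own scripts; the report and rules it contains are constructed sample data, and the gating policy (drop IGNORE rules and False-Positive-confidence alerts, queue Low-confidence alerts for manual review, fail on High risk or FAIL rules) is this tutorial's choice, not ZAP's default:

```python
"""Added example (not one of ZAP's scripts): gate a pipeline on ZAP's JSON report.

zap-baseline.py / zap-full-scan.py write the traditional JSON report with -J and
read their rules file with -c. This reads both: the three-column rules.tsv
(plugin id, IGNORE/WARN/FAIL, free-text name) and the report's site -> alerts
structure. Policy applied here (this tutorial's choice, not ZAP's defaults):
IGNORE rules and alerts at ZAP's "False Positive" confidence are dropped,
Low-confidence alerts go to a manual review queue, High risk or FAIL-ruled
alerts fail the build. The report and rules below are constructed sample data.
"""
import json
import sys

RISK = {"0": "Informational", "1": "Low", "2": "Medium", "3": "High"}
CONFIDENCE = {"0": "False Positive", "1": "Low", "2": "Medium", "3": "High", "4": "User Confirmed"}


def parse_rules(text: str) -> dict[str, str]:
    """rules.tsv lines are '<plugin id>\\t<IGNORE|WARN|FAIL>\\t(name)'; '#' comments and blanks are skipped."""
    rules = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        plugin_id, action = line.rstrip().split("\t")[:2]
        if action not in ("IGNORE", "WARN", "FAIL"):
            raise ValueError(f"rule {plugin_id}: unknown action {action!r}")
        rules[plugin_id] = action
    return rules


def triage(report: dict, rules: dict[str, str], min_confidence: int = 2) -> dict[str, list]:
    """Sort every alert into fail / warn / review / info / ignored.

    Each entry is (pluginid, alert name, risk, confidence, first affected URI)."""
    buckets = {"fail": [], "warn": [], "review": [], "info": [], "ignored": []}
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            pid, risk, conf = alert["pluginid"], int(alert["riskcode"]), int(alert["confidence"])
            uri = alert["instances"][0]["uri"] if alert.get("instances") else site["@name"]
            row = (pid, alert["alert"], RISK[alert["riskcode"]], CONFIDENCE[alert["confidence"]], uri)
            action = rules.get(pid)
            if action == "IGNORE" or conf == 0:          # ruled out, or marked False Positive in ZAP
                buckets["ignored"].append(row)
            elif conf < min_confidence:                   # ZAP itself is unsure: verify by hand first
                buckets["review"].append(row)
            elif action == "FAIL" or risk == 3:
                buckets["fail"].append(row)
            elif action == "WARN" or risk >= 1:
                buckets["warn"].append(row)
            else:                                         # Informational with no rule: FYI only
                buckets["info"].append(row)
    return buckets


def gate(report: dict, rules: dict[str, str]) -> int:
    """Print the triage and return the process exit code (1 = block the pipeline)."""
    buckets = triage(report, rules)
    for bucket in ("fail", "warn", "review", "info", "ignored"):
        for pid, name, risk, conf, uri in buckets[bucket]:
            print(f"{bucket.upper():<8}{pid:>6}  {risk}/{conf}  {name}  {uri}")
    return 1 if buckets["fail"] else 0


def _alert(pid, name, risk, conf, uri, param=""):
    """Build one alert in the shape ZAP's traditional JSON report uses (only the keys read above)."""
    return {"pluginid": pid, "alertRef": pid, "alert": name, "riskcode": risk, "confidence": conf,
            "riskdesc": f"{RISK[risk]} ({CONFIDENCE[conf]})",
            "instances": [{"uri": uri, "method": "GET", "param": param, "attack": "", "evidence": ""}]}


# Constructed sample report for a local test app; not output from a real scan.
SAMPLE_REPORT = {"@version": "2.15.0", "site": [{"@name": "http://localhost:3000", "@host": "localhost",
    "@port": "3000", "@ssl": "false", "alerts": [
    _alert("40018", "SQL Injection", "3", "2", "http://localhost:3000/search?q=x", "q"),
    _alert("40012", "Cross Site Scripting (Reflected)", "3", "1", "http://localhost:3000/search?q=x", "q"),
    _alert("10202", "Absence of Anti-CSRF Tokens", "2", "2", "http://localhost:3000/login"),
    _alert("10021", "X-Content-Type-Options Header Missing", "1", "2", "http://localhost:3000/"),
    _alert("10015", "Re-examine Cache-control Directives", "0", "1", "http://localhost:3000/"),
    _alert("10096", "Timestamp Disclosure - Unix", "1", "0", "http://localhost:3000/static/app.js"),
    _alert("10038", "Content Security Policy (CSP) Header Not Set", "2", "3", "http://localhost:3000/"),
]}]}

# Constructed rules.tsv (tab-separated, the format zap-baseline.py reads with -c).
SAMPLE_RULES = (
    "# alerts to ignore, warn on, or fail the build for\n"
    "10015\tIGNORE\t(Incomplete or No Cache-control)\n"
    "10021\tIGNORE\t(X-Content-Type-Options Header Missing)\n"
    "10202\tWARN\t(Absence of Anti-CSRF Tokens)\n"
    "90022\tFAIL\t(Application Error Disclosure)\n"
)

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: python zap_gate.py report_json.json rules.tsv
        with open(sys.argv[1]) as rep, open(sys.argv[2]) as rul:
            sys.exit(gate(json.load(rep), parse_rules(rul.read())))
    sys.exit(gate(SAMPLE_REPORT, parse_rules(SAMPLE_RULES)))
```

On the sample data the SQL Injection alert fails the build, the CSP and Anti-CSRF alerts are warnings, the Low-confidence reflected XSS lands in the review queue, and the two IGNORE rules plus the alert already marked False Positive in ZAP are dropped. Point the script at the real report_json.json and rules.tsv from a baseline run to get the same split in a pipeline step.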

GitLab CI Integration

Add to .gitlab-ci.yml:

zap-scan:
  stage: security
  image: zaproxy/zap-stable
  script:
    # the packaged scripts read and write under /zap/wrk, not the project directory
    - mkdir -p /zap/wrk
    # without -I the job fails on every WARN (the default action for unlisted rules)
    - zap-baseline.py -t "$STAGING_URL" -r report.html -J report.json -I
    - cp /zap/wrk/report.html /zap/wrk/report.json "$CI_PROJECT_DIR/"
  artifacts:
    when: always
    paths:
      - report.html
      - report.json
    expire_in: 1 week
  only:
    - merge_requests
    - main

Jenkins Integration

Using the ZAP Pipeline plugin:

  1. Install the "ZAP Pipeline" plugin (the steps below are its DSL; the older "Official OWASP ZAP" plugin is a freestyle build step and does not provide these Pipeline steps)
  2. Add to Pipeline script:
pipeline {
    agent any
    stages {
        stage('Security Scan') {
            steps {
                script {
                    // zapHome must point at the ZAP install on the agent (example path)
                    startZap(host: 'localhost', port: 8090, zapHome: '/opt/zaproxy')
                    runZapCrawler(host: 'https://your-app.com')
                    // the active scan runs against the URLs the crawler put in the session
                    runZapAttack()
                    // archive the report and fail the build on any High alert
                    archiveZap(failHighAlerts: 1)
                }
            }
        }
    }
}

Advanced Configuration

After mastering basics, these advanced features improve scanning effectiveness.

Custom Scan Rules

ZAP has hundreds of built-in scan rules. You can adjust based on needs.

Adjust Scan Policy:

  1. "Analyze" → "Scan Policy Manager"
  2. Select or create a Policy
  3. For each rule, set:
    • Threshold: how sure the rule must be before it raises an alert (Off / Default / Low / Medium / High; Low raises more alerts with more false positives)
    • Strength: how many attack variants the rule tries (Default / Low / Medium / High / Insane; directly affects scan time and target load)

Common Adjustment Recommendations:

  • For JSON APIs with no browser consumer, lower or switch off browser-oriented rules (e.g. DOM XSS) that cannot apply
  • For internal or test systems, raise Strength to get deeper coverage
  • For production, lower Strength and keep slow or heavy rules (time-based injection checks at high strength) out of the policy

Authentication Scan Configuration

Many websites require login to see full functionality. ZAP supports multiple authentication methods.

Form-Based Authentication:

  1. "Right-click target URL" → "Include in Context" → "New Context"
  2. In Context, select "Authentication"
  3. Select "Form-Based Authentication"
  4. Configure login URL and form parameters
  5. Set logout indicator (Logged-out indicator)

Session Management:

  • Cookie-based session
  • HTTP Authentication
  • Header-based session (e.g. an Authorization: Bearer JWT the application returns after login)
  • Script-based, for anything custom

Configure Login User:

  1. In Context's "Users" section
  2. Add user and corresponding credentials
  3. Select "Forced User Mode" to force specific identity

API Scanning

API scanning requires different methods.

Import API Definition:

ZAP supports importing:

  • OpenAPI / Swagger (JSON/YAML)
  • SOAP WSDL
  • GraphQL Schema

Import Method:

  1. "Import" → "Import an OpenAPI definition"
  2. Select local file or enter URL
  3. ZAP automatically creates all endpoints

API Scanning Best Practices:

  • Use zap-api-scan.py for automation
  • Provide correct authentication headers
  • Consider Rate Limiting, adjust scan speed
  • For GraphQL, ZAP can pull the schema via introspection; if introspection is disabled on the target, import the schema file instead

For more API security knowledge, refer to OWASP API Top 10.
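
The GUI steps in Authentication Scan Configuration (Context, Form-Based Authentication, Users), the per-rule overrides from Custom Scan Rules and the OpenAPI import above all have a headless equivalent: a ZAP Automation Framework plan. The plan below is an added example written for this tutorial, not a file shipped by the ZAP project. The hostnames, login form field names, the user, the excluded endpoint and the file paths are assumptions for a fictional staging site, and the password is taken from an environment variable rather than written into the plan:

```yaml
# Added example for this tutorial (not a file shipped by ZAP): an Automation
# Framework plan. All hosts, paths, field names and the user are assumptions.
env:
  contexts:
    - name: "staging-shop"
      urls:
        - "https://staging.example.com"
      includePaths:
        - "https://staging.example.com/.*"
      excludePaths:
        - "https://staging.example.com/logout.*"            # the Spider must not log the user out
        - "https://staging.example.com/api/account/delete"  # destructive endpoint kept out of scope
      authentication:
        method: "form"                  # other values: http, json, script, browser, autodetect
        parameters:
          loginPageUrl: "https://staging.example.com/login"
          loginRequestUrl: "https://staging.example.com/login"
          loginRequestBody: "username={%username%}&password={%password%}"
        verification:
          method: "response"            # inspect responses to detect a dropped session
          loggedInRegex: "\\QLog out\\E"
          loggedOutRegex: "\\QLog in\\E"
      sessionManagement:
        method: "cookie"                # for an Authorization: Bearer JWT use method: "headers"
      users:
        - name: "scan-user"
          credentials:
            username: "scanner@example.com"
            password: "${ZAP_SCAN_PASSWORD}"   # read from the environment; never commit secrets
  parameters:
    failOnError: true
    progressToStdout: true

jobs:
  - type: passiveScan-config
    parameters:
      scanOnlyInScope: true
      maxAlertsPerRule: 10              # keep the report readable

  - type: openapi                       # "Import an OpenAPI definition", headless
    parameters:
      apiFile: "/zap/wrk/openapi.yaml"  # or apiUrl: "https://staging.example.com/openapi.json"
      targetUrl: "https://staging.example.com"
      context: "staging-shop"

  - type: spider
    parameters:
      context: "staging-shop"
      user: "scan-user"                 # crawl as the logged-in user
      maxDuration: 5                    # minutes

  - type: activeScan
    parameters:
      context: "staging-shop"
      user: "scan-user"
      maxScanDurationInMins: 30
    policyDefinition:                   # the Scan Policy Manager, as configuration
      defaultStrength: "Medium"
      defaultThreshold: "Medium"
      rules:
        - id: 40026                     # Cross Site Scripting (DOM Based): no browser consumes this API
          threshold: "Off"

  - type: passiveScan-wait              # let queued passive checks finish before reporting

  - type: report
    parameters:
      template: "traditional-json"
      reportDir: "/zap/wrk"
      reportFile: "zap-report"
```

Run it with zap.sh -cmd -autorun zap-plan.yaml, or inside the container with docker run -v $(pwd):/zap/wrk/:rw -t zaproxy/zap-stable zap.sh -cmd -autorun /zap/wrk/zap-plan.yaml. ZAP logs in as scan-user before the spider and the active scan, re-authenticates whenever a response matches loggedOutRegex, and writes the JSON report into the mounted directory, where a gate like the one in the CI/CD section can pick it up.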


FAQ

Q1: Is OWASP ZAP Free?

Yes. ZAP is open source under the Apache 2.0 license. Personal use, commercial use and bundling into products are all allowed without payment. The source is public on GitHub (github.com/zaproxy/zaproxy) and anyone can contribute.

Q2: Is Scanning Other People's Websites Legal?

Unauthorized scanning may be illegal. Even "well-intentioned" testing without the owner's written authorization is a criminal offence in many jurisdictions, and active scanning in particular leaves unambiguous traces in the target's logs. Recommendations:

  • Only scan your own websites or authorized targets
  • Use Juice Shop, WebGoat and other practice platforms for learning
  • In enterprise environments, obtain formal test authorization documents

Q3: Can ZAP Find All Vulnerabilities?

No. ZAP is an automated tool with limitations:

  • Business logic vulnerabilities (like permission bypasses) require manual testing
  • Some complex vulnerabilities need specific contexts to trigger
  • JavaScript-heavy websites may not be fully crawled
  • False positives and false negatives occur

ZAP should be a starting point for security testing, not the endpoint. Combine with manual penetration testing for more complete security assessment.


Conclusion

OWASP ZAP is a core tool for anyone testing web applications: free, open source and scriptable. To practice further, try OWASP Mobile and IoT Security for mobile device testing techniques.

Key Takeaways:

  1. Easy Installation: Multi-platform support, Docker deployment most convenient
  2. Four Main Features: Passive scanning, Active scanning, Spider, Fuzzer
  3. Professional Reports: Multi-format output for different purposes
  4. CI/CD Friendly: Native automation integration support

Learning ZAP enables you to:

  • Find security issues during development
  • Build automated security scanning processes
  • Generate professional security assessment reports

Next Step Recommendations:

  • Practice with Juice Shop
  • Try integrating ZAP into your CI/CD
  • Learn report interpretation and false positive identification
