OWASP Developer Guide

Zed Attack Proxy

6.2.1 Zed Attack Proxy

The Zed Attack Proxy (ZAP) verification and testing project is a widely used dynamic application security testing tool for web applications and proxies.

ZAP was for a long time an OWASP Flagship project and is now a project within Crash Override. Installers for various platforms can be downloaded from the ZAP website.

What is ZAP?

The Zed Attack Proxy is a tool that dynamically scans web applications. ZAP can be used manually to test applications or can be run within an automated CI/CD pipeline environment.

It is commonly used for Dynamic Application Security Testing (DAST), both manual DAST and automated in pipelines. ZAP is also widely used for:

  • Vulnerability Assessment
  • Penetration Testing
  • Runtime Testing
  • Code Review

Why use it?

ZAP is easily installed, intuitive to use and is regularly updated to meet the evolving threat landscape.

ZAP is an effective tool that is widely used by a large community of testers, application developers and security engineers. This makes it a tool that many teams will already be familiar with and are probably already using; you can almost regard ZAP as a common language within the security community when it comes to web application testing.

How to use it

The OWASP Spotlight series provides an overview of using ZAP: ‘Project 12 - OWASP Zed Attack Proxy (ZAP)’.

ZAP installers can be downloaded for Windows, Linux and macOS. Once installed, follow the getting started guide for an introduction to using it manually via the UI or automatically within a CI/CD environment - and definitely check out the Heads Up Display mode.
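When ZAP runs inside a pipeline, the build usually needs a quality gate that reads the scan report and decides whether to fail the stage. The following is an added example, not code from the Developer Guide or the ZAP project: it parses a report in the shape of the JSON file that zap-baseline.py writes with its -J option and fails on alerts at or above a chosen risk level with at least a given confidence. The sample report is constructed, and the field names (site, alerts, pluginid, riskcode, confidence, instances) are an assumption based on ZAP's traditional JSON report layout.

```python
import json

# Constructed sample shaped like a ZAP JSON report (zap-baseline.py -J);
# the field names are an assumption based on ZAP's traditional report format.
SAMPLE_REPORT = json.dumps({"@version": "2.15.0", "site": [{
    "@name": "http://example.test",
    "alerts": [
        {"pluginid": "40012", "alert": "Cross Site Scripting (Reflected)",
         "riskcode": "3", "confidence": "2", "cweid": "79",
         "instances": [{"uri": "http://example.test/search?q=x", "method": "GET", "param": "q"}]},
        {"pluginid": "10038", "alert": "Content Security Policy (CSP) Header Not Set",
         "riskcode": "2", "confidence": "3", "cweid": "693",
         "instances": [{"uri": "http://example.test/", "method": "GET", "param": ""}]},
        {"pluginid": "10021", "alert": "X-Content-Type-Options Header Missing",
         "riskcode": "1", "confidence": "2", "cweid": "693",
         "instances": [{"uri": "http://example.test/", "method": "GET", "param": ""}]},
    ]}]})

RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}


def load_alerts(report_json):
    """Flatten the alerts of every site in a ZAP JSON report into plain dicts."""
    alerts = []
    for site in json.loads(report_json).get("site", []):
        for alert in site.get("alerts", []):
            alerts.append({
                "pluginid": alert["pluginid"],
                "alert": alert["alert"],
                "risk": int(alert["riskcode"]),          # 0 Informational .. 3 High
                "confidence": int(alert["confidence"]),  # 0 False positive .. 3 High
                "instances": len(alert.get("instances", [])),
            })
    return alerts


def gate(report_json, fail_risk=2, min_confidence=2, ignore=()):
    """Return (passed, failing_alerts). An alert fails the build when its risk is at
    least fail_risk and its confidence at least min_confidence, unless its plugin id
    is in ignore (the equivalent of an IGNORE rule in a zap-baseline config file)."""
    failing = [a for a in load_alerts(report_json)
               if a["risk"] >= fail_risk and a["confidence"] >= min_confidence
               and a["pluginid"] not in set(ignore)]
    failing.sort(key=lambda a: (-a["risk"], -a["confidence"], a["pluginid"]))
    return not failing, failing


if __name__ == "__main__":
    passed, failing = gate(SAMPLE_REPORT, ignore=("10038",))
    for a in failing:
        print(f"{RISK_NAMES[a['risk']]:<8} {a['pluginid']} {a['alert']} ({a['instances']} instance(s))")
    raise SystemExit(0 if passed else 1)  # a non-zero exit code fails the pipeline stage
```

Tune fail_risk and min_confidence to the stage: a pull-request check might fail only on High-risk, High-confidence alerts, while a nightly scan can be stricter and report everything down to Low.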

References


The OWASP Developer Guide is a community effort; if there is something that needs changing then submit an issue or edit on GitHub.

\newpage