ZAP (software)
OWASP ZAP (Zed Attack Proxy) is a free, open-source penetration testing tool specifically designed for identifying security vulnerabilities in web applications through automated and manual scanning.[1][2] Developed as a fork of the Paros Proxy in 2009, ZAP was officially named and released in its initial version in 2010 by the OWASP Foundation, evolving from early concepts like "The Pentest" to become a community-driven project.[3][4] It operates primarily as a man-in-the-middle proxy, intercepting and inspecting HTTP messages between a browser and web server to allow for real-time analysis, modification, and replay of traffic.[1] This core functionality enables both passive scanning—where ZAP monitors traffic without active interference—and active scanning, which proactively tests for common vulnerabilities such as SQL injection, cross-site scripting (XSS), and insecure configurations.[1][5] ZAP supports cross-platform deployment on Windows, Linux, and macOS, as well as containerized environments like Docker, making it accessible for developers, security professionals, and penetration testers.[1] Key features include an intuitive desktop user interface with tabs for history, sites, alerts, and fuzzing; an extensible add-on marketplace for custom scripts and integrations; and automation capabilities via APIs for continuous integration in DevSecOps pipelines.[1][6] The tool also offers a Heads Up Display (HUD) mode for in-browser testing and supports scripting in languages like JavaScript and Zest for advanced customization.[1] As one of the most widely used open-source dynamic application security testing (DAST) tools, ZAP is actively maintained by an international development team with support from sponsors like Checkmarx, ensuring regular updates and a robust ecosystem for vulnerability detection in modern web environments.[7][3] Its integration into OWASP projects underscores its role in promoting secure software development practices globally.[2]
Overview
Purpose and Functionality
OWASP ZAP (Zed Attack Proxy) is an open-source dynamic application security testing (DAST) tool designed to identify vulnerabilities in web applications during development and testing phases.[8][2] It functions as an integrated penetration testing platform, enabling users to detect security issues such as SQL injection, cross-site scripting (XSS), and broken authentication mechanisms.[8][2] The core purpose of ZAP is to assist penetration testers, developers, and functional testers in proactively uncovering web application weaknesses through a combination of automated scanning and manual exploration techniques.[8] As an OWASP Flagship Project, it emphasizes accessibility for users across skill levels, from those new to security testing to experienced professionals.[8][2] At a high level, ZAP operates by acting as a proxy between the user's browser and the target web application, capturing HTTP/HTTPS traffic to map the application's structure and identify potential entry points for attacks.[1] This workflow proceeds with automated scans to probe for vulnerabilities, followed by the generation of detailed reports highlighting risks and remediation suggestions.[8] ZAP's design prioritizes ease of use, allowing novices to leverage out-of-the-box automated scans while providing experts with flexible manual tools for in-depth investigation.[8][2]
Licensing and Platform Support
ZAP is released under the Apache License 2.0, a permissive open-source license that allows users to freely use, modify, and distribute the software for both commercial and non-commercial purposes, provided that the copyright notice and permission notice are included in all copies or substantial portions of the software. This licensing model promotes widespread adoption and community involvement without restrictive requirements.[9] Originally developed and maintained under the OWASP Foundation since its first release in 2010, ZAP transitioned to an independent open-source project in September 2023 to better secure funding for ongoing development.[10][11] In 2024, the project partnered with Checkmarx, with three core team members joining the company, leading to its branding as "ZAP by Checkmarx" while remaining open-source and community-driven.[11][12] Contributions from a global developer community continue to shape its evolution through the project's GitHub repository.[13] As a cross-platform Java application, ZAP supports Windows, macOS, and Linux operating systems, with compatibility extending to resource-constrained environments like the Raspberry Pi.[14] It requires Java 17 or higher to run and is also available via Docker containers for containerized deployments.[15][16] Distribution occurs through multiple channels, including official installers and packages downloadable from the ZAP website, which link to GitHub releases for the latest versions.[15] The source code is hosted on GitHub at github.com/zaproxy/zaproxy, enabling direct access for building and customization.[13] Additionally, ZAP is accessible via various package managers, such as Homebrew for macOS (brew install --cask zap), Flathub and Snapcraft for Linux, and Winget or Scoop for Windows.[15]
The core ZAP tool is provided at no cost, emphasizing its accessibility as a free security testing resource.[7] Optional commercial extensions and services, including enhanced support and integrations, are available through partners like Checkmarx, which incorporates ZAP into its broader application security offerings.[17][18]
History and Development
Origins and Early Development
OWASP ZAP, or Zed Attack Proxy, was created in 2010 by Simon Bennetts as a fork of the Paros proxy tool, which had become neglected despite its earlier popularity in web application security testing.[19] Bennetts aimed to revive and enhance the codebase to provide a more maintainable, open-source option for intercepting and analyzing web traffic, addressing the limitations of outdated tools in the growing field of application security.[20] The initial motivation stemmed from the need for an accessible, community-driven web vulnerability scanner that could serve the OWASP community without the complexity or cost of commercial alternatives like Burp Suite.[21] Bennetts, serving as the lead developer, emphasized a graphical user interface (GUI) to make the tool approachable for non-experts, including developers and security testers new to penetration testing workflows.[22] Early development focused on core proxy functionality and basic active scanning capabilities, positioning ZAP as a practical entry point for identifying common web vulnerabilities like injection flaws and cross-site scripting.[19] The first public release, version 1.0, occurred on September 6, 2010, marking ZAP's debut as an independent project before its formal acceptance into OWASP later that December.[23] This timing coincided with another Paros fork called Andiparos, but ZAP differentiated itself through its Apache License 2.0 and developer-oriented features, quickly attracting contributors like Axel Neumann.[20] The release gained rapid traction within the security community, with Bennetts demonstrating it at conferences such as Black Hat, where it was highlighted for its ease of use and extensibility.[19] Following its adoption as an official OWASP project, ZAP's early evolution laid the groundwork for broader community involvement under the organization's umbrella.[23]
Major Milestones and Releases
In 2011, ZAP version 1.3.0 introduced active and passive scanning modes, along with fuzzing capabilities, a new API for automation, full internationalization, and Beanshell integration, marking a significant expansion in its security testing functionalities. These enhancements enabled more robust vulnerability detection and laid the groundwork for programmatic integration. By 2013, version 2.0.0 launched the add-on marketplace, facilitating community-contributed extensions, while adding support for the Ajax spider, WebSockets, and a quick start tab to streamline user workflows.[24] Later in 2013, version 2.2.0 further advanced automation through enhanced scripting with Zest and Plug-n-Hack support, allowing for more dynamic and customizable testing scenarios. In 2014, version 2.3.0 revamped authentication handling to support complex scenarios and non-standard applications.[25] Version 2.4.0, released in June 2015, introduced attack mode, advanced fuzzing, and refined scan options, enhancing penetration testing efficiency.[26] From 2016 to 2020, ZAP continued to evolve with key usability improvements. A major milestone came in 2019 with version 2.8.0, which debuted the Heads-Up Display (HUD) for in-browser testing, bringing ZAP's tools directly into the web environment for easier exploration and scanning.[27] The project's 10th anniversary in 2020 was celebrated with version 2.10.0, a bug fix and enhancement release that required Java 8 minimum and emphasized stability for broader adoption.[28] Recent releases have focused on integration and performance. 
Version 2.14.0 in October 2023 provided bug fixes and enhancements supporting CI/CD pipeline automation through the existing framework, enabling seamless security scans in development workflows.[29] In May 2024, version 2.15.0 introduced scripts as first-class scan rules, restructured desktop menus, and a new log level command-line option, improving customization and automation flexibility.[30] Version 2.16.0, released in January 2025, shifted the minimum Java requirement to 17, added a Client Spider for modern applications, detachable tabs, standard scan policies, and site tree export for differential analysis, with further API security enhancements and performance optimizations. A bug fix follow-up, 2.16.1 in March 2025, included API support for pluggable authentication and Windows native decorations.[31] In August 2023, the ZAP team announced its transition from the OWASP Foundation to the Software Security Project (SSP) effective September 2023, to secure sustainable funding while maintaining its open-source nature.[32] This was followed in September 2024 by a partnership with Checkmarx, which sponsored core maintenance and employed the project leads to ensure ongoing development.[12] ZAP's growth has been driven by a vibrant community, with the project achieving Top 1000 status on GitHub by 2020, reflecting millions of annual downloads.[13]
Core Features
Intercepting Proxy
ZAP's intercepting proxy serves as a man-in-the-middle (MITM) tool that captures and analyzes HTTP and HTTPS traffic between a client's browser or application and the target web server, enabling security testers to inspect and manipulate communications in real-time.[33] This functionality is foundational for manual penetration testing, allowing users to observe all requests and responses, including dynamic AJAX interactions, without altering the underlying application flow unless explicitly modified.[33] To configure the proxy, users set their browser or application's proxy settings to route traffic through ZAP's default endpoint at localhost:8080, which can be adjusted via the Options > Network menu.[34] For HTTPS interception, ZAP automatically generates a unique root CA certificate (2048-bit RSA with SHA-1 signature, valid for one year) on first use and dynamically creates site-specific sub-certificates for each secure connection, enabling decryption while maintaining the illusion of a trusted server to the client.[35] Testers must then install this root CA as a trusted authority in their browser—such as importing the .cer file into Firefox's Certificate Authorities or adding it to Windows' Trusted Root Certification Authorities store—to avoid certificate warnings and ensure seamless MITM proxying.[35] Key operations within the proxy include viewing raw request and response data in dedicated tabs, editing payloads to test for vulnerabilities like injection flaws, and setting breakpoints to pause traffic for on-the-fly modifications before forwarding.[36] Breakpoints can be applied globally to all requests/responses or selectively to specific URLs, sites, or patterns via the toolbar or right-click menus in the History or Sites tabs, facilitating precise control during testing.[36] Additionally, users can replay intercepted requests directly from the history, repeating them against the target to verify behaviors or chain attacks.[36] A distinctive aspect of ZAP's proxy is its integration of passive scanning, which automatically analyzes proxied messages for low-risk vulnerabilities—such as outdated headers or exposed information—without sending additional probes or disrupting the session.[37] This background process runs on all HTTP and WebSocket traffic routed through the proxy, providing immediate alerts in the Alerts tab while keeping the testing workflow non-intrusive.[37] The proxy integrates seamlessly with any standard browser or application supporting proxy configuration, including support for WebSocket connections via the WebSockets add-on, which intercepts bidirectional traffic post-HTTP handshake for inspection and manipulation.[38] It also handles traffic from modern web technologies, such as API calls, as part of its comprehensive HTTP/HTTPS proxying capabilities.[33]
Automated Scanning
ZAP's automated scanning capabilities encompass two distinct modes: passive scanning and active scanning, enabling comprehensive vulnerability detection without requiring manual intervention for each test. Passive scanning operates by analyzing all HTTP and WebSocket messages that pass through ZAP's proxy, identifying potential issues such as missing or invalid security headers like X-Frame-Options or Content-Security-Policy frame-ancestors directives. This mode includes 73 built-in rules that flag informational discrepancies, application errors, and other passive indicators of misconfiguration or weakness in responses.[39][37] In contrast, active scanning proactively probes targets by injecting crafted payloads to simulate attacks, testing for exploitable vulnerabilities such as SQL injection, cross-site scripting (XSS), and path traversal. It features 62 built-in rules, many of which directly address risks from the OWASP Top 10, including injection flaws and broken access control. These rules are customizable through scan policies, where users can adjust thresholds—low, medium, or high—to control aggressiveness, such as limiting certain checks (e.g., HTTP PUT methods in XSS rules) at higher thresholds to balance thoroughness and performance. 
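The passive checks described above never send a request of their own; they only inspect responses already flowing through the proxy. The following added example (not ZAP's rule code, and using alert names that merely follow the convention of ZAP's rules) shows what that class of check looks like over a captured response: it parses a raw HTTP response, applies a handful of header rules, and reports risk levels in ZAP's High/Medium/Low/Informational scale. It mirrors one detail from the text, namely that a missing X-Frame-Options header is only flagged when the Content-Security-Policy has no frame-ancestors directive. Both sample responses are constructed here, not captured from any real site.

```python
"""Passive header checks over captured HTTP responses, modelled on the class of
rules ZAP's passive scanner runs. Added example; not ZAP's own rule code."""
from dataclasses import dataclass, field


@dataclass
class Alert:
    name: str
    risk: str          # ZAP-style levels: High, Medium, Low, Informational
    evidence: str = ""


@dataclass
class Response:
    url: str
    status: int
    headers: dict = field(default_factory=dict)   # lower-cased header names
    body: str = ""


def parse_raw_response(url, raw):
    """Split a raw HTTP/1.1 response (as a proxy would capture it) into parts."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])            # "HTTP/1.1 200 OK" -> 200
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")      # split at the first colon only
        headers[name.strip().lower()] = value.strip()
    return Response(url, status, headers, body)


def is_html(resp):
    return "text/html" in resp.headers.get("content-type", "")


def check_anti_clickjacking(resp):
    # Only HTML can be framed; CSP frame-ancestors supersedes X-Frame-Options.
    if not is_html(resp) or "frame-ancestors" in resp.headers.get("content-security-policy", ""):
        return None
    if "x-frame-options" not in resp.headers:
        return Alert("Missing Anti-clickjacking Header", "Medium")
    return None


def check_csp(resp):
    if is_html(resp) and "content-security-policy" not in resp.headers:
        return Alert("Content Security Policy (CSP) Header Not Set", "Medium")
    return None


def check_content_type_options(resp):
    if resp.headers.get("x-content-type-options", "").lower() != "nosniff":
        return Alert("X-Content-Type-Options Header Missing", "Low")
    return None


def check_server_banner(resp):
    server = resp.headers.get("server", "")
    if any(ch.isdigit() for ch in server):        # a version number is present
        return Alert("Server Leaks Version Information via Server Header", "Low", server)
    return None


def check_hsts(resp):
    if resp.url.startswith("https://") and "strict-transport-security" not in resp.headers:
        return Alert("Strict-Transport-Security Header Not Set", "Low")
    return None


PASSIVE_RULES = [check_anti_clickjacking, check_csp, check_content_type_options,
                 check_server_banner, check_hsts]


def passive_scan(resp):
    """Run every rule over one response; no extra requests are sent."""
    return [a for a in (rule(resp) for rule in PASSIVE_RULES) if a is not None]


# Constructed sample responses (not captured from any real site).
WEAK_RAW = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Server: Apache/2.4.57\r\n"
    "Set-Cookie: session=abc123\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)
HARDENED_RAW = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Server: Apache\r\n"
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)


def scan_sample():
    return passive_scan(parse_raw_response("https://app.example.test/", WEAK_RAW))


def scan_hardened():
    return passive_scan(parse_raw_response("https://app.example.test/", HARDENED_RAW))


if __name__ == "__main__":
    for alert in scan_sample():
        print(f"[{alert.risk}] {alert.name} {alert.evidence}".rstrip())
    print("hardened response alerts:", len(scan_hardened()))
```

The weak response produces five alerts; the hardened one, which carries a CSP with frame-ancestors, nosniff, HSTS and a version-free Server banner, produces none. A JSON API response with no text/html content type would skip the two framing-related rules, which is the kind of context awareness the text credits with reducing false positives.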
The scanning process begins with spidering: ZAP's automated crawlers map the application's URL structure into the Sites tree. Three crawlers are available: the traditional Spider, the AJAX Spider for dynamic content, and the Client Spider (introduced in ZAP 2.16.0 in January 2025), which uses browser extensions for enhanced crawling of JavaScript-heavy applications. Targeted scans then run against the discovered endpoints. Authenticated testing is supported via contexts, which manage user sessions and scope scans to specific applications, thereby reducing irrelevant alerts and false positives.[40][41][42][43][44] Upon completion, scans generate detailed reports in HTML or XML formats, categorizing alerts by risk levels (high, medium, low, or informational) and confidence scores (high, medium, or low), with each alert providing remediation guidance such as specific coding practices or configuration fixes. ZAP's rules are housed in community-maintained add-ons, allowing frequent updates to incorporate new threats and refinements that further minimize false positives through improved context awareness and rule logic.[45][46][47]
Advanced Capabilities
Fuzzing and Scripting
ZAP's Fuzzer tool enables users to perform targeted fuzz testing by generating and sending variable payloads to web application inputs, such as form fields or API parameters, to detect crashes, anomalies, or security flaws like injection vulnerabilities.[48] Users initiate fuzzing by right-clicking on a captured request in the Sites or History tab, selecting a location to fuzz (e.g., a parameter value), and adding payloads from built-in lists, add-on files, or custom generators.[48] This process supports payloads sourced from external files, such as fuzz databases, or dynamically created via scripts, allowing for flexible testing of inputs against unexpected or malformed data.[49] The tool includes processors to refine fuzzing: payload processors modify individual payloads before transmission, location processors adjust the fuzzing site across requests, and message processors alter entire HTTP messages or control execution flow.[50] Results are displayed in a dedicated Fuzzer tab, where users manually review responses for indicators of vulnerabilities, such as error messages or behavioral changes, with options to follow redirects and search for specific strings.[51] ZAP tracks fuzzing outcomes through result entries that include response details, enabling identification of anomalies like unusual error rates or deviations in response patterns, though effectiveness depends on manual payload tuning to avoid false positives or exhaustive resource use.[52] Complementing fuzzing, ZAP's scripting engine allows customization of security assessments through embeddable scripts that access internal data structures and extend core functionality.[53] It supports languages compliant with JSR 223, including JavaScript (via GraalVM), Python, Ruby, and the Zest domain-specific language, which uses a JSON-based format for graphical editing and recording.[53][54] Zest scripts, originally developed by Mozilla for web security tools, facilitate recording of interactions via ZAP's toolbar or browser extensions, supporting stand-alone scripts and authentication types like TOTP handling.[55] Script types include active and passive scanner rules for custom vulnerability detection, HTTP sender scripts for intercepting and modifying traffic, proxy scripts for inline request/response alterations, and extender scripts for adding GUI elements or API endpoints.[53] Common use cases involve automating multi-step attacks, such as chaining authentication sequences with payload injections, or integrating with external tools via stand-alone or targeted scripts run against specific URLs.[56] For instance, authentication scripts manage session handling in complex environments, while targeted scripts enable replay of fuzz-like attacks with scripted variations.[53] While powerful for tailored testing, both fuzzing and scripting are resource-intensive, particularly with large payload sets or complex scripts, requiring users to configure options like thread counts and timeouts to balance thoroughness and performance.[57] Scripts execute under ZAP's permissions, necessitating caution against untrusted code, and Zest's recording is limited to stand-alone types, with other scripts built manually or via templates.[55]
API and Automation Integration
ZAP provides a comprehensive RESTful API that enables programmatic interaction with its scanning and analysis capabilities, allowing integration into automated workflows beyond the graphical user interface. The API supports JSON, HTML, and XML formats and is accessible via HTTP requests, typically on the default port 8080 at localhost, with access restricted to the local machine unless configured otherwise. Key functionalities include managing sessions through endpoints like /JSON/core/action/newSession for creating new sessions, /JSON/core/action/loadSession for importing existing ones, and /JSON/core/action/saveSession for exporting sessions. Additionally, report generation is facilitated by endpoints such as /JSON/core/other/htmlreport for HTML outputs, /JSON/core/other/jsonreport for JSON alerts, and /JSON/core/other/xmlreport for XML formats, enabling automated extraction of scan results.[58][59]
Central to automation are the site-mapping and scanning endpoints, which allow for dynamic exploration and vulnerability assessment. For instance, /JSON/core/view/urls retrieves a list of discovered URLs, providing a site map for further analysis, while /JSON/ascan/action/scan initiates active scans on specified URLs or contexts, with parameters for recursion, scope limitation, and policy selection to control the scan's depth and focus. These endpoints support JSON-based authentication and can be invoked with query parameters or POST requests, making them suitable for scripting in languages like Python or Java via official client libraries. The API's structure, organized into components like core for general operations and ascan for active scanning, ensures modular access to ZAP's features.[59][58]
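To make the endpoint layout in the two paragraphs above concrete, here is an added example of a minimal standard-library client for the JSON API (it is not ZAP's official Python client library). It builds URLs of the component/kind/name form the text describes (core/action/newSession, core/view/urls, ascan/action/scan), sends the API key in the X-ZAP-API-Key header, and then post-processes a jsonreport document into per-risk counts with a simple pass/fail gate of the kind a pipeline would apply. The report document below is constructed in the shape of ZAP's JSON report, not taken from a real scan; the localhost:8080 base is the default from the text, and `opener` is an injectable hook so the parsing can be exercised without a running ZAP.

```python
"""Minimal client for the ZAP JSON API endpoints named in the text, using only
the standard library. Added example; not ZAP's official client library."""
import json
import urllib.parse
import urllib.request

ZAP_BASE = "http://localhost:8080"          # ZAP's default listener (from the text)
RISK_NAMES = {"0": "Informational", "1": "Low", "2": "Medium", "3": "High"}


def api_url(component, kind, name, params=None, base=ZAP_BASE):
    """Build e.g. http://localhost:8080/JSON/ascan/action/scan?url=...&recurse=true"""
    url = f"{base}/JSON/{component}/{kind}/{name}"
    if params:
        url += "?" + urllib.parse.urlencode(params)
    return url


def call(url, api_key, opener=urllib.request.urlopen):
    """GET the URL with ZAP's X-ZAP-API-Key header and decode the JSON body.
    `opener` is injectable so the client can be tested without a live ZAP."""
    req = urllib.request.Request(url, headers={"X-ZAP-API-Key": api_key})
    with opener(req) as resp:
        return json.loads(resp.read().decode())


def new_session(api_key, name, **kw):
    return call(api_url("core", "action", "newSession", {"name": name}), api_key, **kw)


def discovered_urls(api_key, **kw):
    """Site map as seen by ZAP: the list behind /JSON/core/view/urls."""
    return call(api_url("core", "view", "urls"), api_key, **kw).get("urls", [])


def start_active_scan(api_key, target, recurse=True, **kw):
    """Kick off /JSON/ascan/action/scan and return the scan id ZAP hands back."""
    params = {"url": target, "recurse": str(recurse).lower()}
    return call(api_url("ascan", "action", "scan", params), api_key, **kw).get("scan")


def summarize_report(report):
    """Count alerts per risk level in a /JSON/core/other/jsonreport document."""
    counts = {level: 0 for level in RISK_NAMES.values()}
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            counts[RISK_NAMES[alert["riskcode"]]] += 1
    return counts


def gate(report, fail_on="High"):
    """Pipeline gate: True when any alert at or above `fail_on` is present."""
    order = list(RISK_NAMES.values())             # Informational .. High
    counts = summarize_report(report)
    return any(counts[level] for level in order[order.index(fail_on):])


# Constructed sample in the shape of ZAP's JSON report (not from a real scan).
SAMPLE_REPORT = {
    "@version": "2.16.1",
    "site": [{
        "@name": "https://app.example.test",
        "alerts": [
            {"alert": "SQL Injection", "riskcode": "3", "confidence": "2", "count": "1"},
            {"alert": "Missing Anti-clickjacking Header", "riskcode": "2", "confidence": "2", "count": "4"},
            {"alert": "X-Content-Type-Options Header Missing", "riskcode": "1", "confidence": "2", "count": "9"},
        ],
    }],
}

if __name__ == "__main__":
    print(api_url("core", "action", "newSession", {"name": "ci-run"}))
    print(summarize_report(SAMPLE_REPORT))
    print("fail build:", gate(SAMPLE_REPORT, fail_on="High"))
```

Against a live ZAP the same functions would be called in order: `new_session`, spider or proxy traffic into the session, `start_active_scan`, poll until complete, fetch the jsonreport and run `gate` on it to set the pipeline's exit status.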
Complementing the API is ZAP's Automation Framework, which uses YAML-based configuration files to define headless execution plans for scans, including spidering, active scanning, and report generation. These plans can be generated automatically via command-line options like -autogenmin for minimal setups or -autogenmax for comprehensive ones, and executed in non-interactive mode using -cmd -autorun <plan.yaml>, allowing ZAP to run without the desktop UI and exit with configurable status codes for pipeline integration. The framework supports Docker environments through official images, facilitating deployment in CI/CD pipelines such as Jenkins—where scripts invoke ZAP commands—or GitHub Actions, where YAML plans trigger baseline or full scans on code changes. This enables automated security testing in DevSecOps practices, such as running lightweight baseline scans during pull requests to detect regressions early.[60][16]
A notable capability for API-focused security is the support for importing OpenAPI (Swagger) definitions, introduced in version 2.9 in 2018, which allows ZAP to spider and scan RESTful APIs defined in versions 1.2, 2.0, and 3.0 formats. Users can import definitions via file or URL using actions like openapi.action.importFile or openapi.action.importUrl, generating structural nodes for endpoints and parameters to enable targeted fuzzing and vulnerability detection in API-specific contexts. This integration enhances automation for modern microservices architectures, where API endpoints are proactively explored and tested within the same YAML plans or API calls. Scripting within ZAP provides a complementary method for custom in-tool automation, but the API and framework emphasize external pipeline orchestration.[61][62]
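The import step above turns an OpenAPI definition into "structural nodes for endpoints and parameters" before anything is scanned. The following added example (not the code of ZAP's openapi add-on) shows the enumeration an importer has to perform on an OpenAPI 3.0 document: walk every path, merge path-level and operation-level parameters, note which operations carry a request body, and produce concrete request targets with placeholder values substituted for path and query parameters. The definition is a constructed one for a fictional service, and the placeholder values are this example's own convention.

```python
"""Enumerating the operations of an OpenAPI 3.0 definition the way an importer
must before it can build scan targets. Added example; not ZAP's openapi add-on."""
import json

# Constructed OpenAPI 3.0 definition (not a real service).
SAMPLE_SPEC = json.loads("""{
  "openapi": "3.0.0",
  "info": {"title": "Orders API", "version": "1.0"},
  "servers": [{"url": "https://api.example.test/v1"}],
  "paths": {
    "/orders": {
      "get": {"parameters": [{"name": "status", "in": "query", "schema": {"type": "string"}}]},
      "post": {"requestBody": {"content": {"application/json": {"schema": {"type": "object"}}}}}
    },
    "/orders/{orderId}": {
      "parameters": [{"name": "orderId", "in": "path", "required": true, "schema": {"type": "integer"}}],
      "get": {},
      "delete": {"parameters": [{"name": "X-Request-Id", "in": "header", "schema": {"type": "string"}}]}
    }
  }
}""")

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}
# Placeholder values per schema type (this example's own convention).
PLACEHOLDERS = {"integer": "1", "number": "1", "boolean": "true", "string": "placeholder"}


def enumerate_operations(spec):
    """One record per (method, path); path-level parameters are inherited by
    every operation and overridden by operation-level ones with the same name/in."""
    ops = []
    for path, item in spec.get("paths", {}).items():
        shared = item.get("parameters", [])
        for method, op in item.items():
            if method not in HTTP_METHODS:        # skips "parameters", "summary", ...
                continue
            params = {(p["name"], p["in"]): p for p in shared}
            params.update({(p["name"], p["in"]): p for p in op.get("parameters", [])})
            ops.append({
                "method": method.upper(),
                "path": path,
                "params": sorted(params.values(), key=lambda p: (p["in"], p["name"])),
                "has_body": "requestBody" in op,
            })
    return ops


def placeholder_for(param):
    return PLACEHOLDERS.get(param.get("schema", {}).get("type", "string"), "placeholder")


def build_request_targets(spec):
    """Concrete (METHOD, URL) pairs with path and query parameters filled in."""
    base = spec["servers"][0]["url"].rstrip("/")
    targets = []
    for op in enumerate_operations(spec):
        url = op["path"]
        query = []
        for p in op["params"]:
            if p["in"] == "path":
                url = url.replace("{" + p["name"] + "}", placeholder_for(p))
            elif p["in"] == "query":
                query.append(f'{p["name"]}={placeholder_for(p)}')
        if query:
            url += "?" + "&".join(query)
        targets.append((op["method"], base + url))
    return targets


if __name__ == "__main__":
    for op in enumerate_operations(SAMPLE_SPEC):
        names = ", ".join(f'{p["name"]}({p["in"]})' for p in op["params"])
        print(f'{op["method"]:6} {op["path"]:20} params=[{names}] body={op["has_body"]}')
    for method, url in build_request_targets(SAMPLE_SPEC):
        print(method, url)
```

Header parameters are kept in the operation record but not placed in the URL, since they belong in the request itself; a real importer would also walk the request body schema to seed form or JSON fields, which is what makes the later targeted fuzzing possible.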