Getting Started with OWASP ZAP: A Practical Security Scanning Guide

Written by the Rafter Team

OWASP ZAP (Zed Attack Proxy) is one of the most widely used open source DAST scanners for finding vulnerabilities in running web applications. It intercepts traffic between your browser and your application, spiders every reachable page, and can launch thousands of attack payloads to uncover injection flaws, broken authentication, misconfigurations, and other security issues that only surface at runtime.
Whether you are testing a staging environment manually or running automated scans in CI/CD, ZAP gives you a free, extensible toolkit that competes with commercial alternatives. This guide walks you through installation, core scanning workflows, authenticated testing, and pipeline integration.
ZAP active scans send real attack payloads. Never run an active scan against a production system you do not own or have explicit authorization to test. Active scanning can corrupt data, trigger alerts, and violate terms of service. Always scan staging or dedicated test environments.
Install ZAP
ZAP runs on Windows, macOS, and Linux. The fastest path is the Docker image:
docker pull ghcr.io/zaproxy/zaproxy:stable
Alternatively, download the installer from the official OWASP ZAP site. ZAP requires Java 17 or later. The Docker image bundles everything you need.
Spider Your Application
Before ZAP can test for vulnerabilities, it needs to discover your application's attack surface. The spider crawls links, submits forms, and maps every URL and parameter it finds.
The packaged baseline script runs the spider and then only passive checks. Launch it from the command line:
docker run -t ghcr.io/zaproxy/zaproxy:stable zap-baseline.py \
-t https://your-staging-app.example.com
The baseline scan spiders the target (for one minute by default; raise that with -m), checks the resulting traffic for passive issues such as missing security headers and insecure cookie flags, and prints a report. It sends no active attack payloads, which makes it the right first pass. It still crawls and submits the forms it finds, so even a baseline scan belongs on staging rather than production.
Run an Active Scan
Active scanning goes further. ZAP injects SQL injection strings, XSS payloads, path traversal sequences, and other malicious inputs into every discovered parameter. It then analyzes responses for evidence of exploitable behavior.
docker run -t ghcr.io/zaproxy/zaproxy:stable zap-full-scan.py \
-t https://your-staging-app.example.com
Active scans take longer than baseline scans. Expect anywhere from a few minutes to several hours depending on the size of your application.
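A script that ties the baseline and full scans above together, added here as an example and not part of ZAP or of this guide: it writes a rule file for the scripts' -c option so that chosen rules FAIL instead of the default WARN, runs the baseline scan, and runs the full scan only if the baseline completed, with reports kept on the host. It assumes Docker is installed and that you are authorized to actively scan the target you pass in. The rule ids are ZAP's real rule ids; which ones to fail on is an illustrative choice.

```shell
#!/bin/sh
# Added example, not part of ZAP or of this guide. Runs the packaged baseline
# scan and, if it completed, the full (active) scan, keeping reports and a rule
# file on the host. Assumes Docker is installed and that you are authorized to
# actively scan the target you pass in (a staging host, never production).
set -eu

IMAGE="ghcr.io/zaproxy/zaproxy:stable"

# Map the exit code of zap-baseline.py / zap-full-scan.py to a verdict:
# 0 = no WARN or FAIL, 1 = at least one FAIL, 2 = at least one WARN and no
# FAIL, anything else = the scan itself did not complete (bad target, timeout).
zap_verdict() {
    case "$1" in
        0) echo pass ;;
        1) echo fail ;;
        2) echo warn ;;
        *) echo error ;;
    esac
}

# Write a rule file for the -c option, in the format zap-baseline.py -g
# generates: <rule id> TAB <IGNORE|INFO|WARN|FAIL> TAB (<comment>). Only the
# id and level are used. Unlisted rules keep the default WARN, which can only
# produce exit code 2; marking a rule FAIL is what produces exit code 1.
# Which rules to fail on is illustrative; the ids are ZAP's real rule ids.
write_rules() {
    {
        printf '# zap-baseline rule configuration file (id TAB level TAB comment)\n'
        printf '%s\t%s\t%s\n' \
            10021 FAIL '(X-Content-Type-Options Header Missing)' \
            10038 FAIL '(Content Security Policy (CSP) Header Not Set)' \
            10035 FAIL '(Strict-Transport-Security Header Not Set)' \
            40018 FAIL '(SQL Injection - active rule, only reached by zap-full-scan.py)' \
            40012 FAIL '(Cross Site Scripting (Reflected) - active rule)' \
            10015 IGNORE '(Re-examine Cache-control Directives - triaged, accepted)'
    } > "$1"
}

# Run one packaged scan script in the container. $1 = script, $2 = target,
# remaining arguments go to the script. The current directory is mounted as
# /zap/wrk, which is where -c reads from and -r/-J write to.
run_scan() {
    script="$1"; target="$2"; shift 2
    docker run --rm -t -v "$PWD:/zap/wrk/:rw" "$IMAGE" \
        "$script" -t "$target" "$@"
}

main() {
    target="$1"
    write_rules rules.tsv

    # -m 5: spider for up to 5 minutes (default is 1); -r/-J: HTML and JSON reports
    rc=0
    run_scan zap-baseline.py "$target" -m 5 -c rules.tsv -r baseline.html -J baseline.json || rc=$?
    verdict=$(zap_verdict "$rc")
    echo "baseline scan: $verdict (exit $rc)"
    if [ "$verdict" = error ]; then
        echo "baseline scan did not complete; not starting the active scan" >&2
        return 1
    fi

    # Same rule file: its active-rule entries now apply as well.
    rc=0
    run_scan zap-full-scan.py "$target" -m 5 -c rules.tsv -r full.html -J full.json || rc=$?
    verdict=$(zap_verdict "$rc")
    echo "full scan: $verdict (exit $rc)"
    # WARN-only results pass; any FAIL-level rule match or a broken scan fails the build.
    [ "$verdict" != fail ] && [ "$verdict" != error ]
}

# Usage: sh zap-scan.sh https://your-staging-app.example.com
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Without a rule file every rule defaults to WARN, so the scripts can only ever exit 2 (or 0 with -I); the -c file is what turns a finding into exit code 1. The same file is accepted by zap-full-scan.py, whose generated configuration also lists the active rules, so 40018 fails the build once the active scan confirms an injection point.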
Authenticated Scanning
Unauthenticated scans only test publicly accessible pages. Most of your application lives behind login. ZAP supports authenticated scanning through recorded authentication sequences, form-based login, and header-based token injection.
Configure authentication in ZAP by defining a context with your login URL, credential parameters, and a logged-in indicator (a string or regex that appears only when authenticated; a logged-out indicator works the same way in reverse). ZAP checks the indicator on responses to notice when the session has expired and re-authenticates before continuing. Exclude the logout URL from the context, otherwise the spider will follow it and end the session it just established. This lets ZAP maintain a valid session while spidering and scanning protected routes.
Authenticated scans dramatically increase coverage. If you skip them, you are testing the front door while ignoring the rest of the building.
Automation Framework for CI/CD
ZAP's automation framework lets you define scan configurations as YAML files and run them in your pipeline. A typical automation plan includes environment setup, spidering, active scanning, and report generation.
env:
  contexts:
    - name: my-app
      urls:
        - https://your-staging-app.example.com
jobs:
  - type: spider
    parameters:
      maxDuration: 5
  - type: activeScan
    parameters:
      maxRuleDurationInMins: 10
  - type: report
    parameters:
      template: traditional-html
Run the plan with the current directory mounted as /zap/wrk, so the container can read plan.yaml and any reports written there outlive the container:
docker run -v $(pwd):/zap/wrk/:rw ghcr.io/zaproxy/zaproxy:stable \
zap.sh -cmd -autorun /zap/wrk/plan.yaml
Fail your build when ZAP finds high-severity alerts. With zap.sh -cmd -autorun the container's exit code is whatever the plan sets, so include an exitStatus job that maps the alert levels found to an exit code; a plan with only spider, activeScan and report jobs exits 0 whenever those jobs ran, whatever they found. This catches DAST-detectable vulnerabilities before they reach production.
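An automation plan that combines the authenticated-scanning setup and the build-failing exit code described above, wrapped in a script that writes and runs it. This is an added example, not the ZAP project's code and not part of the original guide. It assumes a login form that POSTs username and password fields to /login, a "Logout" link visible only while logged in, a test account whose password is supplied in the TEST_PASSWORD environment variable, Docker on the build agent, and authorization to actively scan the staging host. All URLs, field names and the user name are placeholders.

```shell
#!/bin/sh
# Added example, not the ZAP project's code or part of the original guide.
# Writes an automation framework plan with form-based authentication and an
# exitStatus job, then runs it in the Docker image. Assumes: Docker installed,
# a login form that POSTs username and password fields to /login, a "Logout"
# link visible only while logged in, a test account whose password is in the
# TEST_PASSWORD environment variable, and authorization to actively scan the
# staging host. URLs, field names and the user name are placeholders.
set -eu

IMAGE="ghcr.io/zaproxy/zaproxy:stable"

# Write the plan to $1. ${TEST_PASSWORD} is left unexpanded (quoted heredoc)
# so the automation framework substitutes it from the container environment at
# load time and the secret never appears in the file or the build log.
write_plan() {
    cat > "$1" <<'EOF'
env:
  contexts:
    - name: my-app
      urls:
        - https://your-staging-app.example.com
      includePaths:
        - https://your-staging-app.example.com.*
      excludePaths:
        # Never let the spider follow the logout link or it ends its own session.
        - https://your-staging-app.example.com/logout.*
      authentication:
        method: form
        parameters:
          loginPageUrl: https://your-staging-app.example.com/login
          loginRequestUrl: https://your-staging-app.example.com/login
          loginRequestBody: 'username={%username%}&password={%password%}'
        verification:
          method: response
          loggedInRegex: '\QLogout\E'
          loggedOutRegex: '\QLogin\E'
      sessionManagement:
        method: cookie
      users:
        - name: test-user
          credentials:
            username: zap-tester
            password: ${TEST_PASSWORD}
  parameters:
    failOnError: true
    failOnWarning: false
    progressToStdout: true
jobs:
  - type: spider
    parameters:
      context: my-app
      user: test-user
      maxDuration: 5
  - type: passiveScan-wait
    parameters:
      maxDuration: 5
  - type: activeScan
    parameters:
      context: my-app
      user: test-user
      maxRuleDurationInMins: 10
  - type: report
    parameters:
      template: traditional-html
      reportDir: /zap/wrk
      reportFile: zap-report.html
  - type: exitStatus
    parameters:
      errorLevel: High
      warnLevel: Medium
EOF
}

# Run a plan that lives in the current directory. -e TEST_PASSWORD passes the
# host variable through without putting its value on the command line.
# zap.sh -cmd -autorun exits with the code the exitStatus job chose:
# 1 if any High alert, 2 if any Medium alert, 0 otherwise.
run_plan() {
    docker run --rm -t -v "$PWD:/zap/wrk/:rw" -e TEST_PASSWORD "$IMAGE" \
        zap.sh -cmd -autorun "/zap/wrk/$1"
}

# Usage: TEST_PASSWORD='...' sh zap-auth-scan.sh run
if [ "${1:-}" = run ]; then
    : "${TEST_PASSWORD:?set TEST_PASSWORD to the test account password}"
    write_plan plan.yaml
    run_plan plan.yaml
fi
```

The passiveScan-wait job is there because passive rules run asynchronously on the traffic the spider generates; without it the report and exit status can be computed before the passive scanner has finished. Treating Medium alerts as a warning (exit 2) rather than an error keeps the build green while still surfacing them in the log; tighten warnLevel once the backlog is clean.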
Add Rafter to your pipeline — combine SAST and DAST coverage to catch vulnerabilities across your entire stack.
Interpreting Alerts
ZAP classifies findings by risk level: High, Medium, Low, and Informational, and separately by confidence: High, Medium, Low, or False Positive. Risk is set by the rule; confidence reflects how strong the evidence was for that particular response. Each alert includes the vulnerable URL, the parameter and payload that triggered it (for active-scan findings; passive findings have no payload), evidence from the response, and a CWE reference.
Focus on High and Medium risk alerts first, starting with those reported at High or Medium confidence. Cross-reference findings with your OWASP testing checklist to prioritize remediation. False positives are common in active scanning, so reproduce each finding by replaying the recorded request before committing engineering time.
Start scanning your repositories with Rafter — get automated SAST results alongside your ZAP findings for complete application security coverage.