OWASP ZAP
The open-source web app security scanner (DAST) — proxy, spider, active/passive scanning and a baseline you can CI
⚡ TL;DR
🎯 The Problem It Solves
You ship a web app and need to catch the easy wins — missing headers, reflected XSS, exposed admin panels — before an attacker does. ZAP is the free, OWASP-backed alternative to Burp Pro for dynamic testing: proxy your traffic, spider the app, and let it flag what\'s misconfigured.
🔧 How It Works
ZAP sits as a local proxy (or as a daemon/CI job). You browse through it (or feed it a URL to spider), and it passively analyzes traffic while you work. Then active scanning sends crafted requests to find vulnerabilities. It has an API, a headless \'baseline\' and \'full\' scan mode for pipelines, and a marketplace of add-ons (including an AI helper) for extra coverage.
🚀 Installation & Quick Start
Installation
Download from zaproxy.org/download\n# Available for Linux, macOS, Windows\n# Requires Java 11+\n# Docker: docker pull owasp/zap2docker-stableQuick Start
- Run it: docker run -u zap -p 8080:8080 ghcr.io/zaproxy/zaproxy:stable zap.sh -daemon
- Or desktop: download ZAP and launch the Quick Start 'Automated Scan'
- Point it at a URL and let the spider + passive scan run
- Right-click a node -> 'Attack' -> 'Active Scan' for deeper testing
- CI mode: zap-baseline.py -t https://example.com -r report.html
✅ Pros
- •Genuinely free and OWASP-governed — no license ceiling
- •Great for CI: baseline scan as a merge gate
- •Approachable for DevSecOps, not just pentesters
- •Extensible via a large add-on ecosystem
❌ Cons
- •Not a replacement for Burp Suite Pro's scanner on hard targets
- •Proxy setup and scope config trip up first-timers
- •False positives need triage; active scans can be slow
- •Modern SPAs (heavy JS) need the AJAX spider / authenticated scans configured
💬 Practitioner Verdict
"ZAP is the right default for free, repeatable DAST — especially in CI. It won\'t replace a seasoned tester with Burp Pro on a gnarly app, but for catching the 80% of easy misconfigurations automatically, it\'s the best free option by far."
📊 Specifications
- Language
- Java
- License
- Apache-2.0
- Platform
- Linux, macOS, Windows
- Kill Chain
- Vulnerability Analysis
- MITRE ATT&CK
- T1190
💰 Pricing Reality
Free and open source (Apache-2.0). The ZAP project is funded by donations and orgs like Crashtest Security; no paid \'Pro\' gate on core features.