🔒SecurityRepoIndex

OWASP ZAP

The open-source web app security scanner (DAST) — proxy, spider, active/passive scanning and a baseline you can CI

4.4/ 515,391 GitHub starsJavaApache-2.0

⚡ TL;DR

What
The open-source web app security scanner (DAST) — proxy, spider, active/passive scanning and a baseline you can CI
Who
Web app pentesters, AppSec/DevSecOps teams, Security engineers in CI, SMBs without a Burp Pro license
Catch
Not a replacement for Burp Suite Pro's scanner on hard targets
Verdict
⭐⭐⭐⭐ Essential

🎯 The Problem It Solves

You ship a web app and need to catch the easy wins — missing headers, reflected XSS, exposed admin panels — before an attacker does. ZAP is the free, OWASP-backed alternative to Burp Pro for dynamic testing: proxy your traffic, spider the app, and let it flag what\'s misconfigured.

🔧 How It Works

ZAP sits as a local proxy (or as a daemon/CI job). You browse through it (or feed it a URL to spider), and it passively analyzes traffic while you work. Then active scanning sends crafted requests to find vulnerabilities. It has an API, a headless \'baseline\' and \'full\' scan mode for pipelines, and a marketplace of add-ons (including an AI helper) for extra coverage.

🚀 Installation & Quick Start

Installation

Download from zaproxy.org/download\n# Available for Linux, macOS, Windows\n# Requires Java 11+\n# Docker: docker pull owasp/zap2docker-stable

Quick Start

  1. Run it: docker run -u zap -p 8080:8080 ghcr.io/zaproxy/zaproxy:stable zap.sh -daemon
  2. Or desktop: download ZAP and launch the Quick Start 'Automated Scan'
  3. Point it at a URL and let the spider + passive scan run
  4. Right-click a node -> 'Attack' -> 'Active Scan' for deeper testing
  5. CI mode: zap-baseline.py -t https://example.com -r report.html

✅ Pros

  • Genuinely free and OWASP-governed — no license ceiling
  • Great for CI: baseline scan as a merge gate
  • Approachable for DevSecOps, not just pentesters
  • Extensible via a large add-on ecosystem

❌ Cons

  • Not a replacement for Burp Suite Pro's scanner on hard targets
  • Proxy setup and scope config trip up first-timers
  • False positives need triage; active scans can be slow
  • Modern SPAs (heavy JS) need the AJAX spider / authenticated scans configured

💬 Practitioner Verdict

"ZAP is the right default for free, repeatable DAST — especially in CI. It won\'t replace a seasoned tester with Burp Pro on a gnarly app, but for catching the 80% of easy misconfigurations automatically, it\'s the best free option by far."
Emmanuel, Security Reviewer

📊 Specifications

Language
Java
License
Apache-2.0
Platform
Linux, macOS, Windows
Kill Chain
Vulnerability Analysis
MITRE ATT&CK
T1190

💰 Pricing Reality

Free and open source (Apache-2.0). The ZAP project is funded by donations and orgs like Crashtest Security; no paid \'Pro\' gate on core features.

👥 Community Health

Stars15,391
Forks2,592
Contributors236
Health Score8.7/10

🏷️ Tags

Web ScanningOpen SourceFree

🔗 Similar Tools