Are you having difficulty finding an OWASP ZAP tutorial that shows you how to use it effectively?
ZAP is an extremely powerful tool for comprehensive testing. It's often used by those who want to thoroughly examine a web application.
In this tutorial, we’ll guide you through setting it up and show you an overview of its main interface and some of its features. We’ll briefly discuss ZAP vs. Burp Suite and show you how to perform testing with ZAP.
We’ll show you how to use spidering, passive and active scanning, and give you a solid start on using ZAP. As you gain confidence, you’ll be able to discover some of its other tools.
If you’re ready to learn how to use ZAP, let’s start.
What Is ZAP?
Zed Attack Proxy (ZAP) is an open-source penetration testing tool formerly known as OWASP ZAP. It’s a versatile tool often utilized by penetration testers, bug bounty hunters, and developers to scan web apps for security risks during the web app testing process.
ZAP offers many features, such as active and passive scanning and API testing capabilities.
At its core, it’s a manipulator-in-the-middle proxy. It allows you to see all of the requests you make to a web app and all the responses you receive from it, enabling you to identify vulnerabilities and potential attack vectors in real time.
By intercepting and modifying the traffic between your browser and the web application, ZAP helps you understand how the application behaves under different scenarios and conditions.
ZAP can be installed on Windows, Linux, and macOS. Docker images are also available. We’ll show you how to install it on Kali Linux.
ZAP Open-Source Project
ZAP recently joined the Software Security Project (SSP) as one of its founding projects. Despite being free and open-sourced, ZAP has grown into the world’s most popular web scanner and directly competes with commercial projects.
We spoke with Simon Bennetts, the project's founder, who acknowledged: "We're competing with commercial companies with hundreds of full-time staff… So it's hard."
ZAP is a non-profit company run full-time by Bennetts and supported by a small team of hardworking volunteers.
Recognizing this challenge, Bennetts stated: "We're always looking for people to contribute—ZAP is a community project." This call for community participation speaks volumes about ZAP's collaborative approach. See ZAP’s contributing guide for ways to get involved.
The project relies on sponsors to raise money, and the Crash Override Open Source Fellowship supports its development; ZAP will, however, remain independent.
ZAP encourages users to join the Software Security Project (SSP) to help fund ZAP and other important open-source security projects.
ZAP by the numbers.
| Number of Times ZAP was Started | 4,708,566 |
| Number of Active Scans | 922,722 |
| Number of Alerts Raised | 1,123,926,095 |
| Number of Active Scan Messages Sent | 3,274,968,334 |
ZAP vs. Burp Suite
ZAP and Burp Suite are similar web application security testing tools. However, ZAP is faster and lighter than Burp Suite, and it’s open-source and free.
Burp Suite's free community edition can be restrictive in its functionality. It has a paid version with more advanced features, but many of these tools are already included in ZAP.
For example, Burp Suite’s automated scan feature is only available in its pro tier, whereas ZAP has this same functionality called “ATTACK Mode.”
Burp Suite has an intruder tool, although it’s limited to single-threading. ZAP has an equivalent called “Fuzzer.”
ZAP also has features not found in Burp Suite, such as an automation framework that allows you to control ZAP via one YAML file and a heads-up display (HUD). With the HUD, you can use your favorite ZAP features in the browser.
Here’s a feature map that maps Burp features to ZAP equivalents.
| Burp Suite | ZAP |
| Collaborator (Community) | OAST Support Add-on |
| Comparer | Diff |
| Decoder | Encoder |
| DOM Invader | Eval Villian Add-on |
| Extender | Marketplace, Scripts |
| Intercept | Breakpoints |
| Intruder (Throttled) | Fuzzer |
| Live scan (Community) | ATTACK Mode |
| Project Files (Community) | Session Files |
| Proxy | Proxy |
| Repeater | Manual Request Editor, Requestor Add-on |
| Scanner (Community) | Active Scanner |
| Sequencer | Token Generation and Analysis |
| Target | Contexts |
Setting Up Your Zed Attack Proxy on Kali Linux
Let’s go through the start-to-finish process of getting ZAP up and running.
Installing ZAP on Kali Linux
ZAP is not installed in the current version of Kali, which is 2024.1 at the time of this writing. However, it can be easily installed.
Before installation, always update the repositories to ensure the most up-to-date version is installed by entering sudo apt update—y.
Once finished, you can install ZAP with the command:
sudo apt install zaproxy
Setting Up Your Proxy
You don't need to set a proxy such as FoxyProxy for your browser like in Burp Suite, as ZAP handles all of this. Bennetts tells us that “it’s best to let ZAP launch them.”
The “Browser Launch” feature is automatically configured to work via ZAP and ignore certificate warnings, making it much easier to get up and running without changing settings. This lets you quickly start testing web apps for vulnerabilities without extra setup or configuration. Simply start ZAP, and you’ll be ready to go.
However, if you want to use any of your browsers with an existing profile, such as other browser add-ons installed, you must manually configure your browser to proxy via ZAP and import and trust the ZAP Root CA Certificate.
We’ll show you how to set this up on Firefox in Kali.
The first thing you need to do is download the FoxyProxy addon.
Next, open FoxyProxy so we can configure it.
From here, head to the proxies tab and enter the following information.
Title: ZAP
Type: HTTP
Hostname: 127.0.0.1
Port: 8080
Once finished, click “Save.”
Whenever you want to proxy traffic through ZAP, head to the addon and select “ZAP.”
Install ZAP Certificate
If you don't use ZAP's built-in browser function, you'll need to manually set up the certificate on your browser. If you try accessing any site running SSL/TLS while using your browser outside of ZAP, you must configure it to use ZAP's CA root certificate to avoid any certificate warnings.
ZAP recommends you launch your browser through the “Quick Start” area, but if you’d rather configure your browser manually, here’s how to install the certificate. We’re installing ours in Firefox.
First, with ZAP running and your FoxyProxy enabled to use ZAP, head to http://zap. Once there, select “Download” to download the certificate to your system.
Now, go to your Firefox search bar, type about:preferences, and press enter. This will take you to the settings page. Search for “certificates,” and find the option “View Certificates.”
The “View Certificates” button lets you see all your trusted CA certificates. You can import a new certificate for ZAP by pressing “Import” and selecting the file we downloaded.
In the popup, select “Trust this CA to identify websites,” then click OK.
Any encrypted traffic will work when the ZAP proxy is turned on, allowing us to intercept requests.
Now that everything is set up, in the following section, we’ll walk you through using some of ZAP’s features. ZAP has many tools, but we won’t be able to go over all of them here. We’ll show you a few so you can get started.
Starting ZAP
You can start ZAP in Kali in one of two ways: enter zaproxy in the terminal or open it from the applications menu under “Web Application Analysis.”
When you start ZAP, you’ll see a screen asking, “Do you want to persist this ZAP session?”
Persistence will save everything to an HSQL database that you can access to view its contents or reload back into ZAP to see all of the request history, site information, etc.
We’ll be choosing “No, I do not want to persist this session at this moment in time”
ZAP Overview
Before we start using ZAP, let’s examine the main interface and show where some of the key features are located. The interface has a lot of information, but remember, ZAP does many things.
- Menu Bar: Here, you can create and manage sessions, create reports, find tools, get help, and more.
- Toolbar: Includes buttons that provide shortcuts to the most commonly used features.
- Tree Window: Displays the hierarchical view of the site you are testing and the script tree.
- Quickstart/Workspace Window: This is a quick and easy way to use ZAP, especially if you’re new. It also displays requests, responses, and scripts you can edit.
- Information Window, including:
- History tab: This shows a log of all the HTTP requests and responses sent and received through ZAP.
- Search Tab: This allows you to search through the requests and responses.
- Alerts Tab: Displays security alerts found during the scans.
- Output Tab: Provides detailed output from various scans and processes.
- Footer: Displays ZAP status information.
- Alerts Counter: This displays a summary of the alerts found. It’s color-coded (like red, yellow, etc.) to represent the severity of the alerts found during the scanning process.
- Main Proxy: This is the main proxy configuration that ZAP uses, which is set to "localhost:8080."
- Current Scans: This section displays any currently running scans, with icons indicating their status or progress.
Update Addons
Before you begin using ZAP, you should always check for and update any addons that need to be updated. This ensures that you have the most up-to-date experience.
Press CTRL + U or use the toolbar shortcut to check for updates.
This will open the installed add-ons. Next to each add-on, you can see its version number and a brief description of its function. If a newer version of an add-on is available, you'll see “Update” to the right of the description.
You can select the ones you want to update individually, but the best way is to update everything simultaneously.
Select any add-on and “Update All” to initiate the update.
ZAP Tips
Before we begin, here are a few tips to remember when using ZAP.
Right-click everywhere and anywhere to see what options are available to you.
If you need help, you can use the thorough ZAP user guide found by pressing F1.
ZAP Spidering
The first tool we’ll show you is the standard spider in ZAP. This spider requests web pages and analyzes them for links to other pages within the same web application. This recursive process keeps going as long as new links are discovered.
The spider builds out the site tree, showing you all the pages found.
This spider is quite fast and can be used for standard apps. However, you should still consider using this spider on more modern apps in conjunction with the AJAX spider.
You can select “Spider” from the “Tools” menu or use the CTRL + ALT + S shortcut to start it.
In the following window, enter the URL of the web app you are spidering and select “Recurse.” This tells ZAP to crawl all URLs or directories from the starting URL.
Once you’re ready, select “Start Scan.”
Once the spidering is finished, you’ll see all the nodes found for the web app. The lower-right corner indicates "Nodes Added: 69," which tells us the number of new items the Spider has found and added to the Sites tree during its crawl.
ZAP AJAX Spidering
More modern apps use JavaScript, and the traditional ZAP spider doesn't really understand how to crawl these properly.
This is where the AJAX spider comes in. This spider launches a browser, clicks on things, and even fills out forms, giving you a more comprehensive web app overview. It tries to imitate a user's behavior while interacting with the application.
This spider is much slower than the standard one but works much better with today's modern apps.
To open the AJAX spider, use the “Tools” menu or the shortcut CTRL + ALT + X.
Here, you’ll set the URL of the app you want to test and the browser the spider will use. Options include Firefox, Chrome, and Safari.
You can also set advanced options. When you’re ready, select “Start Scan.”
Once the scan is finished, any nodes found will be shown in the site tree area with a red spider next to them. The AJAX spider crawled 1103 URLs compared to the standard spider's 116.
ZAP Scanning
Before we show you ZAP's scanning features, remember you should only use ZAP’s active scanning to attack an application you have explicit permission to test.
Passive Scanning
Passive scanning just involves looking at the raw requests and responses. ZAP doesn’t actually do anything; it only looks at the traffic that passes through it. It analyzes this traffic to identify potential vulnerabilities without sending any new requests.
Passive scanning is safe to use on any web application.
When you spider a site, ZAP performs a passive scan and reports any alerts in the “Alerts” tab.
We’ll look at these alerts in more detail in the next section.
Active Scanning
Active scanning attempts to find other vulnerabilities using known attacks against the selected targets. It can only find certain vulnerabilities, including XSS, SQL injection, buffer overflows, Log4Shell, and remote file inclusion.
The Active scanner cannot find logical vulnerabilities, such as broken access control.
You can set policies for your scans, although we won’t discuss that here. These policies allow you to set the threshold for the number of issues raised, and the strength options determine the number of attacks performed per parameter.
As with most tools in ZAP, you can set the options for active scanning. These include the number of hosts scanned concurrently, maximum scan duration, and whether to handle CSRF tokens.
Choose “Automated Scan” from the quick start menu to begin.
This will open up the automated scan launch screen. Here, you’ll set the URL and which spider and browser you want to use. Once you’re ready, select “Attack” to begin.
Once the scan is finished, you can find all the alerts raised by ZAP in the “Alerts” tab.
As you can see from the above screenshot, ZAP found 28 vulnerabilities organized by severity: high (red), medium (orange), low (yellow), and informational (blue).
ZAP shows you the number of vulnerabilities it has found. Let’s look closer at the SQL injection. Select the arrow next to it to see where the issue was found in the application. Then, select the URL to see detailed information about the alert.
ZAP provides quite a bit of information. On the right panel, you’ll see the URL where the alert was found and its risk and confidence level. You’ll also see a CWE and WASC ID from common software security vulnerability lists. Each vulnerability has its own ID number.
Next, you’ll see a description of the alert and how ZAP confirmed this alert. It notes the attack method used ("AND 1=1 --"). You’ll need to verify this to see if the vulnerability actually exists.
It also suggests a potential solution: do not trust client-side input and use server-side validation, such as prepared statements, to mitigate the risk.
Conclusion
In this ZAP tutorial, we’ve shown you how to get started with this powerful tool. We’ve given you an overview of some of its more popular features and showed you how to get started testing web applications.
You should be well on your way to exploring more of ZAP's many capabilities. Remember to regularly update ZAP to access the latest features and add-ons. Keep practicing and experimenting with different settings to fully utilize the tool's capabilities.
If you want to learn more about web app testing or cyber security in general, consider joining the StationX Accelerator program. We offer you over 1000 courses and labs to practice your skills and provide career roadmaps, mentors, and mastermind groups to take you further.
Frequently Asked Questions
Level Up in Cyber Security: Join Our Membership Today!
