ZAP (Zed Attack Proxy) is an open-source web application scanner. It’s an OWASP flagship project that you can use to find vulnerabilities in a web application. Mozilla security expert Simon Bennetts gave a talk on ZAP’s HUD, which you can watch below.
Where Can You Use ZAP?
You can use ZAP on Windows, Linux, and Mac OS. You’ll have access to multiple docker images, and ZAP is suitable for beginners as well as security professionals who are working on vulnerability analysis.
You can run ZAP in desktop and daemon modes. You can also use it manually at any stage in development. It’s a great tool for automated testing.
A Quick Look at ZAP
Let me show you around the ZAP tool. ZAP gives you two options: automated testing and manual testing.
Automated Testing With ZAP
If you choose automated testing, you’ll see this window:
In this window, you’ll have to enter the IP address of the application that you want to scan and choose the spider. Spiders are programs that crawl through the application to collect whatever information they can.
Once you click the Attack button, ZAP will spider through the web application, exploring all the links it can find. It will not only scan for vulnerabilities but will also attack the web application. Make sure you use ZAP only on the web applications you have permission to use it on, or else it’ll be considered illegal.
Manual Testing With ZAP
When it comes to manual testing, you’ll have to provide the URL of the web application that you want to use ZAP on. But instead of using a spider, you’ll have to manually browse through the website. ZAP will do its job only on the web pages that you manually visit.