ZAP Overview: Open Source Application Security Testing
OWASP Zed Attack Proxy (ZAP) (sometimes referred to simply as Zed Attack Proxy or OWASP ZAP) is an open-source application security testing tool popular among software developers, enterprise security teams, and penetration testers alike. ZAP was founded in 2010 by Simon Bennetts. Since then, ZAP has grown to become one of the most popular free security tools, an industry standard, and the most widely used application security scanner.
This post provides an in-depth overview of ZAP, covering the following topics:
- What is ZAP?
- How it Works
- Use Cases for ZAP
- How to Get Started
- Alternatives to ZAP


What is OWASP ZAP?
OWASP ZAP (Zed Attack Proxy) is a popular free security tool designed to help identify security vulnerabilities in web applications. Actively maintained by an international team of volunteers, OWASP ZAP is widely used by developers, functional testers, and experienced penetration testers. This integrated penetration testing tool can automatically find security vulnerabilities in web applications, making it an essential resource for anyone involved in web app security. Additionally, OWASP ZAP supports manual security testing, allowing users to perform in-depth analysis and testing of their applications.
Specifically, ZAP is a dynamic application security testing tool, which means that it runs active tests against the running application. These tests identify potential security vulnerabilities within the application and APIs, equipping engineers with the information to fix any issues found.
One thing that sets ZAP apart from other web application security testing tools is its ability to be automated. While it is still frequently used by penetration testers or individuals running manual security tests, ZAP’s automation via its API has allowed it to be used at scale within engineering teams such as those at Facebook, Intuit, and more.
Key Features of OWASP ZAP
OWASP ZAP boasts several key features that make it a powerful tool for web application security testing:
- Scan Policy Management: OWASP ZAP allows users to create and manage scan policies tailored to the specific requirements of each application. This feature enables penetration testers to optimize the scanner according to the target application’s capabilities, ensuring thorough and efficient testing.
- ZAP Spidering: The traditional ZAP spider is a core feature that crawls web applications to identify potential vulnerabilities. This spider can be configured to target specific parts of the application and can be used in conjunction with other ZAP features to enhance the overall security assessment.
- WebSocket Testing: OWASP ZAP provides robust WebSocket testing capabilities, allowing users to intercept, analyze, and tamper with WebSocket traffic between the client and server. This feature is particularly useful for identifying vulnerabilities in WebSocket-based applications, ensuring comprehensive security coverage.
By leveraging these features, OWASP ZAP users can conduct thorough security assessments of their web applications, identifying and addressing potential vulnerabilities before they can be exploited.
How it Works
In its simplest form, ZAP sends requests to the application that mimic the attacks a malicious attacker would use. Based on the response received from the application, ZAP highlights any potential vulnerabilities.
The active scanner in OWASP ZAP probes web applications for vulnerabilities by sending crafted requests; it runs after the spider has crawled the application and the passive scanner has reviewed the traffic that crawl produced.
Digging a bit deeper, there are a few ways to understand how it works:
Running Scans: Desktop vs. API
ZAP can run scans as a desktop application, or it can be deployed via API in an automated fashion. The ideal way to run scans is typically dependent on the way you intend to use ZAP. Penetration testers and security analysts will often run a one-off test, utilizing the ZAP desktop application to identify vulnerabilities. Within software engineering and enterprise security teams, ZAP is more frequently deployed via automation, ensuring regular security testing of the application and APIs.
For those new to ZAP, the ‘quick start automated scan’ feature in ZAP’s user interface allows users to quickly initiate scans on web applications without extensive configurations.
→ View the Getting Started Guide for ZAP (including Desktop scanning)
→ View the ZAP API Docs
Defining the Application: Paths and API Routes

After deciding how you want to run the scan, the next step is to help the scanner discover the application. There are a few components of this:
- URL / Target: This field tells ZAP where the application is running and what to scan
- Traditional Spider: When enabled, the traditional spider kicks off an HTML spider to find the various paths and forms within the application
- AJAX Spider: The AJAX spider executes the JavaScript within the application in a browser, looking for new paths or API routes. This is the better choice when the target is a single-page application or another AJAX-heavy web application.
- API Routes: With modern application architecture, API security testing has become increasingly important. Scans of REST and GraphQL APIs can be configured by following the ZAP documentation.
With the application defined, you may be ready to run an initial scan. If your application requires authentication, however, you’ll need to configure that as well.
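The following script is an added example written for this page (it is not code from the original post, nor the ZAP project's own client library). It drives the sequence just described through ZAP's JSON REST API: it seeds the target URL, optionally imports an OpenAPI definition so REST routes are known without crawling, runs the traditional spider, waits for the passive scanner to drain its queue, runs the active scanner, and returns the alerts. The ZAP daemon address (127.0.0.1:8080), the API key (a placeholder) and the target (localhost:3000) are assumptions; the `fetch` hook is injectable so the scan logic can be exercised without a live ZAP.

```python
"""Drive a ZAP scan through its JSON REST API: define the target, spider it,
wait for passive scanning to catch up, run the active scanner, collect alerts."""
import json
import time
import urllib.parse
import urllib.request

# Assumptions for this example: a local ZAP started in daemon mode (e.g.
# `zap.sh -daemon -port 8080 -config api.key=...`) whose API key is the placeholder below.
ZAP_BASE = "http://127.0.0.1:8080"
API_KEY = "changeme-api-key"  # placeholder; use the key configured in your ZAP instance


def build_url(component, ctype, name, params=None, base=ZAP_BASE, apikey=API_KEY):
    """Build a ZAP JSON API URL: /JSON/<component>/<view|action>/<name>/?apikey=...&..."""
    query = {"apikey": apikey}
    query.update(params or {})
    return f"{base}/JSON/{component}/{ctype}/{name}/?{urllib.parse.urlencode(query)}"


def http_get_json(url):
    """Default transport: GET the URL and decode ZAP's JSON reply."""
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


class ZapClient:
    """Thin wrapper; `fetch` is injectable so the scan logic can run offline in tests."""

    def __init__(self, fetch=http_get_json, base=ZAP_BASE, apikey=API_KEY, poll_seconds=2.0):
        self.fetch, self.base, self.apikey, self.poll = fetch, base, apikey, poll_seconds

    def view(self, component, name, **params):
        return self.fetch(build_url(component, "view", name, params, self.base, self.apikey))

    def action(self, component, name, **params):
        return self.fetch(build_url(component, "action", name, params, self.base, self.apikey))

    def wait_until(self, probe, done):
        """Poll `probe()` until `done(result)` is true; return the final result."""
        while True:
            result = probe()
            if done(result):
                return result
            time.sleep(self.poll)

    def scan(self, target, openapi_url=None):
        """Lifecycle: seed -> (OpenAPI import) -> spider -> passive queue drained -> active scan -> alerts."""
        self.action("core", "accessUrl", url=target)  # puts the target into ZAP's site tree
        if openapi_url:  # REST routes come from the definition rather than from crawling (openapi add-on)
            self.action("openapi", "importUrl", url=openapi_url, hostOverride=target)
        spider_id = self.action("spider", "scan", url=target, recurse="true")["scan"]
        self.wait_until(lambda: self.view("spider", "status", scanId=spider_id),
                        lambda r: int(r["status"]) >= 100)
        # The passive scanner works through a queue of recorded messages; let it empty first
        self.wait_until(lambda: self.view("pscan", "recordsToScan"),
                        lambda r: int(r["recordsToScan"]) == 0)
        ascan_id = self.action("ascan", "scan", url=target, recurse="true")["scan"]
        self.wait_until(lambda: self.view("ascan", "status", scanId=ascan_id),
                        lambda r: int(r["status"]) >= 100)
        return self.view("core", "alerts", baseurl=target)["alerts"]


def summarize(alerts):
    """Count alerts by ZAP's risk label (High / Medium / Low / Informational)."""
    counts = {}
    for alert in alerts:
        counts[alert["risk"]] = counts.get(alert["risk"], 0) + 1
    return counts


if __name__ == "__main__":
    # Assumed pre-production target; never point the active scanner at production.
    found = ZapClient().scan("http://localhost:3000", openapi_url="http://localhost:3000/openapi.json")
    print(json.dumps(summarize(found), indent=2))
```

The official zap-api-python client wraps these same endpoints with one method per action; the raw URLs are shown here so the order of operations is visible. Waiting for `pscan/view/recordsToScan` to reach zero before reading alerts matters in CI: the passive scanner lags behind the spider, and reading alerts too early silently drops findings.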
Authenticated Security Scanning
Many web applications require authentication to access. If this is the case, you will need to configure this within ZAP prior to running a scan. Otherwise, the scan will not test any paths or routes that are behind authentication protection.
ZAP supports various forms of authentication that cover the vast majority of application authentication mechanisms out there, including form-based authentication, script-based authentication, JSON-based authentication, and HTTP/NTLM-based authentication.
→ Learn about authentication for the Desktop application
→ Learn about authentication when running ZAP via API
Tests Run by ZAP
ZAP runs tests to identify all of the major web application security vulnerabilities, such as SQL Injection, Cross-Site Scripting, Cross-Site Request Forgery, and more. As an open source tool, ZAP has an ever-growing list of tests that are run against the application and APIs to identify potential security vulnerabilities.
→ View the list of tests run by ZAP
By default, ZAP scans include all of the tests with Release status. Users can, however, choose to include rules that are still in alpha or beta status if they are interested.
Passive vs Active Scanning
Passive scans review all HTTP requests and responses exchanged with the application, looking for indicators of security vulnerabilities. They do not modify the requests in any way, which makes passive scanning the safer option: it analyzes traffic without altering its content.
In the context of web application security testing with ZAP, the distinction between passive and active scanning is crucial. Passive scanning examines requests and responses without altering them, making it safe to run while exploring the application. In contrast, active scanning sends known attack payloads to find additional vulnerabilities, which is why you need permission from the application owner before using it.
Active scans are a far better way to test for vulnerabilities in your application, as the test suite injects requests designed to surface them. These scans are, however, actively attempting to attack the application, which may include creating or deleting data.
While passive scans are low risk, they will also miss many potential vulnerabilities. By nature, they cannot detect the classes of vulnerability that only show up when attack input is sent, such as SQL Injection.
Additionally, persisting the ZAP session is important: saving the session data from scans to a local database allows future access to, and management of, testing configurations and results.
Use Caution when Scanning Production Applications
Ideally, teams should be testing their applications and APIs with active scans to find any potential vulnerabilities. There is a right way to do this, however, to ensure that the scan does not inflict harm on the production application.
Active scans should always be run against a pre-production build of the application. When testing a non-production environment, it does not matter if data is deleted or created, or if tables are dropped.
→ ZAP Passive Scan Documentation
→ ZAP Active Scan Documentation
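To make the passive/active distinction concrete, here is an added example of the passive model, written for this page rather than taken from ZAP's own passive-scan rules: it only reads responses the application already returned and never issues or modifies a request, which is exactly why it is safe and exactly why it cannot find injection flaws. The two HTTP responses are constructed samples; the alert names and risk levels are chosen for illustration and do not claim to match ZAP's rule catalogue.

```python
"""A miniature passive check in the ZAP sense: inspect recorded responses, send nothing."""

# Constructed sample: an unhardened response served over HTTPS ...
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: session=abc123; Path=/\r\n"
    "\r\n"
    "<html><body>Welcome</body></html>"
)
# ... and the same response after hardening (also constructed).
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "\r\n"
    "<html><body>Welcome</body></html>"
)


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status_line, headers, body).
    Header names are lowercased; repeated headers such as Set-Cookie are kept as lists."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status_line, headers, body


def passive_checks(url, raw_response):
    """Return a list of alert dicts (risk, name, url, evidence) for one recorded response."""
    _, headers, _ = parse_response(raw_response)
    https = url.lower().startswith("https://")
    alerts = []

    def alert(risk, name, evidence=""):
        alerts.append({"risk": risk, "name": name, "url": url, "evidence": evidence})

    if "x-content-type-options" not in headers:
        alert("Low", "X-Content-Type-Options header missing")
    if "content-security-policy" not in headers:
        alert("Medium", "Content-Security-Policy header not set")
    if https and "strict-transport-security" not in headers:
        alert("Low", "Strict-Transport-Security header missing")
    for cookie in headers.get("set-cookie", []):
        cookie_name = cookie.split("=", 1)[0].strip()
        attrs = {part.strip().lower() for part in cookie.split(";")[1:]}
        if https and "secure" not in attrs:
            alert("Medium", "Cookie without Secure flag", cookie_name)
        if "httponly" not in attrs:
            alert("Low", "Cookie without HttpOnly flag", cookie_name)
    server = headers.get("server", [""])[0]
    if any(ch.isdigit() for ch in server):  # a version string in Server is an information leak
        alert("Low", "Server version disclosed in Server header", server)
    return alerts


if __name__ == "__main__":
    for name, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        for a in passive_checks("https://app.example.test/", raw):
            print(f"{name}: [{a['risk']}] {a['name']} {a['evidence']}")
```

Every finding above is derived from headers the server volunteered, so running this against production traffic changes nothing on the server. An active check for SQL Injection has no such property: it must send modified parameter values and observe how the application reacts, which is what the cautions in the section above are about.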
Use Cases for ZAP AppSec and API Testing
ZAP is an application and API security testing tool that is used for a variety of purposes. As an open-source tool, it has been widely adopted, and its users have implemented it in creative ways. Below are some of the common reasons and ways that people are using ZAP.
Automated Application Security Testing
Software engineering and security teams frequently use ZAP in the CI/CD pipeline to test for security vulnerabilities in their applications and APIs during the build process. With ZAP instrumented in the DevOps (or DevSecOps) pipeline, vulnerabilities are caught before they are shipped to production.
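Once ZAP runs in the pipeline, the build needs a rule for turning its alerts into a pass/fail decision. The following is an added example written for this page (not code from the original post or from ZAP): it takes alert objects shaped like the ones ZAP's `core/view/alerts` API returns, collapses duplicate findings, suppresses plugin ids that have been triaged as false positives, and fails the build only for alerts at or above a risk and confidence threshold. The alert list is a constructed sample whose plugin ids follow ZAP's numbering; the thresholds are this example's choice, not a ZAP default.

```python
"""Decide whether a CI job passes based on ZAP alerts."""

RISK_ORDER = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}
CONFIDENCE_ORDER = {"False Positive": 0, "Low": 1, "Medium": 2, "High": 3, "Confirmed": 4}

# Constructed sample alerts shaped like ZAP's API output (names abbreviated).
SAMPLE_ALERTS = [
    {"pluginId": "40018", "name": "SQL Injection", "risk": "High", "confidence": "Medium",
     "url": "http://localhost:3000/search", "param": "q"},
    {"pluginId": "40018", "name": "SQL Injection", "risk": "High", "confidence": "Medium",
     "url": "http://localhost:3000/search", "param": "q"},  # same finding reported twice
    {"pluginId": "40012", "name": "Cross Site Scripting (Reflected)", "risk": "High", "confidence": "Low",
     "url": "http://localhost:3000/profile", "param": "name"},
    {"pluginId": "10038", "name": "CSP Header Not Set", "risk": "Medium", "confidence": "High",
     "url": "http://localhost:3000/", "param": ""},
    {"pluginId": "10021", "name": "X-Content-Type-Options Header Missing", "risk": "Low", "confidence": "Medium",
     "url": "http://localhost:3000/", "param": ""},
]


def dedupe(alerts):
    """Keep one alert per (rule, URL, parameter); ZAP can report the same issue per payload."""
    seen, unique = set(), []
    for alert in alerts:
        key = (alert.get("pluginId"), alert.get("url"), alert.get("param"))
        if key not in seen:
            seen.add(key)
            unique.append(alert)
    return unique


def evaluate(alerts, fail_at="High", min_confidence="Medium", allowlist=frozenset()):
    """Return a verdict: passed flag plus the blocking, reported (non-blocking) and
    suppressed alerts.  `allowlist` holds plugin ids already triaged as false positives."""
    blocking, reported, suppressed = [], [], []
    for alert in dedupe(alerts):
        if alert.get("pluginId") in allowlist:
            suppressed.append(alert)
            continue
        risky = RISK_ORDER.get(alert.get("risk"), 0) >= RISK_ORDER[fail_at]
        confident = CONFIDENCE_ORDER.get(alert.get("confidence"), 0) >= CONFIDENCE_ORDER[min_confidence]
        (blocking if risky and confident else reported).append(alert)
    return {"passed": not blocking, "blocking": blocking, "reported": reported, "suppressed": suppressed}


def format_verdict(verdict):
    """One line per alert, suitable for a CI log."""
    lines = ["PASS" if verdict["passed"] else "FAIL"]
    for bucket in ("blocking", "reported", "suppressed"):
        for alert in verdict[bucket]:
            lines.append(f"{bucket:10} [{alert['risk']}/{alert['confidence']}] "
                         f"{alert['name']} at {alert['url']} param={alert['param'] or '-'}")
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    verdict = evaluate(SAMPLE_ALERTS, allowlist=frozenset({"10021"}))
    print(format_verdict(verdict))
    sys.exit(0 if verdict["passed"] else 1)
```

Keeping low-confidence High alerts in the "reported" bucket rather than failing on them is a deliberate trade-off: it stops a single noisy rule from blocking every build, while still surfacing the finding for a human to confirm. The allowlist should live in version control next to the pipeline definition so that each suppression has a reviewable history.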
OWASP Top 10 Prevention
For many companies, the first step in application security is ensuring that they are preventing the OWASP Top 10 vulnerabilities. ZAP is an excellent tool for testing applications to find potential OWASP Top 10 vulnerabilities. In fact, the ZAP project has a page dedicated to how it helps software teams ensure they are secure against the Top 10.
Software Delivery Compliance
Many software companies have compliance requirements as defined by their customers or regulators. For example, it is common for SOC 2 compliance to be required as part of a B2B software sale. These compliance requirements take different shapes, but often include provisions about security testing as part of the software delivery process. With ZAP instrumented in the SDLC, companies can meet their various compliance requirements.
Penetration Testing and Manual Security Testing
ZAP is a favorite tool among penetration testers, whether internal to a company or part of an external firm. These individuals are hired to find vulnerabilities within an application before an attacker does, preparing reports of what a company needs to fix. They use ZAP to test applications and APIs for vulnerabilities.
Secure Software Development
Engineering teams want to deliver high quality software, which includes ensuring that software is secure. Many companies use ZAP to periodically test their software to identify security vulnerabilities. This can take a variety of forms, from scheduled ZAP scans to periodic manual reviews.
Bug Bounty Testing
Bug bounty programs, such as those facilitated by HackerOne or Bugcrowd, are a strategy leveraged by many security teams to identify security gaps before an attacker can exploit them. Application security testing with tools such as ZAP can ensure that teams catch vulnerabilities before they are surfaced in a bug bounty program, increasing product security and reducing bug bounty payouts.
OWASP ZAP Tutorial and Other Resources:
Running your first security test with ZAP is simple. Download the ZAP desktop application, follow along with the Getting Started Guide, and run your first scan. Installers are available for Linux, macOS, and Windows, with the option to persist ZAP sessions when you install ZAP. For more complex configurations, check out the ZAP documentation.
→ ZAP API Docs
The ZAP community also plays a crucial role in supplying additional payloads for testing web applications, a good illustration of how users share resources with one another. As with most popular open-source projects, the ZAP community is very active and is a resource worth being aware of and leveraging as a user.

Alternatives to ZAP
While ZAP is the leading open source application security testing tool, there are several free and commercial alternatives that companies choose. When choosing a dynamic application security testing tool, ZAP is often compared against:
StackHawk: StackHawk is an application security testing software product built on top of ZAP. It leverages the power of the ZAP scanner and adds features to simplify automation in CI/CD and developer-first security. Learn more in our ZAP vs. StackHawk comparison guide.
Burp Suite: Built by PortSwigger, Burp Suite is a dynamic application security testing tool that is popular among penetration testers. While Burp Suite has many features for manual testing (or even agent-based testing in the Enterprise product), ZAP is built for automation, APIs, and scalability.
Veracode: Veracode is an enterprise security tool offering a suite of products, including SAST, DAST, SCA, and IAST. While Veracode is a popular security tool among enterprise security teams, its DAST offering is often criticized for its lack of automation and its inability to test modern application architectures.
Rapid7: InsightAppSec is the dynamic application security testing tool from Rapid7. If you are using the Rapid7 platform and would like scanning of publicly available sites, Rapid7 can be a good choice.
WhiteHat: Sentinel Dynamic is WhiteHat’s DAST product. If you are using the WhiteHat platform, the DAST product may be a valuable addition to that suite.
→ Read the Dynamic Application Security Testing: Overview and Tooling Guide