ZAP Overview: Open Source Application Security Testing
ZAP (sometimes referred to as Zed Attack Proxy or OWASP ZAP) is an open source application security testing tool that is popular among software developers, enterprise security teams, and penetration testers alike. ZAP was founded in 2010 by Simon Bennetts. Since then, ZAP has grown to become an industry standard and the most widely used application security scanner.
Specifically, ZAP is a dynamic application security testing tool, which means that it runs active tests against the running application. These tests identify potential security vulnerabilities within the application and backing APIs, equipping engineers with the information to fix any found issues.
One thing that sets ZAP apart from other web application security testing tools is its ability to be automated. While it is still frequently used by penetration testers or individuals running manual security tests, ZAP’s automation via API has allowed it to be used at scale by engineering teams at companies such as Facebook, Intuit, and more.
This post provides an in-depth overview of ZAP, covering the following topics:
- How it Works
- Use Cases for ZAP
- How to Get Started
- Alternatives to ZAP
How it Works
In its simplest form, ZAP sends requests to the application that mimic the attacks a malicious actor would use. Based on the response received from the application, ZAP highlights any potential vulnerabilities.
Digging a bit deeper, there are a few ways to understand how it works:
Running Scans: Desktop vs. API
ZAP can run scans as a desktop application, or it can be deployed via API in an automated fashion. The ideal way to run scans is typically dependent on the way you intend to use ZAP. Penetration testers and security analysts will often run a one-off test, utilizing the ZAP desktop application to identify vulnerabilities. Within software engineering and enterprise security teams, ZAP is more frequently deployed via automation, ensuring regular security testing of the application and APIs.
Defining the Application: Paths and API Routes
After deciding how you want to run the scan, the next step is to help the scanner discover the application. There are a few components of this:
- URL / Target: This field tells ZAP where the application is running and what to scan
- Traditional Spider: When enabled, the traditional spider kicks off an HTML spider to find the various paths and forms within the application
- API Routes: With modern application architecture, API security testing has become increasingly important. Scans of REST and GraphQL APIs can be configured using the ZAP documentation.
With the application defined, you may be ready to run an initial scan. If your application requires authentication, however, you’ll need to configure that as well.
Authenticated Security Scanning
Many web applications require authentication to access. If this is the case, you will need to configure this within ZAP prior to running a scan. Otherwise, the scan will not test any paths or routes that are behind authentication protection.
ZAP supports various forms of authentication that cover the vast majority of application authentication schemes, including form-based authentication, script-based authentication, JSON-based authentication, and HTTP/NTLM-based authentication.
Tests Run by ZAP
ZAP runs testing to identify all of the major web application security vulnerabilities, such as SQL Injection, Cross-Site Scripting, Cross Site Request Forgery, and more. As an open source tool, ZAP has an ever growing list of tests that are run against the application and APIs to identify potential security vulnerabilities.
→ View the list of tests run by ZAP
By default, ZAP scans include all of the tests in Release status. Users can, however, choose to include rules in alpha or beta status if they are interested.
Active vs. Passive Scans
Passive scans review all HTTP requests and responses from the application, looking for indicators of security vulnerabilities. These scans do not change anything about the requests. Active scans, on the other hand, will create and modify requests being sent to the application, sending test requests that will surface vulnerabilities that would not be caught in a passive scan.
Active scans are definitely a better way to test for vulnerabilities in your application, as the test suite injects requests that will surface vulnerabilities. These scans are, however, actively attempting to attack the application, which may include creating or deleting data.
While passive scans are low risk, they also will not catch many potential vulnerabilities. Because they never modify requests, passive scans do not test for vulnerabilities that only surface under attack, such as SQL Injection.
Use Caution when Scanning Production Applications
Ideally, teams should be testing their applications and APIs with active scans to find any potential vulnerabilities. There is a right way to do this, however, to ensure that the scan does not inflict harm on the production application.
Active scans should always be run against a pre-production build of the application. When testing a non-production environment, it does not matter if data is deleted, created, or if tables are dropped.
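The rule above can be enforced as a pre-flight check in scan tooling. This is an added example, not code from ZAP or from this post: it selects ZAP's packaged passive baseline script unless the target host is on an explicit pre-production allowlist. The allowlist hostnames and function names are assumptions; `zap-baseline.py`, `zap-full-scan.py` and their `-t` target option are ZAP's packaged scan scripts.

```python
from urllib.parse import urlsplit

# Assumption: hosts your team has designated as disposable pre-production builds.
PREPROD_HOSTS = {"staging.example.test", "qa.example.test"}

ZAP_IMAGE = "ghcr.io/zaproxy/zaproxy:stable"


def target_host(url):
    """Return the lowercase hostname a scanner would actually connect to."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"not an absolute http(s) URL: {url!r}")
    # .hostname drops userinfo and port, so "https://staging.example.test@prod/"
    # is judged by "prod", not by the allowlisted-looking prefix.
    return parts.hostname.rstrip(".").lower()


def scan_script(url, want_active):
    """Pick the scan script: active only when requested AND the host is pre-production."""
    active = want_active and target_host(url) in PREPROD_HOSTS
    return "zap-full-scan.py" if active else "zap-baseline.py"


def scan_command(url, want_active):
    """Build the docker argv for the selected scan (first -t is docker's TTY flag)."""
    return ["docker", "run", "--rm", "-t", ZAP_IMAGE,
            scan_script(url, want_active), "-t", url]
```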
Use Cases for ZAP AppSec and API Testing
ZAP is an application and API security testing tool that is used for a variety of purposes. As an open source tool, it has wide adoption and its users have implemented it in creative ways. Below are some of the common reasons and ways that people are using ZAP.
Automated Application Security Testing
Software engineering and security teams frequently use ZAP in the CI/CD pipeline to test for security vulnerabilities in their applications and APIs during the build process. With ZAP instrumented in the DevOps (or DevSecOps) pipeline, vulnerabilities are caught before they are shipped to production.
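One way to turn a scan into a build gate, as an added example that is not code from ZAP or from this post: it reads a report in the layout of ZAP's traditional JSON report and fails the build when any finding is at or above a chosen risk level. The sample report is constructed, and the threshold and function names are assumptions.

```python
import json

RISK = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}

# Constructed sample following the layout of ZAP's traditional JSON report; not real scan output.
SAMPLE_REPORT = json.dumps({"site": [{
    "@name": "https://staging.example.test",
    "alerts": [
        {"pluginid": "40018", "name": "SQL Injection", "riskcode": "3", "confidence": "2",
         "instances": [{"uri": "https://staging.example.test/search?q=1", "method": "GET"}]},
        {"pluginid": "40012", "name": "Cross Site Scripting (Reflected)", "riskcode": "3",
         "confidence": "0", "instances": [{"uri": "https://staging.example.test/", "method": "GET"}]},
        {"pluginid": "10021", "name": "X-Content-Type-Options Header Missing", "riskcode": "1",
         "confidence": "2", "instances": [{"uri": "https://staging.example.test/", "method": "GET"},
                                          {"uri": "https://staging.example.test/login", "method": "GET"}]},
    ]}]})


def findings(report_text):
    """Flatten a report into dicts sorted from highest to lowest risk."""
    sites = json.loads(report_text).get("site", [])
    if isinstance(sites, dict):  # tolerate a single site object instead of a list
        sites = [sites]
    rows = []
    for site in sites:
        for alert in site.get("alerts", []):
            if str(alert.get("confidence")) == "0":  # 0 = marked False Positive in ZAP
                continue
            rows.append({
                "risk": int(alert["riskcode"]),  # the report stores codes as strings
                "name": alert.get("name") or alert.get("alert", "?"),
                "plugin": alert.get("pluginid"),
                "site": site.get("@name"),
                "instances": len(alert.get("instances", [])),
            })
    return sorted(rows, key=lambda r: r["risk"], reverse=True)


def gate(report_text, fail_at=2):
    """Return (exit_code, blocking); exit_code is 1 if any finding has risk >= fail_at."""
    blocking = [r for r in findings(report_text) if r["risk"] >= fail_at]
    return (1 if blocking else 0), blocking


if __name__ == "__main__":
    code, blocking = gate(SAMPLE_REPORT)
    for r in blocking:
        print(f'{RISK[r["risk"]]}: {r["name"]} (plugin {r["plugin"]}, {r["instances"]} instance(s))')
    raise SystemExit(code)
```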
OWASP Top 10 Prevention
For many companies, the first step in application security is ensuring that they are preventing the OWASP Top 10 Vulnerabilities. ZAP is an excellent tool for testing applications to find potential OWASP Top 10 vulnerabilities. In fact, ZAP has a page dedicated to how they help software teams ensure they are secure against the top 10.
Software Delivery Compliance
Many software companies have compliance requirements as defined by their customers or regulators. For example, it is common that SOC 2 compliance is required as part of a B2B software sale. These compliance requirements take different shapes, but often include provisions about security testing as part of the software delivery process. With ZAP instrumented in the SDLC, companies can achieve their various compliance requirements.
ZAP is a favorite tool among penetration testers, whether internal to a company or part of an external firm. These individuals are hired to find vulnerabilities within an application before an attacker, preparing reports of what a company needs to fix. These individuals use ZAP to test applications and APIs for vulnerabilities.
Secure Software Development
Engineering teams want to deliver high quality software, which includes ensuring that software is secure. Many companies use ZAP to periodically test their software to identify security vulnerabilities. This can take a variety of forms, from scheduled ZAP scans to periodic manual reviews.
Bug Bounty Testing
Bug bounty programs, such as those facilitated by HackerOne or BugCrowd, are a strategy leveraged by many security teams to identify security gaps before an attacker can exploit them. Application security testing with tools such as ZAP can ensure that teams catch vulnerabilities before they are surfaced in a bug bounty program, increasing product security and reducing bug bounty payouts.
Getting Started and Other Resources
Running your first security test with ZAP is simple. Download the ZAP desktop application, follow along with the Getting Started Guide, and run your first scan. For more complex configuration, check out the ZAP documentation.
Alternatives to ZAP
While ZAP is the leading open source application security testing tool, there are several free and commercial alternatives that companies will choose. When choosing a dynamic application security testing tool, ZAP is often compared against:
- StackHawk: StackHawk is an application security testing software product built on top of ZAP. It leverages the power of the ZAP scanner and adds features to simplify automation in CI/CD and developer-first security. Learn more in our ZAP vs. StackHawk comparison guide.
- BurpSuite: Built by PortSwigger, BurpSuite is a dynamic application security testing tool that is popular among penetration testers. While BurpSuite has many features for manual testing (or even agent-based testing in the Enterprise product), ZAP is built for automation, APIs, and scalability.
- Veracode: Veracode is an enterprise security tool offering a suite of products, including SAST, DAST, SCA, and IAST. While Veracode is a popular security tool among enterprise security teams, its DAST offering is often criticized for its lack of automation and its inability to test modern application architectures.
- Rapid7: InsightAppSec is the dynamic application security testing tool from Rapid7. If you are using the Rapid7 platform and would like scanning of publicly available sites, Rapid7 can be a good choice.
- WhiteHat: Sentinel Dynamic is WhiteHat’s DAST product. If you are using the WhiteHat platform, the DAST product may be a valuable addition to that suite.