OWASP ZAP: Web Application Security Testing
Part of the Cybersecurity Skills Guide — This article is one deep-dive in our complete guide series.
By HADESS Team | February 28, 2026 | Updated: February 28, 2026 | 5 min read
OWASP ZAP (Zed Attack Proxy) is a free, open-source web application security scanner. It sits between your browser and the target application as an intercepting proxy, letting you inspect, modify, and replay HTTP requests while also providing automated scanning capabilities. For teams that cannot afford commercial tools like Burp Suite Professional, ZAP is a capable alternative with strong community support.
Setting Up and Spidering
Install ZAP and configure your browser to use it as a proxy (default: localhost:8080). Install the ZAP root CA certificate in your browser to intercept HTTPS traffic without certificate errors.
Before running any scan, spider the application to build a site map. ZAP offers two spidering modes:
Traditional Spider follows links and submits forms to discover pages. It works well for server-rendered applications but misses content loaded dynamically by JavaScript.
AJAX Spider uses a real browser (Firefox or Chrome) to render pages and discover content loaded by JavaScript frameworks. This is slower but catches routes in React, Angular, and Vue applications that the traditional spider would miss.
Configure authentication before spidering. ZAP supports form-based authentication, script-based authentication, and JSON-based authentication for APIs. Set up the login mechanism, define logged-in/logged-out indicators, and ZAP will maintain authenticated sessions throughout scanning.
Active vs. Passive Scanning
Passive scanning analyzes traffic as it passes through the proxy without sending additional requests. It identifies issues like missing security headers, information disclosure in responses, cookie flag problems, and content type mismatches. Passive scanning is safe to run against production systems because it adds no traffic.
Active scanning sends attack payloads to the application to test for vulnerabilities: SQL injection, XSS, path traversal, command injection, and more. Active scanning will send thousands of malicious requests to every parameter it finds. Only run active scans against applications you have explicit authorization to test.
Configure the active scan policy to match your engagement. Disable checks that are not relevant (skip SQL injection tests on a static site), increase the strength for priority vulnerability classes, and set thread counts appropriate for the target’s capacity.
Scripting and Customization
ZAP’s scripting engine supports JavaScript, Python (via Jython), Ruby, and Groovy. Scripts extend ZAP’s functionality in several ways:
- Active scan rules: custom vulnerability checks for application-specific issues
- Passive scan rules: flag patterns in responses that matter to your organization
- Authentication scripts: handle complex login flows (MFA, CSRF tokens, OAuth)
- HTTP sender scripts: modify requests before they are sent (add headers, transform payloads)
- Targeted scripts: attack specific parameters with custom logic
Write custom scan rules for business logic vulnerabilities that automated scanners miss: IDOR (insecure direct object references), privilege escalation through parameter manipulation, and rate limiting bypass.
CI/CD Integration
ZAP’s headless mode and API make it straightforward to integrate into CI/CD pipelines. The ZAP Docker image runs without a GUI and exposes a REST API for automation.
A typical pipeline integration:
1. Deploy the application to a staging environment
2. Start ZAP in daemon mode
3. Run the AJAX spider against the staging URL
4. Execute an active scan
5. Generate a report and fail the build if high-severity findings are present
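Steps 2 to 5 driven through ZAP's REST API, as an added example that is not from the article or the ZAP project. It assumes a ZAP daemon already listening on localhost:8080 with a placeholder API key, and the staging URL is passed on the command line; the build-gate logic is pure so it can be exercised on the constructed sample without a running ZAP.

```python
import json
import sys
import time
import urllib.parse
import urllib.request

# Assumptions, not from the article: a ZAP daemon on localhost:8080 started with
# an API key, e.g. `zap.sh -daemon -port 8080 -config api.key=changeme`.
ZAP_API = "http://localhost:8080"
API_KEY = "changeme"  # placeholder: use the key you started ZAP with
RISK_ORDER = ["Informational", "Low", "Medium", "High"]  # ZAP's risk strings, ascending

# Constructed sample of the `alerts` array that core/view/alerts returns.
SAMPLE_ALERTS = [
    {"risk": "High", "name": "SQL Injection", "url": "https://staging.example/item?id=1"},
    {"risk": "Medium", "name": "X-Frame-Options Header Not Set", "url": "https://staging.example/"},
    {"risk": "High", "name": "SQL Injection", "url": "https://staging.example/item?id=2"},
]

def zap_get(component, kind, name, **params):
    """Call a ZAP JSON API endpoint such as /JSON/ascan/action/scan/."""
    params["apikey"] = API_KEY
    url = f"{ZAP_API}/JSON/{component}/{kind}/{name}/?" + urllib.parse.urlencode(params)
    with urllib.request.urlopen(url) as resp:
        return json.load(resp)

def build_verdict(alerts, threshold="High"):
    """Return (fail, summary): fail is True if any alert is at or above threshold."""
    floor = RISK_ORDER.index(threshold)
    hits = [a for a in alerts if RISK_ORDER.index(a["risk"]) >= floor]
    summary = sorted({(a["risk"], a["name"]) for a in hits})  # one line per rule, not per URL
    return len(hits) > 0, summary

def scan_and_gate(target, threshold="High"):
    """Pipeline steps 3-5: AJAX spider, active scan, then gate the build on the alerts."""
    zap_get("ajaxSpider", "action", "scan", url=target)
    while zap_get("ajaxSpider", "view", "status")["status"] != "stopped":  # running -> stopped
        time.sleep(5)
    scan_id = zap_get("ascan", "action", "scan", url=target)["scan"]
    while zap_get("ascan", "view", "status", scanId=scan_id)["status"] != "100":  # percent done
        time.sleep(5)
    alerts = zap_get("core", "view", "alerts", baseurl=target, start=0, count=10000)["alerts"]
    return build_verdict(alerts, threshold)

if __name__ == "__main__":
    fail, summary = scan_and_gate(sys.argv[1]) if len(sys.argv) > 1 else build_verdict(SAMPLE_ALERTS)
    for risk, name in summary:
        print(f"{risk}: {name}")
    sys.exit(1 if fail else 0)  # non-zero exit code fails the pipeline stage
```

Lower the threshold to "Medium" for the gate on release builds; a report for human review can be fetched separately from `/OTHER/core/other/htmlreport/`.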
Use the ZAP Automation Framework (AF) to define scan configurations as YAML files. This makes scan configurations version-controlled, reproducible, and reviewable alongside application code.
Set baseline scan profiles that check for common issues without running a full active scan — these complete in minutes rather than hours and are suitable for every pull request. Reserve full scans for nightly or release builds.
ZAP proficiency applies to Web Penetration Tester and DevSecOps career paths. Pentesters use ZAP for manual and automated web app assessments, while DevSecOps engineers integrate it into build pipelines.
Next Steps
- Evaluate your web security testing skills with the skills assessment
- Browse web security topics in the skills library
- Plan your certifications with the certificate roadmap — OSWA and GWAPT cover web app testing extensively
Related Guides in This Series
- Binary Exploitation: From Buffer Overflows to Modern Techniques — HADESS | 2026
- Low-Level Exploitation: Kernel, Driver, and Firmware Attacks — HADESS | 2026
- Penetration Testing Methodology: Scoping Through Reporting
Frequently Asked Questions
How long does it take to learn this skill?
Most practitioners build working proficiency in 4-8 weeks of dedicated study with hands-on practice. Mastery takes longer and comes primarily through on-the-job experience.
Do I need certifications for this skill?
Certifications validate your knowledge to employers but are not strictly required. Hands-on experience and portfolio projects often carry more weight in technical interviews. Check the certification roadmap for relevant options.
What career paths use this skill?
Explore the career path explorer to see which roles require this skill and how it fits into different cybersecurity specializations.
—
HADESS Team consists of cybersecurity practitioners, hiring managers, and career strategists who have collectively spent 50+ years in the field.
