The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers*. It can help you automatically find security vulnerabilities in your web applications while you are developing and testing your applications. Its also a great tool for experienced pentesters to use for manual security testing.
ZAP is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications.
It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing.
ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.
The quickest way to get going with ZAP is to use the Quick Start add-on, which is installed by default. This allows you to enter a URL which ZAP will first spider and then active scan. For a more in depth test you should explore your application using your browser or automated regression tests while proxying through ZAP.
At its heart ZAP is an intercepting proxy. You need to configure your browser to connect to the web application you wish to test through ZAP. If required you can also configure ZAP to connect through another proxy – this is often necessary in a corporate environment.
If you know how to set up proxies in your web browser then go ahead and give it a go! If you are unsure then have a look at the Configuring proxies section.
Once you have configured ZAP as your browser’s proxy then try to connect to the web application you will be testing. If you can not connect to it then check your proxy settings again. You will need to check your browser’s proxy settings, and also ZAP’s proxy settings. Its also worth checking that the application that you are trying to test is running!
When you have successfully connected to your application via your browser then have a look at ZAP again. You should now see one or more lines in the Sites and History tabs. If so we’re in business. If not then you’ll need to check your proxy settings again.
The next thing to do is to start a basic penetration test…..