OWASP ZAP
What is OWASP ZAP?
Zed Attack Proxy, an open-source web application security testing tool originally from OWASP and now stewarded by Checkmarx and the ZAP community.
OWASP Zed Attack Proxy (ZAP) is an open-source dynamic application security testing (DAST) tool that acts as an intercepting proxy, automated scanner, and fuzzer for web applications and APIs. ZAP supports automated scans, manual testing through a Burp-style desktop interface and an in-browser heads-up display (HUD), scripting in JavaScript, Python, Zest and other languages, REST automation via the ZAP API, and CI/CD integration through its Docker images, packaged scan scripts and GitHub Actions. ZAP left the OWASP project in 2023 and has been stewarded by Checkmarx since September 2024; it remains free and open source under the Apache 2.0 license. Security teams use ZAP for nightly DAST in pipelines, penetration tests, and training.
● Examples
- 01
Running the ZAP baseline scan (spider plus passive scan, no attack traffic) in a GitHub Actions workflow on every pull request to flag missing security headers, weak cookie flags and similar misconfigurations.
- 02
Using the ZAP HUD (the in-browser heads-up display) to intercept and modify a GraphQL request during a manual pentest.
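As an added example (not ZAP's own code and not from this page's author), the script below turns the JSON report the baseline scan writes with `-J` into the pass/fail decision a pull-request job like example 01 needs: it reads a rules file in the same id/action/comment shape as the baseline scan's `-c` file, fails the build on any unlisted alert at or above a chosen risk, and keeps accepted findings visible rather than silently dropped. The report and rules are constructed for the example, and the report field names (site, alerts, pluginid, riskcode, instances) are how the editor recalls ZAP's traditional JSON report; check them against a real report before relying on this.

```python
"""CI gate for a ZAP JSON report. Added example, not ZAP project code.

Assumed layout (editor's recollection of ZAP's traditional JSON report, as
written by `zap-baseline.py -J`): a top-level "site" list, each site with an
"alerts" list whose entries carry "pluginid", "alert", "riskcode" ("0" info
.. "3" high), "confidence" and "instances". Rules use the id<TAB>action<TAB>
comment shape of the baseline scan's `-c` file. Both samples are constructed.
"""
import json
import sys
from dataclasses import dataclass

RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}

# Constructed sample report: two passive-scan alerts plus one reflected XSS.
SAMPLE_REPORT = json.dumps({
    "@version": "2.15.0",
    "site": [{
        "@name": "https://staging.example.test",
        "alerts": [
            {"pluginid": "10038", "alert": "Content Security Policy (CSP) Header Not Set",
             "riskcode": "2", "confidence": "3",
             "instances": [{"uri": "https://staging.example.test/", "method": "GET"}]},
            {"pluginid": "40012", "alert": "Cross Site Scripting (Reflected)",
             "riskcode": "3", "confidence": "2",
             "instances": [{"uri": "https://staging.example.test/search?q=x",
                            "method": "GET", "param": "q"}]},
            {"pluginid": "10021", "alert": "X-Content-Type-Options Header Missing",
             "riskcode": "1", "confidence": "2",
             "instances": [{"uri": "https://staging.example.test/static/app.js",
                            "method": "GET"}]},
        ],
    }],
})

# Constructed rules file: accepted findings are IGNOREd, tracked ones WARN.
SAMPLE_RULES = """\
# pluginid<TAB>IGNORE|WARN|FAIL<TAB>comment
10021\tIGNORE\t(X-Content-Type-Options Header Missing, accepted for static assets)
10038\tWARN\t(Content Security Policy (CSP) Header Not Set, tracked in backlog)
"""


@dataclass(frozen=True)
class Finding:
    plugin_id: str
    name: str
    risk: int
    site: str
    instances: int


def parse_report(report_json: str) -> list[Finding]:
    """Flatten the per-site alert lists into Finding records."""
    data = json.loads(report_json)
    findings = []
    for site in data.get("site", []):
        for alert in site.get("alerts", []):
            findings.append(Finding(
                plugin_id=str(alert["pluginid"]),
                name=alert["alert"],
                risk=int(alert["riskcode"]),
                site=site.get("@name", ""),
                instances=len(alert.get("instances", [])),
            ))
    return findings


def parse_rules(text: str) -> dict[str, str]:
    """Map plugin id -> IGNORE/WARN/FAIL; blank lines and '#' comments are skipped."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if len(parts) < 2:
            raise ValueError(f"malformed rule: {line!r}")
        action = parts[1].upper()
        if action not in {"IGNORE", "WARN", "FAIL"}:
            raise ValueError(f"unknown action {action!r} for plugin {parts[0]}")
        rules[parts[0]] = action
    return rules


def gate(findings, rules, min_risk=3):
    """Sort findings into fail/warn/ignore buckets. An explicit rule wins;
    otherwise anything at or above min_risk fails and the rest warns, so a
    new high-risk alert never slips through just because no rule names it."""
    buckets = {"fail": [], "warn": [], "ignore": []}
    for f in findings:
        action = rules.get(f.plugin_id) or ("FAIL" if f.risk >= min_risk else "WARN")
        buckets[action.lower()].append(f)
    return buckets


def exit_code(buckets) -> int:
    return 1 if buckets["fail"] else 0


def summarize(buckets) -> list[str]:
    return [f"{bucket.upper():6} {RISK_NAMES[f.risk]:13} {f.plugin_id} {f.name} "
            f"({f.instances} instance(s) on {f.site})"
            for bucket in ("fail", "warn", "ignore") for f in buckets[bucket]]


if __name__ == "__main__":
    # Usage: python zap_gate.py report.json [rules.tsv]; with no args the samples run.
    report = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    rules_text = open(sys.argv[2]).read() if len(sys.argv) > 2 else SAMPLE_RULES
    result = gate(parse_report(report), parse_rules(rules_text))
    print("\n".join(summarize(result)))
    sys.exit(exit_code(result))
```

Run it as the step after the baseline action and let the non-zero exit fail the job; keep the rules file in the repository so every accepted finding has a reviewed comment next to it. The baseline scan only runs passive rules, so a high-risk alert in its output usually means a real exposure (leaked credentials, debug output) rather than an exploitable injection, which is what an active scan in a dedicated test environment is for.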
● Frequently asked questions
What is OWASP ZAP?
Zed Attack Proxy, an open-source web application security testing tool originally from OWASP and now stewarded by Checkmarx and the ZAP community. It belongs to the Compliance & Frameworks category of cybersecurity.
What does OWASP ZAP mean?
Zed Attack Proxy, an open-source web application security testing tool originally from OWASP and now stewarded by Checkmarx and the ZAP community.
How does OWASP ZAP work?
ZAP sits between the client (a browser or a test harness) and the target as an intercepting proxy and records every request and response. From that traffic it builds a site tree, which the traditional spider and the AJAX spider (a headless-browser crawl) extend by following links and triggering client-side navigation. Two scanners work on the site tree: passive scan rules inspect recorded responses without sending anything new (missing security headers, cookie flags, information leakage), and active scan rules replay requests with crafted payloads to probe for injection, path traversal and similar flaws. Findings become alerts with a risk level and a confidence level and are exported as HTML, Markdown, XML, JSON or SARIF reports. The same engine can be driven by hand from the desktop UI or the browser HUD, scripted in JavaScript, Python or Zest, or automated through the REST API, Automation Framework YAML plans, the packaged Docker scan scripts and the GitHub Actions. The baseline scan runs only the spider and passive rules, so it is safe to point at production-like targets; active scanning sends attack traffic and belongs in environments you are authorised to test.
How do you defend against OWASP ZAP?
ZAP is a testing tool rather than a threat in itself, so the question splits in two. Against unauthorised scans, ZAP traffic looks like any other scanner: bursts of requests that walk the whole site tree, repeated requests to one endpoint with varying payloads, and a spike in 4xx and 5xx responses; rate limiting, WAF rules and alerting on those patterns catch it, while a documented testing scope, authentication and least-privilege test accounts keep legitimate scans within bounds. Against what ZAP finds, triage alerts by risk and confidence, fix the root cause rather than fingerprinting and blocking the scanner, and keep a reviewed ignore list in the pipeline so that accepted findings stay visible instead of becoming silent.
What are other names for OWASP ZAP?
Common alternative names include: Zed Attack Proxy, ZAP.
● Related terms
- appsec
DAST (Dynamic Application Security Testing)
Black-box security testing that probes a running application over the network to find vulnerabilities visible only at runtime, such as injection, auth flaws and misconfigurations.
- compliance
OWASP WSTG
The OWASP Web Security Testing Guide, a comprehensive open-source manual that describes how to test web applications for the most common security weaknesses.
- compliance
OWASP ASVS
The OWASP Application Security Verification Standard, a catalogue of testable security requirements for designing, building, and verifying web applications and APIs.
- compliance
OWASP Dependency-Check
An open-source software composition analysis tool from OWASP that scans project dependencies and reports known vulnerabilities by matching CPEs to CVE data.
- appsec
CI/CD Security
The set of controls protecting continuous integration and continuous delivery pipelines from compromise, code injection, secret leakage, and unauthorized deployments.