OWASP ZAP Core Operations

Essential operations and features of OWASP ZAP for web application security testing

OWASP Zed Attack Proxy (ZAP) is a powerful open-source web application security testing tool that functions as an intercepting proxy. This guide covers the core operations and essential features of OWASP ZAP for effective security testing.

Overview of Core Operations

OWASP ZAP provides several key operational modes and features:

  1. Proxying: Intercepting and modifying HTTP/HTTPS traffic between browser and web application
  2. Automated Scanning: Discovering vulnerabilities through automated active and passive scanning
  3. Spider/Crawler: Discovering the attack surface of web applications
  4. Manual Testing: Tools for manual security testing and exploration
  5. Reporting: Generating comprehensive security reports

User Interface Overview

The ZAP interface is divided into several key sections:

Main Components

  • Menu Bar: Access to all ZAP features and configurations
  • Toolbar: Quick access to commonly used functions
  • Tree Panel: Hierarchical view of sites being tested
  • Workspace Panel: Displays details of selected items
  • Information Panel: Shows details about requests, responses, and discovered issues
  • Footer: Status information and quick filters

(Screenshot: ZAP Main Interface)

Setting Up the Proxy

The proxy is ZAP's core feature, allowing you to intercept and analyze HTTP/HTTPS traffic.

Step 1: Configure Proxy Settings

  1. Go to Tools > Options > Network > Local Servers/Proxies
  2. Verify the address (default: 127.0.0.1) and port (default: 8080)
  3. Click OK to save changes
Step 2: Configure Browser

There are multiple ways to configure your browser to use ZAP as a proxy:

Manual Configuration:

  1. Open your browser's network settings
  2. Set HTTP/HTTPS proxy to 127.0.0.1:8080

Using ZAP's Browser Launch Feature:

  1. Go to Tools > Launch Browser
  2. Select your preferred browser
  3. ZAP will launch the browser with the correct proxy settings

Using ZAP's Quick Start Tab:

  1. Go to the Quick Start tab
  2. Enter the URL to attack
  3. Click Launch Browser
Step 3: Install SSL Certificate

To intercept HTTPS traffic without browser warnings:

  1. Go to Tools > Options > Network > Server Certificates
  2. Click Generate if you haven't created a certificate
  3. Click Save to export the certificate
  4. Import the certificate into your browser or operating system

Alternative Method:

  1. Navigate to http://zap/ in your proxied browser
  2. Click on Download ZAP Root CA Certificate
  3. Follow browser-specific instructions to install the certificate

Note:

For mobile devices or other systems, you may need to configure a proxy and install the ZAP certificate manually. See the Mobile Testing guide for details.

Exploring Web Applications

Using the Spider

The Spider automatically discovers content and functionality in web applications:

Spider → Discovers URLs → Builds site map → Identifies entry points

Traditional Spider

The traditional spider crawls web applications by parsing HTML and following links.

To use the traditional spider:

  1. Right-click on a target in the Sites tree
  2. Select Attack > Spider
  3. Configure options:
    • Max depth: How deep to crawl (default: 5)
    • Thread count: Number of concurrent threads (default: 2)
    • Context: Select a context if defined
    • User: Select a user if authentication is required
  4. Click Start Scan

View results:

  • Go to the Spider tab to see discovered URLs
  • The Sites tree will be updated with new content

Common options:

  • Scope: Limit crawling to in-scope targets
  • Parse robots.txt: Discover URLs from robots.txt
  • Parse sitemap.xml: Discover URLs from sitemap.xml
  • Process forms: Submit forms with default values

Manual Exploration

Manual exploration allows you to browse the application while ZAP records traffic:

  1. Configure your browser to use ZAP as a proxy
  2. Browse the application normally
  3. All traffic will appear in the History tab
  4. The Sites tree will be populated with discovered resources

Note:

Manual exploration is essential for understanding application flow and discovering functionality that automated tools might miss.

Passive Scanning

Passive scanning analyzes HTTP messages without sending additional requests:

HTTP Traffic → Passive Scanner → Analyzes content → Reports issues

How Passive Scanning Works

  1. ZAP automatically analyzes all traffic passing through the proxy
  2. It applies passive scan rules to identify potential issues
  3. Discovered issues appear in the Alerts tab
  4. No additional requests are sent to the target

Configuring Passive Scan Rules

  1. Go to Tools > Options > Passive Scanner
  2. Enable or disable specific rules
  3. Adjust the scan strength and threshold for each rule
  4. Configure scan only in scope if desired

Common Passive Scan Findings

  • Information disclosure
  • Insecure headers
  • Cookie issues
  • Content security policy problems
  • Sensitive data in HTML/JavaScript
  • Outdated libraries
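To make the passive-scan idea concrete, here is an added example (not ZAP's own code or rules) of a miniature passive scanner: it only reads recorded responses and never sends a request, and it covers the first four finding categories above (information disclosure, insecure headers, cookie flags, missing CSP). Rule names and alert text are this example's simplifications, not ZAP's rule ids or wording; the two sample responses are constructed.

```python
"""Added example, not ZAP's own code: a miniature passive scanner that only
inspects recorded responses and never sends requests. Rule names and alert
text are this example's simplifications, not ZAP's rule ids or wording.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Response:
    url: str
    status: int
    headers: dict                  # header name -> value
    body: str
    set_cookies: list = field(default_factory=list)   # raw Set-Cookie values


def header(resp, name):
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for k, v in resp.headers.items():
        if k.lower() == name.lower():
            return v
    return None


def check_security_headers(resp):
    """Insecure-headers / CSP rules: flag missing protective headers."""
    findings = []
    if resp.url.startswith("https://") and header(resp, "Strict-Transport-Security") is None:
        findings.append(("Low", "Missing Strict-Transport-Security header"))
    if header(resp, "X-Content-Type-Options") is None:
        findings.append(("Low", "Missing X-Content-Type-Options: nosniff"))
    ctype = header(resp, "Content-Type") or ""
    if ctype.startswith("text/html") and header(resp, "Content-Security-Policy") is None:
        findings.append(("Medium", "HTML response without Content-Security-Policy"))
    return findings


def check_cookies(resp):
    """Cookie rules: every Set-Cookie should carry HttpOnly, Secure (on HTTPS) and SameSite."""
    findings = []
    for cookie in resp.set_cookies:
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().split("=", 1)[0].lower() for a in cookie.split(";")[1:]}
        if "httponly" not in attrs:
            findings.append(("Low", f"Cookie {name} set without HttpOnly"))
        if resp.url.startswith("https://") and "secure" not in attrs:
            findings.append(("Low", f"Cookie {name} set without Secure"))
        if "samesite" not in attrs:
            findings.append(("Low", f"Cookie {name} set without SameSite"))
    return findings


VERSION_RE = re.compile(r"/\d+(\.\d+)+")          # e.g. "Apache/2.4.41"
COMMENT_RE = re.compile(r"<!--.*?(todo|password|debug).*?-->", re.I | re.S)


def check_info_disclosure(resp):
    """Information-disclosure rules: version strings in headers, telling HTML comments."""
    findings = []
    for h in ("Server", "X-Powered-By"):
        v = header(resp, h)
        if v and VERSION_RE.search(v):
            findings.append(("Low", f"{h} header discloses a version: {v}"))
    if COMMENT_RE.search(resp.body):
        findings.append(("Informational", "Suspicious HTML comment in response body"))
    return findings


def passive_scan(resp):
    """Run every rule over one recorded response; returns (risk, description) pairs."""
    return check_security_headers(resp) + check_cookies(resp) + check_info_disclosure(resp)


# Constructed sample responses (not captured from any real site).
WEAK = Response(
    url="https://shop.example/login", status=200,
    headers={"Content-Type": "text/html; charset=utf-8", "Server": "Apache/2.4.41 (Ubuntu)"},
    body="<html><!-- TODO: remove debug password hint --><body>...</body></html>",
    set_cookies=["JSESSIONID=abc123; Path=/"],
)
HARDENED = Response(
    url="https://shop.example/login", status=200,
    headers={
        "Content-Type": "text/html; charset=utf-8",
        "Server": "nginx",
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'self'",
    },
    body="<html><body>...</body></html>",
    set_cookies=["session=xyz; Path=/; HttpOnly; Secure; SameSite=Lax"],
)

if __name__ == "__main__":
    for label, resp in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, len(passive_scan(resp)), "finding(s)")
        for risk, text in passive_scan(resp):
            print(f"  [{risk}] {text}")
```

Running it reports eight findings for the weak response and none for the hardened one. The design point is the same as ZAP's: because passive rules never touch the target, they are safe to leave enabled on all proxied traffic, and their threshold is the knob that trades noise against coverage.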

Active Scanning

Active scanning sends test requests to identify vulnerabilities:

Target → Active Scanner → Sends test requests → Analyzes responses → Reports vulnerabilities
Step 1: Start an Active Scan

  1. Right-click on a target in the Sites tree
  2. Select Attack > Active Scan
  3. Configure scan options:
    • Policy: Select a scan policy
    • Context: Select a context if defined
    • User: Select a user if authentication is required
    • Recurse: Scan all nodes under the selected target
  4. Click Start Scan
Step 2: Monitor Scan Progress

  1. Go to the Active Scan tab
  2. View the progress of the scan
  3. See which rules are being applied
  4. Check the number of requests sent
Step 3: Review Results

  1. Go to the Alerts tab
  2. Review identified vulnerabilities
  3. Sort by risk level
  4. Examine details of each alert
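The spider and active-scan steps above are GUI actions, but the same sequence (spider, wait, active scan, wait, read the Alerts list) is what you script for repeatable testing. The following is an added example, not ZAP's own client library (the official `zap-api-python` package exists, but this uses only the standard library so the request shapes are visible). It assumes ZAP is running in daemon mode on its default 127.0.0.1:8080 listener, that `API_KEY` is replaced with the key configured in ZAP, and that `https://app.example/` is a constructed in-house target. The endpoints used are ZAP's JSON API (`spider/action/scan`, `spider/view/status`, `ascan/action/scan`, `ascan/view/status`, `core/view/alerts`); the sample alert payload is constructed to show the reply shape.

```python
"""Added example, not ZAP's own client library: drive ZAP's spider and active
scan through its JSON REST API using only the standard library.
Assumptions: ZAP runs in daemon mode on 127.0.0.1:8080 (its default), the API
key below is a placeholder, and the target is a constructed in-house host.
"""
import json
import time
import urllib.parse
import urllib.request

ZAP_BASE = "http://127.0.0.1:8080"   # assumption: default ZAP listener
API_KEY = "REPLACE_WITH_ZAP_API_KEY"  # placeholder; the real key is set in ZAP's API options


def api_url(component, kind, name, params=None, base=ZAP_BASE, apikey=API_KEY):
    """Build http://host/JSON/<component>/<view|action>/<name>/?apikey=...&<params>.
    None-valued params are dropped so optional ZAP parameters can be left unset."""
    query = {"apikey": apikey}
    query.update({k: v for k, v in (params or {}).items() if v is not None})
    return f"{base}/JSON/{component}/{kind}/{name}/?{urllib.parse.urlencode(query)}"


def call(component, kind, name, **params):
    """Send the request and decode ZAP's JSON reply (needs a running ZAP)."""
    with urllib.request.urlopen(api_url(component, kind, name, params), timeout=30) as r:
        return json.load(r)


def wait_for(component, scan_id, poll_seconds=2.0):
    """Poll <component>/view/status (spider or ascan) until ZAP reports 100%."""
    while int(call(component, "view", "status", scanId=scan_id)["status"]) < 100:
        time.sleep(poll_seconds)


def summarize_alerts(payload):
    """Group a core/view/alerts reply by risk, highest first, one entry per alert name."""
    grouped = {risk: set() for risk in ("High", "Medium", "Low", "Informational")}
    for alert in payload.get("alerts", []):
        grouped.setdefault(alert.get("risk", "Informational"), set()).add(alert.get("alert", "?"))
    return {risk: sorted(names) for risk, names in grouped.items() if names}


def spider_then_scan(target, context_name=None, policy_name=None):
    """Spider the target, active-scan it, then return the alert summary (needs a running ZAP)."""
    spider_id = call("spider", "action", "scan", url=target, contextName=context_name)["scan"]
    wait_for("spider", spider_id)
    ascan_id = call("ascan", "action", "scan", url=target, recurse="true",
                    scanPolicyName=policy_name)["scan"]
    wait_for("ascan", ascan_id)
    return summarize_alerts(call("core", "view", "alerts", baseurl=target, start=0, count=5000))


# Constructed sample of what core/view/alerts returns (shape only; not real scan output).
SAMPLE_ALERTS = {"alerts": [
    {"alert": "SQL Injection", "risk": "High", "url": "https://app.example/item?id=1"},
    {"alert": "SQL Injection", "risk": "High", "url": "https://app.example/item?id=2"},
    {"alert": "Content Security Policy (CSP) Header Not Set", "risk": "Medium",
     "url": "https://app.example/"},
    {"alert": "X-Content-Type-Options Header Missing", "risk": "Low",
     "url": "https://app.example/"},
]}

if __name__ == "__main__":
    print(api_url("spider", "action", "scan", {"url": "https://app.example/"}))
    print(summarize_alerts(SAMPLE_ALERTS))
    # With ZAP running: print(spider_then_scan("https://app.example/", policy_name=None))
```

Start ZAP headless with `zap.sh -daemon -port 8080 -config api.key=<your key>` before calling `spider_then_scan`. Passing a `context_name` and `policy_name` is how the Context and Policy choices from the scan dialog are expressed on the API; active scanning still sends test requests, so run it only against targets covered by your scope and authorisation.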

Scan Policies

Scan policies determine which active scan rules are used:

Default Policy

The default policy includes a balanced set of scan rules suitable for most applications.

Categories included:

  • Injection flaws (SQL, NoSQL, Command, etc.)
  • Cross-site scripting (XSS)
  • Path traversal
  • Server-side request forgery (SSRF)
  • XML external entity (XXE)
  • And many more

Context and Scope

Contexts and scopes help focus your testing on specific targets:

Setting Up a Context

  1. Right-click on a site in the Sites tree
  2. Select Include in Context > New Context
  3. Name your context
  4. Configure context properties:
    • Include/Exclude URLs: Define the boundaries
    • Authentication: Set up authentication methods
    • Session Management: Configure session handling
    • Users: Define users for authenticated testing
    • Technology: Specify technologies used by the application
    • Authorization: Define authorization rules

Defining Scope

  1. Right-click on a site or URL in the Sites tree
  2. Select Add to Scope
  3. Alternatively, go to Tools > Options > Scope
  4. Add include/exclude regex patterns

Note:

Setting the scope is crucial for focused testing. Many ZAP features can be configured to work only on in-scope items.
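As an added example (not ZAP's own code) of what the include/exclude regex patterns do, the block below classifies URLs against a constructed scope for an in-house app. The matching rule mirrors ZAP's context rules: a pattern has to match the entire URL, and a URL that matches any exclude pattern is out of scope even when an include pattern matches. It also shows the two mistakes that most often make a scope silently too narrow or too wide.

```python
"""Added example, not ZAP's own code: how include/exclude scope regexes decide
whether a URL is in scope. The patterns and URLs are constructed. The matching
rule mirrors ZAP's context rules: a regex must match the entire URL, and a
URL matching any exclude pattern is out of scope even if an include matches.
"""
import re

# Constructed scope for an in-house app: everything under the host, except the
# logout endpoint (crawling it would end the test session) and the admin area.
INCLUDE = [r"https://app\.example(/.*)?"]
EXCLUDE = [r"https://app\.example/logout.*", r"https://app\.example/admin/.*"]


def in_scope(url, include=INCLUDE, exclude=EXCLUDE):
    """True when some include regex matches the whole URL and no exclude regex does."""
    included = any(re.fullmatch(p, url) for p in include)
    excluded = any(re.fullmatch(p, url) for p in exclude)
    return included and not excluded


def explain(url, include=INCLUDE, exclude=EXCLUDE):
    """Which patterns matched, for debugging a scope that behaves unexpectedly."""
    return {
        "include_hits": [p for p in include if re.fullmatch(p, url)],
        "exclude_hits": [p for p in exclude if re.fullmatch(p, url)],
        "in_scope": in_scope(url, include, exclude),
    }


def scope_pitfalls():
    """Two mistakes that are easy to make when writing scope patterns."""
    # 1. A bare hostname is not a full-URL match, so nothing ends up in scope.
    too_narrow = in_scope("https://app.example/cart", include=["app.example"], exclude=[])
    # 2. An unescaped dot plus a trailing .* also matches other hosts that merely
    #    start with the same text, silently widening the test to them.
    too_broad = in_scope("https://app.example.internal/",
                         include=[r"https://app.example.*"], exclude=[])
    return {"too_narrow_matches": too_narrow, "too_broad_matches": too_broad}


if __name__ == "__main__":
    for u in ("https://app.example/", "https://app.example/cart",
              "https://app.example/logout?next=/", "https://app.example/admin/users",
              "https://other.example/"):
        print(u, "->", explain(u))
    print(scope_pitfalls())
```

Before a scan, run the URLs you expect to be in and out of scope through `explain` and fix the patterns rather than the results; the exclude for `/logout` is the usual safeguard that stops the spider or active scanner from terminating the session it is testing with.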

Authentication

ZAP supports various authentication methods for testing secure areas:

Form-Based Authentication

Configure form-based authentication:

  1. Go to the context properties
  2. Select Authentication
  3. Choose Form-based Authentication
  4. Configure:
    • Login URL: The URL of the login page
    • Login Request POST Data: The form parameters
    • Username Parameter: Parameter name for username
    • Password Parameter: Parameter name for password
    • Logged In/Out Indicators: Regex patterns to detect login state

Example configuration:

  • Login URL: https://example.com/login
  • POST Data: username={%username%}&password={%password%}
  • Logged In Indicator: Logout|Welcome
  • Logged Out Indicator: Login|Sign in
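The logged-in and logged-out indicators are regexes matched against the response, and loose ones such as `Logout|Welcome` are a common source of scans that silently run unauthenticated. The following added example (not ZAP's own code) shows how a response is classified and gives a check you can run over a few saved pages before trusting an indicator pair in a scan. The HTML snippets are constructed; the loose patterns are the ones from the configuration example above, and the tighter ones are suggestions. The order used here (logged-in indicator first, then logged-out, "unknown" when neither matches) is this example's assumption, not a statement of ZAP's internals.

```python
"""Added example, not ZAP's own code: how logged-in / logged-out indicator
regexes classify a response, plus a check that runs an indicator pair against
sample pages before it is trusted in a scan. HTML snippets are constructed.
Assumption about order: the logged-in indicator is tested first, then the
logged-out one; a response matching neither is reported as "unknown" here.
"""
import re

# The loose pair from the configuration example above.
LOOSE_IN = r"Logout|Welcome"
LOOSE_OUT = r"Login|Sign in"
# Tighter indicators tied to markup that only one state renders (suggested, constructed).
TIGHT_IN = re.escape('href="/logout"')
TIGHT_OUT = re.escape('action="/login"')


def login_state(response_text, logged_in_re, logged_out_re):
    """Return "in", "out" or "unknown" for one response (headers + body as text)."""
    if re.search(logged_in_re, response_text):
        return "in"
    if re.search(logged_out_re, response_text):
        return "out"
    return "unknown"


# Constructed sample responses, each labelled with its true state.
SAMPLES = {
    "dashboard": ("in", '<nav><a href="/logout">Logout</a></nav><p>Welcome back, alice</p>'),
    "home_logged_out": ("out", '<h1>Welcome to Example Shop</h1>'
                               '<form action="/login" method="post"><button>Sign in</button></form>'),
    "server_error": ("unknown", "<h1>500 Internal Server Error</h1>"),
}


def verify_indicators(samples, logged_in_re, logged_out_re):
    """Return (name, expected, got) for every sample the indicator pair misclassifies."""
    mismatches = []
    for name, (truth, text) in samples.items():
        got = login_state(text, logged_in_re, logged_out_re)
        if got != truth:
            mismatches.append((name, truth, got))
    return mismatches


if __name__ == "__main__":
    print("loose:", verify_indicators(SAMPLES, LOOSE_IN, LOOSE_OUT))
    print("tight:", verify_indicators(SAMPLES, TIGHT_IN, TIGHT_OUT))
```

With the loose pair, the logged-out home page is reported as logged in because its marketing copy contains "Welcome", so ZAP would never re-authenticate; the tight pair, anchored on markup only one state renders, classifies all three samples correctly. Save two or three real responses from the History tab and run them through `verify_indicators` whenever you change the indicators.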

Setting Up Users

  1. Go to the context properties
  2. Select Users
  3. Click Add to create a new user
  4. Configure:
    • Name: User identifier
    • Username: Authentication username
    • Password: Authentication password
  5. Enable the user for testing

Session Management

ZAP offers various session management methods:

  1. Cookie-Based: Default method, tracks cookies automatically
  2. HTTP Authentication: Maintains HTTP authentication
  3. Script-Based: Custom session handling via scripts

To configure:

  1. Go to the context properties
  2. Select Session Management
  3. Choose the appropriate method
  4. Configure method-specific settings

Next Steps

Now that you understand the core operations of OWASP ZAP, explore these topics: