$devvkit learn --librarie owasp-zap-guide
OWASP ZAP Guide
[security][web][scanner][pentest]
Security & Cryptography
Install
# Download from zaproxy.org/download/ # macOS: brew install --cask zap # Docker: docker pull ghcr.io/zaproxy/zaproxy # Linux/WSL: download and run zap.sh
ZAP (Zed Attack Proxy) sits between your browser and the target web app, intercepting traffic to identify vulnerabilities: XSS, SQL injection, CSRF, insecure headers, missing CORS, and more. It works as both an intercepting proxy and an automated scanner.
The Quick Start tab has an "Automated Scan" — enter a URL and ZAP spiders the site, passively scans every request/response, and actively attacks discovered endpoints. Use the HUD (Heads-Up Display) overlay for in-browser control.
ZAP runs headless in CI via `zap.sh -cmd -quickurl https://example.com -quickout report.html`. The Docker image is ideal for CI pipelines. OpenAPI and GraphQL support auto-imports API definitions. GUI: ZAP Desktop UI, Burp Suite Community (alternative).
Automated Scan
Quick automated scan— Spider + passive + active scan.
# CLI: zap.sh -cmd -quickurl https://example.com -quickout report.html # Or in Docker: docker run -v $(pwd):/zap/wrk:rw -t ghcr.io/zaproxy/zaproxy \ zap.sh -cmd -quickurl https://example.com \ -quickout /zap/wrk/report.html # JSON report: -quickout /zap/wrk/report.json
Passive scan rules— Check security headers.
# Disable specific rules (noisy ones): -config rules.cookie.set.alert=false -config rules.csrf.alert=false # Enable all passive scan rules (in zap.conf): # See: /zap/configs/scripts/ for custom scripts # Check for missing headers automatically: # ZAP flags: missing X-Frame-Options, X-Content-Type-Options, CSP, HSTS
Export results— Multiple report formats.
# HTML report: -quickout /zap/wrk/report.html # JSON (for further processing): -quickout /zap/wrk/report.json # SARIF (GitHub Code Scanning): zap.sh -cmd -quickurl https://example.com \ -quickout /zap/wrk/report.sarif.json
HUD Mode
HUD (Heads-Up Display)— In-browser attack UI.
# Enable HUD in ZAP Desktop: # Tools → HUD → Enable HUD # Or pass to CLI: zap.sh -hud # HUD overlays your browser with: # - Alert count badges # - Break/Continue buttons (intercept requests) # - Quick attack buttons (XSS, SQLi, etc.) # - History explorer # Tutorial at: https://github.com/zaproxy/zap-hud
API Scan
Docker with API scan— Scan with OpenAPI spec.
docker run -v $(pwd):/zap/wrk:rw -t ghcr.io/zaproxy/zaproxy \ zap-api-scan.py -t https://example.com/openapi.json \ -f openapi -r /zap/wrk/api-report.html # GraphQL: zap-graphql-scan.py -t https://example.com/graphql \ -r report.html # With authentication: -C "Bearer token123"
CI / Docker
CI integration— GitHub Actions / Jenkins.
# GitHub Actions (zap-full-scan.yml): # uses: zaproxy/action-full-scan@v0 # with: # target: "https://staging.example.com" # rules_file_name: ".zap/rules.tsv" # Fail on high/critical alerts: docker run -v $(pwd):/zap/wrk:rw \ -e ZAP_JVM_OPTS="-Dzap.failOnAlert=High" \ ghcr.io/zaproxy/zaproxy zap-full-scan.py \ -t https://example.com -r /zap/wrk/report.html -I # Disable active scan (passive only, faster)
Alert filtering— Ignore false positives.
# .zap/rules.tsv (tab-separated) # RuleId NewLevel NewConfidence Description 10055 IGNORE IGNORE # CORS header: ignore 10038 FALSE MEDIUM # CSP: mark as false positive # Apply: -config "rulesfile=/zap/wrk/.zap/rules.tsv"
Manual Testing
Context + auth— Scan authenticated pages.
# Desktop workflow: # 1. Right-click site → "Include in Context" # 2. Configure authentication (form-based, cookie, OAuth) # 3. Set logged-in/out indicators # 4. Run spider + active scan within context # CLI with env vars: export ZAP_AUTH_HEADER="Value" -config view.authentication.header.header_name=X-API-Key -config view.authentication.header.header_value=secret