
OWASP ZAP

The free, OWASP-stewarded alternative to Burp.


// what it is

Description

Originally 'Zed Attack Proxy', now under the Software Security Project. A Java-based intercepting proxy, scanner and fuzzer with a strong CI integration story (zap-baseline.py, zap-full-scan.py) and an excellent automation API.

// use cases

What people use it for

  • Automated baseline scans in CI/CD
  • Free intercepting proxy for learning
  • OWASP CRS pre-flight checks against staging

// commands

The commands you'll type

Baseline scan in CI

$ docker run -t owasp/zap2docker-stable zap-baseline.py -t https://target.tld

Note: by default every alert is reported as a WARN and the script exits with 2 on warnings and 1 on a FAIL; pass a rules config file with -c to promote specific rules to FAIL so the pipeline breaks on them.

// facts

category: Web AppSec
platforms: LIN · WIN · MAC
license: FOSS
difficulty: Beginner
