OWASP ZAP 2.4: Open Source web security scanner

OWASP Zed Attack Proxy (ZAP) 2.4 (June 2015): intercepting HTTP proxy, spider/crawler, active and passive scanner, fuzzing, automation via REST API. The OWASP Flagship project for application security testing.


A proxy for application pentest

OWASP Zed Attack Proxy (ZAP) — launched in 2010 by Simon Bennetts as a fork of the long-established Paros Proxy — is OWASP’s flagship tool for web application penetration testing. It is released under the Apache 2.0 licence. As of 2015, version 2.4 consolidates ZAP as the main Open Source alternative to Burp Suite (commercial, from PortSwigger).

Architecture

ZAP is an intercepting HTTP/HTTPS proxy written in Java. Configured as the browser’s proxy, it sees all traffic between browser and application, which enables:

  • Spider — automatic application crawl to discover endpoints
  • AJAX Spider — SPA crawl with headless browser
  • Passive Scanner — non-intrusive analysis of each request/response (missing security headers, information disclosure, cookies without security flags)
  • Active Scanner — payload injection to test XSS, SQLi, path traversal, command injection, CSRF, SSRF, etc.
  • Fuzzer — parameter variation to discover anomalous behaviour
  • Intruder equivalent — automated attack with custom payloads

Automation

ZAP exposes a complete REST API enabling CI/CD pipeline integration:

  • zap-baseline.py — non-intrusive URL scan (ideal in CI)
  • zap-full-scan.py — full active scan
  • Official Docker images: owasp/zap2docker-stable
  • GitHub Actions, Jenkins plugin, GitLab integration

This pattern makes ZAP usable for DevSecOps — every merge/release can be automatically tested.
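As an added example of the CI gating pattern described above (not ZAP’s own zap-baseline.py): a small Python gate that builds the ZAP 2.4 REST API URL for the core/view/alerts view and fails the build when any alert reaches a chosen risk level. The host, target URL and the sample alert payload are constructed for illustration.

```python
"""CI gate on ZAP alerts (hypothetical example, not ZAP's zap-baseline.py)."""
import json
from urllib.parse import urlencode
from urllib.request import urlopen

# Risk levels exactly as ZAP reports them in each alert's "risk" field.
RISK_ORDER = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}


def alerts_url(zap_host, target, api_key=None, count=500):
    """Build the JSON alerts view URL: /JSON/core/view/alerts/?baseurl=...&start=0&count=..."""
    params = {"baseurl": target, "start": 0, "count": count}
    if api_key:
        params["apikey"] = api_key  # ZAP 2.4 requires an API key for API calls by default
    return f"http://{zap_host}/JSON/core/view/alerts/?{urlencode(params)}"


def summarise(alerts_json):
    """Group alerts by (risk, name) so one issue seen on many URLs is reported once."""
    by_name = {}
    for a in json.loads(alerts_json)["alerts"]:
        by_name.setdefault((a["risk"], a["alert"]), set()).add(a["url"])
    return by_name


def should_fail(alerts_json, fail_at="Medium"):
    """Return (fail, findings); fail is True if any alert is at or above fail_at."""
    threshold = RISK_ORDER[fail_at]
    findings = summarise(alerts_json)
    return any(RISK_ORDER[risk] >= threshold for (risk, _) in findings), findings


def fetch_alerts(zap_host, target, api_key=None):
    """Live call against a running ZAP; separate so the gate logic is testable offline."""
    with urlopen(alerts_url(zap_host, target, api_key)) as resp:
        return resp.read().decode()


# Constructed sample in the shape core/view/alerts returns (not real scan output).
SAMPLE_ALERTS = json.dumps({"alerts": [
    {"alert": "X-Frame-Options Header Not Set", "risk": "Medium",
     "url": "http://app.example/login", "param": "", "evidence": ""},
    {"alert": "X-Frame-Options Header Not Set", "risk": "Medium",
     "url": "http://app.example/account", "param": "", "evidence": ""},
    {"alert": "Cookie No HttpOnly Flag", "risk": "Low",
     "url": "http://app.example/login", "param": "session", "evidence": "Set-Cookie: session"},
]})

if __name__ == "__main__":
    fail, findings = should_fail(SAMPLE_ALERTS, fail_at="Medium")
    for (risk, name), urls in sorted(findings.items(), key=lambda kv: -RISK_ORDER[kv[0][0]]):
        print(f"[{risk}] {name} ({len(urls)} URL(s))")
    raise SystemExit(1 if fail else 0)  # non-zero exit fails the pipeline stage
```

Swap SAMPLE_ALERTS for fetch_alerts("localhost:8090", "http://app.example", api_key) to run it against a live ZAP daemon.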

Scripts and add-ons

The ZAP Marketplace distributes community and official add-ons:

  • Rule packs for standards (OWASP Top 10, PCI-DSS)
  • Integration with Sonar, Jira, TeamCity
  • Scripts in ECMAScript, Zest, Groovy, Python (Jython), Ruby (JRuby) for custom automation

OWASP governance

The project is part of the OWASP Foundation, a non-profit. Development is community-driven, with contributors worldwide and Simon Bennetts as project lead.

Use in the SDLC

ZAP covers several Software Development Life Cycle phases:

  • Development — proxy during local debug
  • CI/CD — automatic scans on every build
  • Pre-production — in-depth scans before go-live
  • Pentest — manual use by security engineer
  • Bug bounty — tool for independent researchers

In the Italian context

As of 2015 ZAP is adopted in Italy mainly by:

  • Software houses integrating security testing in CI/CD
  • Public administration (PA) in public portal audit programmes
  • National and corporate CERTs — exposed vulnerability verification

Commercial alternative Burp Suite remains preferred for professional “deep-dive” pentests; ZAP dominates for automation and entry-level scenarios.


References: OWASP ZAP 2.4 (June 2015). Simon Bennetts as lead since 2010. Apache 2.0 licence. Paros Proxy fork. OWASP Foundation. Official Docker images, GitHub Actions, Jenkins plugin.
