OWASP ZAP 2.4: open source web security scanner

OWASP Zed Attack Proxy (ZAP) 2.4 (September 2015): intercepting HTTP proxy, spider/crawler, active and passive scanner, fuzzing, automation via REST API. The OWASP Flagship project for application security testing.

Tags: Cyber Security, Open Source, OWASP, ZAP, Web Security, Penetration Testing

A proxy for application pentest

OWASP Zed Attack Proxy (ZAP) — launched in 2010 by Simon Bennetts as a fork of the ancient Paros Proxy — is OWASP’s flagship tool for web application penetration testing, released under the Apache 2.0 licence. As of 2015, version 2.4 consolidates ZAP’s position as the main open source alternative to Burp Suite (commercial, by PortSwigger).

Architecture

ZAP is an intercepting HTTP/HTTPS proxy written in Java. Configured as the browser’s proxy, it sees all traffic between browser and application, which enables:

  • Spider — automatic application crawl to discover endpoints
  • AJAX Spider — SPA crawl with headless browser
  • Passive Scanner — non-intrusive analysis of every request/response (missing security headers, information disclosure, cookies without security flags)
  • Active Scanner — payload injection to test XSS, SQLi, path traversal, command injection, CSRF, SSRF, etc.
  • Fuzzer — parameter variation to discover anomalous behaviour
  • Intruder equivalent — automated attack with custom payloads
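As an added illustration of what a passive scanner does per response (example code written for this article, not one of ZAP’s own rules), the following Python function examines a single captured HTTP response for the three issue classes listed above: missing security headers, version information leaking through headers, and cookies set without the Secure or HttpOnly attributes. The response it inspects is a constructed sample, and the set of "expected" headers is an illustrative subset chosen here, not ZAP’s full rule list.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample response, as a passive rule would see it once the
# proxy has captured it. Not real server output.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.7 (Ubuntu)\r\n"
    "X-Powered-By: PHP/5.5.9\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: JSESSIONID=abc123; Path=/\r\n"
    "Set-Cookie: theme=dark; Path=/; Secure; HttpOnly\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)

# Headers whose absence is flagged (illustrative subset, chosen for this example).
EXPECTED_HEADERS = {
    "X-Frame-Options": "clickjacking protection missing",
    "X-Content-Type-Options": "MIME sniffing not disabled",
    "Content-Security-Policy": "no CSP set",
    "Strict-Transport-Security": "HSTS not set",
}

# Headers that commonly disclose software versions.
DISCLOSURE_HEADERS = ("Server", "X-Powered-By")


def parse_response(raw: str) -> Tuple[str, List[Tuple[str, str]], str]:
    """Split a raw HTTP response into (status line, header pairs, body).
    Headers are kept as an ordered list so repeated Set-Cookie lines survive."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def passive_check(raw: str) -> List[Dict[str, str]]:
    """Return a list of findings, each a dict with 'rule' and 'detail' keys."""
    _, headers, _ = parse_response(raw)
    present = {name.lower() for name, _ in headers}
    findings: List[Dict[str, str]] = []

    # 1. Missing security headers (case-insensitive name match).
    for name, why in EXPECTED_HEADERS.items():
        if name.lower() not in present:
            findings.append({"rule": "missing-header", "detail": f"{name}: {why}"})

    # 2. Information disclosure: a dotted version number in Server / X-Powered-By.
    for name, value in headers:
        if name in DISCLOSURE_HEADERS and re.search(r"\d+\.\d+", value):
            findings.append({"rule": "version-disclosure", "detail": f"{name}: {value}"})

    # 3. Cookies missing the Secure or HttpOnly attribute.
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        cookie_name = value.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in value.split(";")[1:]}
        if "secure" not in attrs:
            findings.append({"rule": "cookie-no-secure", "detail": cookie_name})
        if "httponly" not in attrs:
            findings.append({"rule": "cookie-no-httponly", "detail": cookie_name})
    return findings


if __name__ == "__main__":
    for finding in passive_check(SAMPLE_RESPONSE):
        print(f"[{finding['rule']}] {finding['detail']}")
```

Nothing here sends a request: a passive rule only reads what already passed through the proxy, which is exactly why this class of check is safe to run continuously against production traffic.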

Automation

ZAP exposes a complete REST API enabling CI/CD pipeline integration:

  • zap-baseline.py — non-intrusive URL scan (ideal in CI)
  • zap-full-scan.py — full active scan
  • Official Docker images (owasp/zap2docker-stable)
  • GitHub Actions, Jenkins plugin, GitLab integration

This pattern makes ZAP usable for DevSecOps — every merge/release can be automatically tested.
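An added example (not part of the ZAP project or its packaged scripts) of the other half of that pipeline: after zap-baseline.py or zap-full-scan.py has written a report, something must turn it into a pass/fail decision for the build. The function below reads a ZAP JSON report and fails the build when any alert at or above a chosen risk level is present. The report layout assumed here (a `site` array whose entries carry an `alerts` list, each alert with a `riskcode` string from "0" to "3") follows ZAP’s JSON report format; the sample report embedded in the script is constructed, and its plugin IDs and alert names are illustrative.

```python
import json
import sys
from collections import Counter
from typing import Dict, Tuple

# Risk codes as ZAP's JSON report encodes them (strings "0".."3").
RISK_NAMES = {"0": "Informational", "1": "Low", "2": "Medium", "3": "High"}
RISK_CODES = {name: int(code) for code, name in RISK_NAMES.items()}

# Constructed sample report in the assumed shape; not real scan output.
SAMPLE_REPORT = json.dumps({
    "@programName": "OWASP ZAP",
    "site": [{
        "@name": "http://example.test",
        "alerts": [
            {"pluginid": "10021", "alert": "X-Content-Type-Options Header Missing",
             "riskcode": "1", "confidence": "2", "count": "7"},
            {"pluginid": "10038", "alert": "Content Security Policy (CSP) Header Not Set",
             "riskcode": "2", "confidence": "3", "count": "7"},
            {"pluginid": "40012", "alert": "Cross Site Scripting (Reflected)",
             "riskcode": "3", "confidence": "2", "count": "1"},
        ],
    }],
})


def iter_alerts(report_json: str):
    """Yield every alert dict across all sites in the report."""
    report = json.loads(report_json)
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            yield alert


def summarize(report_json: str) -> Dict[str, int]:
    """Count alerts per risk name (unknown codes count as Informational)."""
    counts: Counter = Counter()
    for alert in iter_alerts(report_json):
        counts[RISK_NAMES.get(str(alert.get("riskcode", "0")), "Informational")] += 1
    return dict(counts)


def gate(report_json: str, fail_on: str = "High") -> Tuple[bool, Dict[str, int]]:
    """Return (passed, counts); passed is False if any alert has risk >= fail_on."""
    threshold = RISK_CODES[fail_on]
    blocking = sum(
        1 for alert in iter_alerts(report_json)
        if int(alert.get("riskcode", "0")) >= threshold
    )
    return blocking == 0, summarize(report_json)


if __name__ == "__main__":
    # Usage: python zap_gate.py report.json [High|Medium|Low|Informational]
    # With no arguments the embedded sample report is evaluated.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    level = sys.argv[2] if len(sys.argv) > 2 else "High"
    passed, counts = gate(data, level)
    print("alerts by risk:", counts)
    print("build", "PASSED" if passed else "FAILED", f"(threshold: {level})")
    sys.exit(0 if passed else 1)
```

The threshold is deliberately a parameter: a baseline scan in a pull-request pipeline usually gates only on High, while a pre-production full scan can be set to fail on Medium, so the same script serves both stages.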

Scripts and add-ons

The ZAP Marketplace distributes community and official add-ons:

  • Rule packs for standards (OWASP Top 10, PCI-DSS)
  • Integration with Sonar, Jira, TeamCity
  • Scripts in ECMAScript, Zest, Groovy, Python (Jython), Ruby (JRuby) for custom automation

OWASP governance

The project is part of the non-profit OWASP Foundation. Development is community-driven, with contributors worldwide. From 2018 to 2024 Checkmarx sponsored Simon Bennetts as project lead; from 2024 the project moves into the Software Security Project (SSP).

Use in the SDLC

ZAP covers several Software Development Life Cycle phases:

  • Development — proxy during local debug
  • CI/CD — automatic scans on every build
  • Pre-production — in-depth scans before go-live
  • Pentest — manual use by security engineer
  • Bug bounty — tool for independent researchers

In the Italian context

As of 2015 ZAP is adopted in Italy mainly by:

  • Software houses integrating security testing in CI/CD
  • Public administration (PA) bodies in public-portal audit programmes
  • National and corporate CERTs — exposed vulnerability verification

The commercial alternative, Burp Suite, remains the preferred choice for professional “deep-dive” pentests; ZAP dominates in automation and entry-level scenarios.


References: OWASP ZAP 2.4 (September 2015). Simon Bennetts as lead (2010-2024). Apache 2.0 licence. Paros Proxy fork. OWASP Foundation. Official Docker images, GitHub Actions, Jenkins plugin. Software Security Project (from 2024).
