OWASP ZAP
By OWASP
OWASP ZAP (Zed Attack Proxy) is a free, open-source dynamic application security testing (DAST) tool maintained by the OWASP Foundation, used to find security vulnerabilities in web applications during development and testing.
Definition
OWASP ZAP (Zed Attack Proxy) is a free, open-source dynamic application security testing (DAST) tool maintained by the OWASP Foundation, used to find security vulnerabilities in web applications during development and testing.
Overview
OWASP ZAP operates as an intercepting proxy that sits between a browser (or automated test suite) and a target web application, allowing testers to inspect, modify, and replay HTTP/HTTPS requests. Its automated scanner crawls an application and probes it for common vulnerabilities such as SQL Injection and Cross-Site Scripting (XSS), which are consistently featured in the OWASP Top 10. Beyond automated scanning, ZAP provides manual testing tools including a request/response history, fuzzer, and scripting console for testers who want to probe specific application logic by hand — making it useful for both beginners learning web security and experienced testers performing deep manual assessments. Because it is free, open-source, and maintained by the same OWASP organization behind the OWASP Top 10, ZAP is widely adopted in CI/CD pipelines for automated security testing as well as in classroom settings, and it is a commonly used tool in courses like Web App Security OWASP and Veracode/Checkmarx-style application security workflows.
Key Features
- Intercepting proxy for inspecting and modifying HTTP/HTTPS traffic
- Automated active and passive scanning for common web vulnerabilities
- Manual testing tools including fuzzer, spider, and scripting console
- Free and open-source, maintained by the OWASP Foundation
- CI/CD integration for automated security testing in pipelines
- Extensible via a marketplace of community-built add-ons
- Beginner-friendly interface alongside advanced manual testing features