
OWASP ZAP for beginners: how to conduct a web application security audit

11.09.2025

Ekaterina Gainullina, Security Vision


Introduction


In recent years, there has been a noticeable increase in interest in roles such as application security engineer, DevSecOps engineer, and penetration tester. It is such specialists who integrate security mechanisms into the software development and operation processes, identify vulnerabilities at an early stage and help prevent potential attacks.


One of the most common tools for training and practical testing of web application security is OWASP ZAP (Zed Attack Proxy). This free and open source security scanner is widely used by both professionals and novice specialists to find vulnerabilities in web applications. Mastering OWASP ZAP is recommended not only for information security engineers, but also for developers, DevOps specialists, and testers interested in creating truly secure services. At Security Vision, we support security with this tool, as well as use our OWASP top 10 scripts to compare scan results in pentest mode.


This article discusses a practical approach to using OWASP ZAP for web application security auditing. The material is intended for students, developers, and anyone who wants to master modern secure development tools.


Installation and preparation for operation


Requirements


For OWASP ZAP to work properly, the user will need a modern computer with one of the popular operating systems: Windows, Linux, or macOS. One of the key advantages of the tool is its cross-platform functionality: developers can easily deploy ZAP in almost any work environment. At the same time, you need to make sure that Java version 11 or higher is installed on the system. On Windows and macOS, OWASP ZAP distributions most often already include a suitable Java version, which greatly simplifies the launch of the program for novice users. In the case of Linux, especially if you are using a distribution focused on manual configuration, Java may need to be installed separately.


Many tutorials and courses on web application security recommend practicing on specially created vulnerable applications such as OWASP Juice Shop. For their fast and secure installation, Docker is the most convenient today — a universal containerization environment that allows you to deploy test benches without complex dependencies and risk to the main system. The presence of Docker is especially useful when organizing training labs and workshops.


For a deeper analysis of modern web applications using active JavaScript and dynamic interfaces, you may need the so-called AJAX Spider, an additional ZAP module that requires an installed Firefox or Chrome browser to work correctly. This is due to the fact that many modern websites build their content on the fly, and only with the help of a real browser can such pages be correctly crawled and analyzed.


Installing OWASP ZAP


The OWASP ZAP installation process is simplified as much as possible for a user of any qualification. On Windows, it is enough to download the distribution package from the official website of the project and follow the standard installation steps familiar to most programs: language selection, confirmation of the license agreement and catalog selection. After the installation is complete, the program becomes available from the Start menu or via the desktop icon. For those who prefer to work from the command line, there is an alternative quick installation option using the Winget package manager, which is especially convenient when deploying ZAP on a large number of workstations.


Linux users are offered several installation methods at once. The easiest way for most distributions is to use the Snap package, which adds ZAP to the system with a single command. Fans of the classical approach can download the archive from the official website, unpack it and run the program using the zap.sh script. In addition, for Linux distributions that support Flatpak, ZAP can be installed from Flathub, which also takes only a couple of minutes.


On macOS, installation is not difficult: just download the .dmg file, “drag” the application icon into the Applications folder and run the program like any other application. For users who prefer automation, installation via Homebrew is provided — just one command in the terminal is enough for ZAP to appear in the system.


It is important to remember that if a message appears when launching ZAP stating that a suitable Java version has not been found, you will need to install it separately. It is recommended to use a modern and secure OpenJDK distribution, for example, Adoptium or Azul.


Initial launch and basic setup


Immediately after installation and the first launch, ZAP suggests deciding whether to save the current work session. For the first experiments, it is enough to select “No, I do not want to persist this session at this moment in time” so as not to be distracted by managing session files. In the future, when you need to conduct long or repetitive audits, you can enable session saving to conveniently return to previous results.


Figure 1. At the first launch, ZAP offers you to choose whether to save the work session. For test purposes, it is convenient to select 'No'.


Before starting full-fledged work, it is recommended to update all installed ZAP add-ons and modules – this ensures that the checks are up-to-date and compatible with new security standards. To do this, go to the Manage Add-ons section in the main menu and select Update All. This operation takes only a few minutes, but it allows you to be sure that the tool will search for even the most recent vulnerabilities.


Figure 2. Updating OWASP ZAP modules via 'Manage Add-ons'. Regular updates expand functionality and improve the quality of analysis.


Next, you should set up your work environment. The key feature of ZAP is working in proxy server mode. By default, the program listens for connections at the address 127.0.0.1, port 8080. In order to intercept and analyze traffic, the user's browser must be configured to use this proxy. In the browser's network settings (for example, in Chrome), specify the manual configuration: HTTP Proxy — 127.0.0.1, Port — 8080. After that, all traffic between the browser and the target application will automatically pass through ZAP, allowing you to capture and analyze any interactions.


When working with secure connections (HTTPS), you will need to add a trusted ZAP certificate to your browser settings. This is necessary to decrypt encrypted traffic and analyze it later. ZAP has a special wizard for generating such a certificate (Tools → Options → Dynamic SSL Certificates), after which it can be imported into the browser as a trusted certificate authority. For Firefox, for example, this is done through the “Privacy and Security” menu — the “Certificates” section. This procedure is standard for most audit tools and is required only once for each browser.


Checking the work and starting the audit


You can verify that the settings are correct by opening any website in your browser. If ZAP is configured correctly, the corresponding address will appear in the "Site Tree" structure, and the program will display the intercepted requests. This means that the tool is ready for full-fledged analysis. If you are using an educational application such as OWASP Juice Shop, it is enough to launch it (most often via Docker), and then enter its address in a browser running through the ZAP proxy.


This setup takes only 10-15 minutes, after which the user receives a full-fledged web application security audit tool, ready to work with both simple test benches and real projects.


Basic OWASP ZAP functions and interface


The OWASP ZAP interface is designed to be understandable to both experienced information security professionals and novice users. All the main elements are located in the central part of the program window and allow you to quickly navigate when working with the tool.


Main tabs and panels


  ·  Quick Start — the start tab that opens when ZAP starts. With its help, the user can quickly start scanning a new web application by specifying the URL of the target site and selecting the desired type of analysis. This is where an audit most often begins, especially when conducting basic checks or learning how to work with the tool.

  ·  Site Tree is the "site tree" located on the left side of the window. All detected pages, directories, and resources found during the application crawl are displayed here. Thanks to this structure, the user can easily see the architecture of the analyzed site, quickly navigate to the pages of interest and run additional checks for individual nodes.

  ·  Request/Response — a set of tabs where you can view intercepted requests and responses between the browser and the server. For security professionals, this panel is especially valuable because it allows you to analyze traffic content in detail, check query parameters, and experiment with manual changes.

  ·  Alerts is one of the most important tabs where all found vulnerabilities and problems are displayed, grouped by risk level and type. Each Alert contains a detailed description of the problem, a link to the affected page, the level of risk, and recommendations for troubleshooting.


Figure 3. OWASP ZAP interface: on the left is the site tree, in the center is the quick launch toolbar, and at the bottom are the request history and the vulnerabilities found.


Passive and active scanning


OWASP ZAP implements two main analysis modes: passive and active scanning.


Passive scanning takes place in the background during any user interaction with the site via the ZAP proxy. In this mode, the tool only monitors the passing traffic and looks for standard signs of vulnerabilities: missing important headers, disclosure of information in errors, incorrect security settings, etc. This approach is absolutely safe for the target application and does not create additional load.


Active scanning is a deeper and more aggressive mode. In this case, ZAP independently generates special requests to the site, trying to identify vulnerabilities that are not visible during normal page browsing. For example, the tool can test input fields for SQL injections, XSS, or other attacks. It is recommended to use active scanning only on test benches or with the permission of the resource owner, as it may lead to data changes or unstable operation of the application.


Figure 4. Request history in ZAP: displays all HTTP requests and responses sent during the application scan.


Spider and AJAX Spider


To automatically detect all pages and resources of a web application in ZAP, two tools are used – Spider and AJAX Spider.


  ·  Spider is a classic crawler that crawls the site using links, forming an application map. It works well with traditional websites where most of the navigation is implemented through regular HTML links.


Figure 5. The Spider tab after crawling the site.


  ·  AJAX Spider is designed for modern single-page applications (SPA) that actively use JavaScript. This module launches a real browser (Firefox or Chrome), emulates user actions, clicks on elements and analyzes dynamically loaded parts of the site. Thanks to AJAX Spider, ZAP can find vulnerabilities in complex interfaces that are not "visible" to classic Spider.


Figure 6. AJAX Spider tab for dynamic analysis of single-page applications.


Alerts and reports


All information about the problems and vulnerabilities found is displayed on the Alerts tab. Here, the user sees entries grouped by category: each line is a separate problem, with a brief description, the level of risk (from "Informational" to "Critical") and recommendations for elimination.


A report generation function is provided in ZAP for further analysis or transmission of information to the development team. Through the “Report → Generate Report” menu, you can export scan results in a convenient format (HTML, PDF, XML or Markdown). The report contains a list of all discovered vulnerabilities, details on each of them and tips on how to fix them.


Figure 7. Generating a report on scan results.


Figure 8. Example of a scan report generated by OWASP ZAP.


Analysis of scan results


After the scan of the web application is completed, all the key information about the found vulnerabilities, suspicious configurations and potential problems appears on the Alerts tab. This section of the OWASP ZAP interface is intended for system analysis of the received data and formation of recommendations for the development team or security specialists.


How the Alerts tab works


On the Alerts tab, detected issues are displayed as a grouped list. Each line represents a different type of vulnerability or warning, for example, a missing Content Security Policy (CSP) security header, a hidden file detected, an incorrect configuration of cross-domain policies, and so on. Each problem has a risk level (Critical, High, Medium, Low, or Informational) that helps you quickly identify priorities for elimination.


Figure 9. Alerts tab in ZAP with scan results — examples of vulnerabilities with different risk levels.


Reading and interpreting the results


For each detected alert, the user can expand the details:

   · Description of the problem: what exactly is wrong and how it can be used by an attacker.

   · Affected URL or resource: the specific page or file where the vulnerability was found.

   · Recommendations: practical tips to fix the problem.

   · Technical information: sample request, server response details, and search context.


This allows you not only to quickly fix the problem, but also to provide the development team with accurate information for correction.


Figure 10. An example of an alert with a detailed description, recommendation, and risk level.


Typical examples of vulnerabilities


In practice, the following problems are often encountered in the ZAP report:

   ·  Content Security Policy (CSP) Header Not Set: There is no CSP setting, which increases the risk of XSS attacks.

   ·  Hidden File Found: Hidden or backup files are found on the server (for example .bak, .git), which may contain confidential information.

   ·  Cross-Domain Misconfiguration: incorrect settings of CORS or other mechanisms that allow attackers to access application data from other domains.

   ·  Information Disclosure — Suspicious Comments: Comments have been found in the public code that may reveal details of the application's internal logic, passwords, or other sensitive data.

   ·  Timestamp Disclosure: The server discloses technical details such as UNIX timestamps, which can be used to carry out attacks or collect additional information about the system.
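To make the passive side of the process concrete, the following is an added Python example (not ZAP's own scanner code) that applies three of the checks listed above to one captured response: a missing CSP header, suspicious HTML comments and UNIX timestamps. It only reads a constructed response and sends nothing, which is exactly why passive scanning is safe for the target application; the word list and the timestamp pattern are simplified assumptions, not ZAP's real rules.

```python
import re
from typing import Dict, List, Tuple

# Added example in the spirit of ZAP's passive rules; not ZAP's code.
# Risk levels follow the scale used on the Alerts tab.
RISK_MEDIUM = "Medium"
RISK_LOW = "Low"
RISK_INFO = "Informational"

# Constructed subset of words that make a comment "suspicious".
SUSPICIOUS_WORDS = ("todo", "fixme", "password", "admin", "debug", "hack")

HTML_COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)
# 10-digit numbers roughly between 2001 and 2038 look like UNIX timestamps.
TIMESTAMP_RE = re.compile(r"(?<!\d)(1\d{9}|2[0-2]\d{8})(?!\d)")


def passive_checks(headers: Dict[str, str], body: str, url: str) -> List[Tuple[str, str, str]]:
    """Return (alert_name, risk, evidence) tuples for one captured response."""
    alerts: List[Tuple[str, str, str]] = []
    lower = {k.lower(): v for k, v in headers.items()}

    # 1. No CSP header: the browser gets no policy that would limit XSS impact.
    if "content-security-policy" not in lower:
        alerts.append(("Content Security Policy (CSP) Header Not Set", RISK_MEDIUM, url))

    # 2. Comments in the public code that may reveal internal logic or secrets.
    for comment in HTML_COMMENT_RE.findall(body):
        if any(word in comment.lower() for word in SUSPICIOUS_WORDS):
            alerts.append(("Information Disclosure - Suspicious Comments", RISK_INFO, comment.strip()))

    # 3. UNIX timestamps in the body or header values leak build/system details.
    for ts in TIMESTAMP_RE.findall(body + " " + " ".join(lower.values())):
        alerts.append(("Timestamp Disclosure", RISK_LOW, ts))

    return alerts


# Constructed sample response, the kind ZAP shows on the Request/Response tab.
SAMPLE_HEADERS = {"Content-Type": "text/html", "Server": "nginx", "X-Build-Time": "1700000000"}
SAMPLE_BODY = """<html><head>
<!-- TODO: remove default admin password before release -->
</head><body>build=1700000123</body></html>"""

if __name__ == "__main__":
    for name, risk, evidence in passive_checks(SAMPLE_HEADERS, SAMPLE_BODY, "http://localhost:3000/"):
        print(f"[{risk}] {name}: {evidence}")
```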


How to work with the results


1. Prioritization:

First of all, attention is paid to vulnerabilities with a high and critical level of risk.

2. Report transmission:

The generated report is exported and passed to the development team for prompt troubleshooting.

3. Re-scanning:

After making changes, a re-audit (regression) is performed to make sure that the fixed vulnerabilities have indeed disappeared and no new ones have appeared.
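The three steps above, carried out over alert data, as an added Python example that is not part of the article or of ZAP: it orders findings by risk, summarises them for the report hand-off, and compares a baseline scan with a re-scan to show what was fixed, what is still open and what is new. The alert field names (name, risk, url, param) and the sample data are constructed assumptions modelled on ZAP's alert list.

```python
from collections import Counter
from typing import Dict, Iterable, List, Set, Tuple

# Added example, not ZAP's own code. Alerts are plain dicts whose field
# names are an assumption modelled on ZAP's alert output.
Alert = Dict[str, str]
Key = Tuple[str, str, str]

# Highest risk first, matching the order used on the Alerts tab.
RISK_ORDER = {"High": 0, "Medium": 1, "Low": 2, "Informational": 3}


def alert_key(a: Alert) -> Key:
    """Identity of a finding across scans: same rule, same URL, same parameter."""
    return (a["name"], a["url"], a.get("param", ""))


def prioritize(alerts: Iterable[Alert]) -> List[Alert]:
    """Step 1 (prioritization): High and Medium findings come first."""
    return sorted(alerts, key=lambda a: (RISK_ORDER.get(a["risk"], 99), a["url"]))


def risk_summary(alerts: Iterable[Alert]) -> Dict[str, int]:
    """Step 2 (report transmission): headline counts per risk level for the dev team."""
    return dict(Counter(a["risk"] for a in alerts))


def regression_diff(baseline: Iterable[Alert], rescan: Iterable[Alert]) -> Dict[str, Set[Key]]:
    """Step 3 (re-scanning): 'fixed' disappeared after the change, 'new' appeared,
    'open' is still present in both scans."""
    before = {alert_key(a) for a in baseline}
    after = {alert_key(a) for a in rescan}
    return {"fixed": before - after, "new": after - before, "open": before & after}


# Constructed sample data for a Juice-Shop-style test bench on localhost:3000.
BASELINE: List[Alert] = [
    {"name": "Content Security Policy (CSP) Header Not Set", "risk": "Medium", "url": "http://localhost:3000/", "param": ""},
    {"name": "Cross-Domain Misconfiguration", "risk": "Medium", "url": "http://localhost:3000/api/", "param": ""},
    {"name": "SQL Injection", "risk": "High", "url": "http://localhost:3000/rest/products/search", "param": "q"},
    {"name": "Timestamp Disclosure", "risk": "Low", "url": "http://localhost:3000/main.js", "param": ""},
]
RESCAN: List[Alert] = [
    {"name": "Content Security Policy (CSP) Header Not Set", "risk": "Medium", "url": "http://localhost:3000/", "param": ""},
    {"name": "Timestamp Disclosure", "risk": "Low", "url": "http://localhost:3000/main.js", "param": ""},
    {"name": "Hidden File Found", "risk": "Medium", "url": "http://localhost:3000/.git/config", "param": ""},
]

if __name__ == "__main__":
    for a in prioritize(BASELINE):
        print(f"[{a['risk']}] {a['name']} at {a['url']}")
    print("summary:", risk_summary(BASELINE))
    for status, keys in regression_diff(BASELINE, RESCAN).items():
        print(status, sorted(k[0] for k in keys))
```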


Limitations of automatic analysis


An important part of analyzing the results is realizing that not all vulnerabilities can be detected automatically.

  ·  False positives: not all problems found are really dangerous in a given context; some alerts require manual verification.

  ·  Limitations of the scanner: automated tools may miss logical vulnerabilities or errors depending on the specifics of the business logic of the application.


Therefore, after the automatic analysis, it is always recommended to perform a manual check of the most important sections of the application.


Analyzing the scan results in OWASP ZAP is the most important stage of a security audit, allowing not only to identify technical problems, but also to systematically build the process of their correction. Using detailed alerts, automated reports, and correct data interpretation helps the development team quickly increase the security level of the web application and minimize business risks.


Conclusion


Regular web application security audits are becoming an integral part of the modern software lifecycle today. Using tools such as OWASP ZAP allows you not only to automate the identification of typical vulnerabilities, but also to create a culture of secure development in the team. Thanks to its ease of use, rich set of features, and openness, OWASP ZAP has become an indispensable assistant for security professionals, developers, DevSecOps engineers, and students learning the basics of cybersecurity.


However, do not forget that no automated tool can replace thoughtful manual analysis and expert evaluation of the business logic of the application. The results obtained during the scan must be critically evaluated, correctly interpreted and verified in the context of a specific project. The best results are achieved with a combination of automatic checks, manual testing and continuous professional development of team members.


In conclusion, it can be noted that the introduction of OWASP ZAP into the development and testing process is an effective step towards building truly secure web services. Regular use of such tools helps not only to reduce information security risks, but also to develop the right attitude among developers and testers towards data protection and application resilience in the face of modern threats. I will definitely come back to you with other analysis tools!
