
OWASP ZAP

The world's most popular free web app security scanner. Automated and manual testing with a powerful proxy for finding vulnerabilities.

Overview

OWASP Zed Attack Proxy (ZAP) is a free, open-source web application security scanner. It began as an OWASP flagship project (first released in 2010) and moved out of the OWASP foundation in 2023, but the name has stuck. ZAP describes itself as the world's most widely used web app scanner. It works as an intercepting (man-in-the-middle) proxy that sits between the browser and the web application, recording every request and response, and letting the tester inspect, modify and replay them to find security vulnerabilities.

ZAP supports both automated scanning (spidering a site, passively checking every observed response, and actively sending attack payloads against discovered parameters) and manual testing (intercepting and modifying requests on the fly). Passive scanning only observes traffic and is safe anywhere; active scanning sends real attack traffic, so run it only against systems you are authorised to test. It is an essential tool for any team that takes application security seriously.

What it's used for

ZAP is essential for:

  • Automated vulnerability scanning: Spider (or AJAX-spider) a web app, passively flag issues such as missing security headers and absent anti-CSRF tokens, and actively probe for SQL injection, XSS, path traversal and more.
  • Manual penetration testing: Intercept requests, modify parameters, and probe for vulnerabilities interactively.
  • CI/CD security gates: Run ZAP headless (Docker image, packaged baseline/full/API scans, or the Automation Framework) as a stage in the deployment pipeline and fail the build on findings above a chosen risk level.
  • API security testing: Import an OpenAPI, SOAP (WSDL) or GraphQL definition so ZAP can scan endpoints that a spider would never discover.
  • Developer security awareness: Free tool that every developer can run locally.

Pros & Cons

Pros

  • Free and open source — no cost barrier
  • Most widely used open-source web app scanner, with a large community and add-on marketplace
  • Both automated and manual testing modes
  • Extensive scripting and automation support
  • Active development with regular updates

Cons

  • Can generate false positives — requires manual review
  • Scanning can be slow on large applications
  • No enterprise support (community support only)
  • Requires security knowledge to interpret results
  • Some advanced features have a learning curve
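The CI/CD gate listed above and the false-positive caveat in the cons are two sides of one pipeline step: run the packaged baseline scan, then decide in code which alerts block the build, which go to a human for review, and which were already triaged. The following Python script is an added example, not code from the ZAP project or from this page. It builds the docker command for zap-baseline.py, writes a rules file in the tab-separated format the baseline script accepts, and evaluates the JSON report ZAP writes with -J. The target URL, the rule entries, the triaged plugin ids and SAMPLE_REPORT are constructed; the sample mirrors the shape of ZAP's traditional JSON report (pluginid, riskcode, confidence, instances) but is not a real scan result.

```python
"""CI gate around ZAP's packaged baseline scan (zap-baseline.py in Docker).

Added example, not code from the ZAP project or the original page. The target URL,
rule entries, TRIAGED ids and SAMPLE_REPORT are constructed; the report mirrors the
shape of ZAP's traditional JSON report (-J) closely enough for the gate logic.
"""
import json
import subprocess
import sys
from pathlib import Path

ZAP_IMAGE = "ghcr.io/zaproxy/zaproxy:stable"

# ZAP's JSON report encodes risk and confidence as numeric strings.
RISK = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}
CONFIDENCE = {0: "False Positive", 1: "Low", 2: "Medium", 3: "High", 4: "User Confirmed"}


def build_baseline_command(target, workdir, report_json="zap-report.json",
                           rules_file=None, minutes=5):
    """docker argv for a baseline scan; /zap/wrk is where ZAP reads -c and writes -J."""
    cmd = ["docker", "run", "--rm", "-v", f"{workdir}:/zap/wrk/:rw", "-t", ZAP_IMAGE,
           "zap-baseline.py", "-t", target, "-J", report_json, "-m", str(minutes)]
    if rules_file:
        cmd += ["-c", rules_file]
    return cmd


def rules_file_lines(rules):
    """Baseline rules file: one 'id<TAB>action<TAB>(comment)' line per plugin id.
    action is IGNORE, WARN or FAIL; ids not listed keep the default (WARN)."""
    return [f"{pid}\t{action}\t({comment})" for pid, action, comment in rules]


def evaluate_report(report, min_risk=2, min_confidence=2, allowlist=frozenset()):
    """Split alerts into (blocking, needs_review).

    blocking:     risk >= min_risk and confidence >= min_confidence, not triaged.
    needs_review: risky enough but low confidence, i.e. a likely false positive
                  that a human should confirm instead of the pipeline failing on it.
    Plugin ids in allowlist were reviewed earlier and accepted.
    """
    blocking, needs_review = [], []
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            pid = alert["pluginid"]
            risk, conf = int(alert["riskcode"]), int(alert["confidence"])
            if pid in allowlist or risk < min_risk:
                continue
            entry = {"pluginid": pid, "name": alert["alert"], "risk": RISK[risk],
                     "confidence": CONFIDENCE[conf],
                     "instances": len(alert.get("instances", []))}
            (blocking if conf >= min_confidence else needs_review).append(entry)
    return blocking, needs_review


SAMPLE_REPORT = {  # constructed sample in the shape of a ZAP traditional JSON report
    "@version": "2.15.0",
    "site": [{
        "@name": "https://app.example.test",
        "alerts": [
            {"pluginid": "10038", "alert": "Content Security Policy (CSP) Header Not Set",
             "riskcode": "2", "confidence": "3",
             "instances": [{"uri": "https://app.example.test/", "method": "GET"},
                           {"uri": "https://app.example.test/login", "method": "GET"}]},
            {"pluginid": "10202", "alert": "Absence of Anti-CSRF Tokens",
             "riskcode": "2", "confidence": "1",
             "instances": [{"uri": "https://app.example.test/login", "method": "GET"}]},
            {"pluginid": "10020", "alert": "Missing Anti-clickjacking Header",
             "riskcode": "2", "confidence": "2",
             "instances": [{"uri": "https://app.example.test/", "method": "GET"}]},
            {"pluginid": "10021", "alert": "X-Content-Type-Options Header Missing",
             "riskcode": "1", "confidence": "2",
             "instances": [{"uri": "https://app.example.test/static/app.js", "method": "GET"}]},
        ],
    }],
}

# Hypothetical triage outcome from an earlier review: clickjacking is covered by a
# frame-ancestors directive set at the CDN, so 10020 is accepted; the rest stay live.
TRIAGED = frozenset({"10020"})
RULES = [("10020", "IGNORE", "frame-ancestors set at CDN, accepted in review"),
         ("10038", "FAIL", "CSP is mandatory"),
         ("10202", "WARN", "report only until forms audit is done")]


def main(target="https://app.example.test", workdir=Path.cwd()):
    Path(workdir, "zap-rules.tsv").write_text("\n".join(rules_file_lines(RULES)) + "\n")
    cmd = build_baseline_command(target, workdir, rules_file="zap-rules.tsv")
    subprocess.run(cmd)  # baseline exits 1 on FAIL, 2 on WARN; the gate below decides
    report = json.loads(Path(workdir, "zap-report.json").read_text())
    blocking, review = evaluate_report(report, allowlist=TRIAGED)
    for e in review:
        print(f"REVIEW  {e['pluginid']} {e['name']} ({e['risk']}, {e['confidence']} confidence)")
    for e in blocking:
        print(f"FAIL    {e['pluginid']} {e['name']} ({e['risk']}, {e['instances']} instances)")
    return 1 if blocking else 0


if __name__ == "__main__":
    sys.exit(main(*sys.argv[1:2]))
```

Two design choices matter here. Alerts are gated on risk and confidence together, so a Medium-risk alert that ZAP itself reports with Low confidence lands in a review queue rather than breaking the build; that is where the manual review the cons section mentions happens. And triage lives in two places on purpose: the rules file tells ZAP to stop reporting an accepted plugin id, while the allow-list makes the gate robust if someone runs the scan without that file.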

Platforms & Integrations

ZAP runs on Windows, macOS, and Linux and needs a Java runtime (Java 11 or later for older releases; recent releases require Java 17, so check the release notes for the version you install). It can run as a desktop app, a command-line tool (including a daemon exposing a REST API), or a Docker container.

Platforms: Windows, macOS, Linux, Java, Docker. API formats: REST, GraphQL, SOAP. Integrations: Jenkins, GitHub Actions, GitLab CI, Azure DevOps, Burp Suite, Selenium.

Pricing

Tier: Open Source
Cost: Free
Includes: Full scanner, all features, community support

NZ Context

ZAP is the security tool most NZ software professionals should know. It is free, well-documented, and covers the OWASP Top 10 vulnerabilities. The NZ Government's NZ Information Security Manual references OWASP tools for web application security assessments. For NZ teams on a budget, ZAP provides enterprise-grade scanning at zero cost.

Alternatives

  • Burp Suite — Professional penetration testing with better manual testing workflow.
  • SonarQube — Static code analysis for finding security issues in source code.
  • Snyk — Dependency vulnerability scanning and container security.
