OWASP ZAP

Vendor: OWASP

Free web application security scanner from OWASP with active and passive scanning.

Tags: Vulnerability Management, Free & Open Source, Platform / Suite, Learning, Cross-platform


Description

OWASP ZAP (Zed Attack Proxy) is OWASP's flagship free, open-source web application scanner. It is the natural alternative to Burp Suite when there is no licence budget, or when an automated scan needs to run inside a CI/CD pipeline.

Strengths:

  • Automated and manual modes.
  • HUD (heads-up display) overlay in the browser for guided manual testing.
  • Add-ons marketplace for extra scan rules.
  • First-class CI integration (zap-baseline.py, zap-full-scan.py).

Use cases

  • DAST stage in a DevSecOps pipeline
  • Free alternative to Burp for small businesses
  • Training environments for OWASP Top 10 demonstration

Example

# Passive baseline scan of the target, run from the official ZAP Docker image
docker run --rm -t owasp/zap2docker-stable \
  zap-baseline.py -t https://target.example.com
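The one-liner above returns a single exit status, and a DAST stage in a pipeline has to decide what to do with it. The wrapper below is an added example, not code from the page or from the ZAP project: it mounts a report directory so the HTML report survives the container, and maps zap-baseline.py's exit codes (0 = PASS, 1 = FAIL, 2 = WARN, 3 = other error, as printed by the script's own help) to a build decision in which warnings are reported but only failures and scan errors block the job. The target URL, report directory and the choice to tolerate WARN are assumptions; the scan itself only runs when ZAP_RUN=1 so the gating logic can be exercised without Docker.

```shell
#!/bin/sh
# Added example (not from the page or the ZAP project): CI gate around zap-baseline.py.
# Assumptions: docker is on PATH, the report directory is writable, and the baseline
# script's exit codes are 0 = PASS, 1 = FAIL, 2 = WARN, 3 = other error.

TARGET="${1:-https://target.example.com}"      # placeholder target, as on the page
REPORT_DIR="${REPORT_DIR:-$(pwd)/zap-report}"   # assumed location for the HTML report
IMAGE="owasp/zap2docker-stable"

# Map the scanner's exit status to a pipeline decision.
# Return 0 to let the job continue, 1 to block it. WARN-level alerts are
# surfaced for review but tolerated; FAIL-level alerts and scan errors block.
zap_gate() {
  case "$1" in
    0) echo "ZAP baseline: PASS"; return 0 ;;
    2) echo "ZAP baseline: WARN (review the report; build continues)"; return 0 ;;
    1) echo "ZAP baseline: FAIL (blocking alerts found)"; return 1 ;;
    3) echo "ZAP baseline: ERROR (scan did not complete)"; return 1 ;;
    *) echo "ZAP baseline: unexpected exit status '$1'"; return 1 ;;
  esac
}

# Run the passive baseline scan and write report.html into the mounted directory.
# -m caps spidering at two minutes so the stage has a predictable duration.
run_baseline() {
  mkdir -p "$REPORT_DIR"
  docker run --rm -t \
    -v "$REPORT_DIR":/zap/wrk/:rw \
    "$IMAGE" zap-baseline.py -t "$TARGET" -m 2 -r report.html
}

# Only invoke Docker when explicitly asked, so the gate logic is testable offline.
if [ "${ZAP_RUN:-0}" = "1" ]; then
  run_baseline
  status=$?
  zap_gate "$status"
  exit $?
fi
```

Run it as `ZAP_RUN=1 sh zap-gate.sh https://staging.example.invalid` from the pipeline step; the report lands in ./zap-report/report.html and the step's exit status is the gate decision. If the team prefers ZAP's own behaviour of failing on warnings, change the `2)` branch to `return 1` rather than passing `-I` to the scanner, so the policy lives in one place.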