Category: Web Application Analysis. Tags: web, vulnerabilities, penetration testing, owasp, proxy

OWASP Zed Attack Proxy (ZAP)

The OWASP Zed Attack Proxy (ZAP) is an easy-to-use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed for users with varying levels of security experience, from developers and functional testers new to pentesting to experienced pentesters.

Description

ZAP is a testing tool built specifically to find vulnerabilities in web applications. It is an accessible entry point for people new to penetration testing and a useful addition to the toolkit of experienced testers, so it suits developers, functional testers and pentesters alike.

Use cases include vulnerability scanning during web application development and testing. ZAP runs either interactively (a desktop UI with an intercepting proxy) or headless (daemon mode driven from the command line or from its REST API), which covers both a quick reconnaissance pass and a full proxy-based analysis. It fits into CI/CD pipelines as well as standalone pentesting workflows.

ZAP is written in Java, so the Kali package pulls in a Java runtime (default-jre) together with the owasp-zap package, giving a complete setup on Kali Linux without a manual Java installation.

How It Works

ZAP sits between the browser (or test harness) and the application as an intercepting proxy, recording requests and responses and analysing them for vulnerabilities; its active scanner then sends its own crafted requests against what it has seen. It supports daemon mode for headless operation (-daemon), command-line scanning with -cmd combined with -quickurl for an automated attack or -zapit for a quick reconnaissance pass, and a browser launched with the HUD proxied through ZAP (-hud). Configuration keys can be overridden on the command line as key=value pairs or loaded from a properties file, and add-ons extend the command line with specialised options such as importing a GraphQL schema. The launcher detects the installed Java version and available memory and accepts custom JVM arguments for performance tuning.
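The headless workflow described above, as an added example (not ZAP's own code): start ZAP with -daemon and -config overrides that set an API key and restrict API clients to loopback, drive the spider and active scanner through the REST API, and fail the build when findings reach a chosen risk level. Host, port, API key, target URL, the risk threshold and the SAMPLE_ALERTS data are assumptions for illustration; the API endpoints (core/view/version, spider, ascan, core/view/alerts, core/action/shutdown) and the api.key / api.addrs.addr.* configuration keys are ZAP's real ones.

```python
"""Drive a headless ZAP daemon from a CI job and gate the build on findings.

Added example for this page; not ZAP's own code. Only the standard library
is used. Host, port, API key, target URL and threshold are assumptions.
"""
import json
import subprocess
import sys
import time
import urllib.parse
import urllib.request

ZAP_HOST = "127.0.0.1"          # assumed: daemon listens on loopback only
ZAP_PORT = 8090                 # assumed: avoid the 8080 default in shared CI
API_KEY = "change-me-in-ci"     # assumed: inject from a CI secret in real use
RISK_ORDER = ["Informational", "Low", "Medium", "High"]  # ZAP's risk levels

# Constructed sample of the 'alerts' list returned by core/view/alerts.
SAMPLE_ALERTS = [
    {"risk": "High", "name": "SQL Injection", "url": "http://app.example/login"},
    {"risk": "Low", "name": "X-Content-Type-Options Header Missing", "url": "http://app.example/"},
    {"risk": "Low", "name": "Cookie Without Secure Flag", "url": "http://app.example/"},
]


def build_daemon_cmd(host=ZAP_HOST, port=ZAP_PORT, api_key=API_KEY):
    """Command line for a UI-less ZAP bound to one address with an API key.

    -daemon runs without a UI; -config overrides key=value pairs in the
    configuration file. api.key makes every API call require the key and
    api.addrs.addr.* limits which client addresses may call the API.
    """
    return [
        "zaproxy", "-daemon",
        "-host", host, "-port", str(port),
        "-config", f"api.key={api_key}",
        "-config", "api.addrs.addr.name=127.0.0.1",
        "-config", "api.addrs.addr.regex=false",
    ]


def api(component, kind, name, **params):
    """Call ZAP's JSON API: /JSON/<component>/<view|action>/<name>/."""
    qs = urllib.parse.urlencode(params)
    url = f"http://{ZAP_HOST}:{ZAP_PORT}/JSON/{component}/{kind}/{name}/?{qs}"
    req = urllib.request.Request(url, headers={"X-ZAP-API-Key": API_KEY})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode())


def wait_until_ready(timeout=120):
    """Poll core/view/version until the daemon answers or we give up."""
    deadline = time.time() + timeout
    while time.time() < deadline:
        try:
            return api("core", "view", "version")["version"]
        except OSError:
            time.sleep(2)
    raise RuntimeError("ZAP daemon did not come up")


def run_to_completion(component, scan_id):
    """Spider and active-scan status are percentages reported as strings."""
    while int(api(component, "view", "status", scanId=scan_id)["status"]) < 100:
        time.sleep(5)


def summarize_alerts(alerts):
    """Count alerts per risk level from the 'alerts' list of core/view/alerts."""
    counts = {level: 0 for level in RISK_ORDER}
    for alert in alerts:
        counts[alert["risk"]] = counts.get(alert["risk"], 0) + 1
    return counts


def fails_gate(counts, threshold="High"):
    """True if any alert sits at or above the threshold risk level."""
    floor = RISK_ORDER.index(threshold)
    return any(counts.get(level, 0) for level in RISK_ORDER[floor:])


def main(target):
    proc = subprocess.Popen(build_daemon_cmd(),
                            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    try:
        print("ZAP", wait_until_ready())
        run_to_completion("spider", api("spider", "action", "scan", url=target, recurse="true")["scan"])
        run_to_completion("ascan", api("ascan", "action", "scan", url=target, recurse="true")["scan"])
        counts = summarize_alerts(api("core", "view", "alerts", baseurl=target)["alerts"])
        print(counts)
        return 1 if fails_gate(counts, "High") else 0
    finally:
        try:
            api("core", "action", "shutdown")   # clean exit through the API
        except OSError:
            proc.terminate()                    # daemon never answered
        proc.wait(timeout=60)


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1:8080"))
```

Binding the API to loopback and requiring a key matters in CI because the daemon otherwise accepts scan requests from any host that can reach the port; the threshold is kept as a parameter so a team can start at High and tighten it to Medium once the backlog is clear.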

Installation

bash
sudo apt install zaproxy

Flags

-version                Reports the ZAP version
-cmd                    Run inline (exits when command line options complete)
-daemon                 Starts ZAP in daemon mode, i.e. without a UI
-config <kvpair>        Overrides the specified key=value pair in the configuration file
-configfile <path>      Overrides the key=value pairs with those in the specified properties file
-dir <dir>              Uses the specified directory instead of the default one
-installdir <dir>       Overrides the code that detects where ZAP has been installed with the specified directory
-h                      Shows all of the command line options available, including those added by add-ons
-hud                    Launches a browser configured to proxy through ZAP with the HUD enabled, for use in daemon mode
-hudurl <url>           Launches a browser as per the -hud option with the specified URL
-hudbrowser <browser>   Launches a browser as per the -hud option with the specified browser; supported options: Chrome, Firefox (default: Firefox)
-quickurl <target url>  The URL to attack, e.g. http://www.example.com
-quickout <filename>    The file to write the HTML/JSON/MD/XML results to (format chosen by the file extension)
-quickprogress          Display progress bars while scanning
-zapit <target url>     The URL to perform a quick 'reconnaissance' scan on, e.g. http://www.example.com. The -cmd option must be specified
-graphqlfile <path>     Imports a GraphQL Schema from a file

Examples

Shows help output; the launcher also prints the detected Java version, memory and JVM args
owasp-zap -h
Displays usage information and all available command line options
zaproxy -h
Reports the ZAP version
zaproxy -version
Runs inline quick attack on the target URL
zaproxy -cmd -quickurl http://www.example.com
Performs quick reconnaissance scan on the target URL in inline mode
zaproxy -cmd -zapit http://www.example.com
Starts ZAP in daemon mode without UI
zaproxy -daemon
Launches browser proxying through ZAP with HUD enabled
zaproxy -hud
Launches browser with HUD proxying to specified URL
zaproxy -hudurl http://www.example.com
Updated 2026-04-16. Source: kali.org