OWASP ZAP (Zed Attack Proxy) is one of the world’s most popular open-source web vulnerability scanners. Maintained under the software security umbrella of the Open Web Application Security Project (OWASP), it is a powerful tool designed specifically for testing web applications.
Whether you are an aspiring penetration tester, a developer looking to secure your code, or a security professional, this hands-on tutorial is designed to take you from absolute beginner to confidently scanning and analyzing web applications for security flaws.
In this guide, we will cover:
- What OWASP ZAP is and how it works.
- Step-by-step installation instructions for all platforms.
- Setting up OWASP ZAP as a Man-in-the-Middle (MitM) proxy.
- Running passive and active scans.
- Understanding ZAP alerts and security vulnerabilities.
Before diving into ZAP, you might also want to read our Burp Suite Community Edition Guide since the two tools share similar interception proxy concepts.
What is OWASP ZAP?
At its core, OWASP ZAP is a Man-in-the-Middle (MitM) Proxy. It stands between your web browser and the target web application. By routing your browser’s traffic through ZAP, the tool can:
- Intercept and Log: Capture all requests and responses (HTML, CSS, JS, API calls, cookies, headers) passing through it.
- Modify Traffic: Allow you to pause a request mid-flight, modify its parameters (e.g., changing input values or cookie states), and forward the modified request to the server.
- Scan and Fuzz: Automatically analyze requests for potential vulnerability indicators (passive scanning) or inject malicious payloads (active scanning/fuzzing) to discover active flaws.
Unlike network-layer scanners like Nmap, ZAP operates at the application layer (layer 7), inspecting the logical structure of web applications.
How to Install OWASP ZAP
OWASP ZAP is cross-platform because it runs on Java. You can install it on Windows, macOS, Linux, or run it inside a Docker container.
🪟 Windows Installation
- Go to the ZAP Official Download Page.
- Download the Windows Installer (64-bit or 32-bit).
- Run the installer .exe file and follow the standard wizard steps.
- Java: ZAP installers usually bundle a Java Runtime Environment (JRE), so you normally do not need to install it separately.
🐧 Linux Installation
On Debian-based systems (like Ubuntu or Kali Linux), you can install ZAP directly via the package manager:
sudo apt update
sudo apt install zapproxy -y
For other Linux distributions, you can download the Linux Tarball, extract it, and run the shell script:
tar -xvf ZAP_*_Linux.tar.gz
cd ZAP_*
./zap.sh
🍎 macOS Installation
- Download the macOS installer (.dmg) from the official site.
- Double-click the file and drag OWASP ZAP to your Applications folder.
🐳 Running ZAP via Docker
For headless scanning or CI/CD pipelines, ZAP provides official Docker images:
# Pull the stable image
docker pull owasp/zap2docker-stable
# Run ZAP in webswing mode (accessible via web browser)
docker run -u zap -p 8080:8080 -p 8090:8090 -i owasp/zap2docker-stable zap-webswing.sh
Getting Started: Launching ZAP and Configuring the Proxy
When you launch ZAP for the first time, you will see a prompt asking if you want to persist the ZAP session.
- For quick, temporary tests, choose “No, I do not want to persist this session at this time.”
- For auditing actual projects, choose to persist the database so you can save your progress.
Understanding the ZAP Workspace
The interface is split into four primary panels:
- Tree/Contexts Panel (Left): Displays the directory structure of the scanned web applications (the Site Tree).
- Workspace Panel (Top Right): Shows the Quick Start tab, request/response details, or browser integration tools.
- Information Panel (Bottom): Houses tabs like History, Search, Alerts, and Active Scan progress.
- Tools Bar (Top): Provides controls to switch modes (Safe, Protected, Standard, Attack).
Step 1: Intercepting Traffic (Manual Exploration)
The best way to scan a site is to explore it manually first so ZAP can build a map of it. ZAP provides two ways to do this:
Option A: Using the Built-in HUD (Heads-Up Display)
ZAP features an interactive HUD that overlays security controls directly onto your browser.
- In the Quick Start tab, click on Manual Explore.
- Enter the URL of a safe test target, such as http://testphp.vulnweb.com/.
- Select your browser (e.g., Firefox or Chrome) and check the Enable HUD box.
- Click Launch Browser. ZAP will open a dedicated browser instance that is pre-configured to proxy traffic through ZAP and trust ZAP’s certificate.
Option B: Configuring Your Main Browser Manually
If you prefer using your own browser profile:
- Go to ZAP’s settings: Tools -> Options -> Local Proxies.
- Note the address and port (default is localhost and 8080).
- Set your browser’s proxy settings to route HTTP/HTTPS traffic through 127.0.0.1:8080.
- To intercept HTTPS sites without certificate warnings, you must export ZAP’s Root CA Certificate via Options -> Dynamic SSL Certificates -> Save, and import it into your browser’s trusted authorities list.
Step 2: Running a Passive Scan
As you browse the web application manually, ZAP performs a Passive Scan in the background.
- What it does: It inspects the responses sent by the server without modifying requests or injecting payloads. It flags basic issues like missing security headers (e.g., X-Frame-Options, Content-Security-Policy), cookie issues (missing Secure or HttpOnly flags), and information disclosure (server banner leakage).
- Impact: 100% safe. It does not generate noise or trigger IDS/firewall blocklists because it behaves exactly like normal user browsing.
For an initial server-level scan, you can also use tools like Nikto Web Vulnerability Scanner to complement ZAP’s findings.
Step 3: Running an Active Scan
Once ZAP has mapped the target web app, you can launch an Active Scan to look for deeper code-level vulnerabilities.
⚠️ WARNING: Active scanning sends hundreds of malicious payloads to probe for flaws. Only run this against web applications you own or have explicit written authorization to test.
- Go to the Sites tree on the left panel.
- Right-click the folder representing your target site (e.g., http://testphp.vulnweb.com).
- Select Attack -> Active Scan.
- In the configuration window, you can tweak settings or click Start Scan directly.
- Watch the progress in the Active Scan tab at the bottom. ZAP will inject payloads checking for:
- SQL Injection (SQLi)
- Cross-Site Scripting (XSS)
- Path Traversal / Local File Inclusion (LFI)
- Remote Code Execution (RCE)
Step 4: Reviewing and Triaging Alerts
After the scan completes, navigate to the Alerts tab at the bottom of the screen. ZAP categorizes vulnerabilities by severity using flags:
- 🚩 Red Flag (High): Critical flaws requiring immediate patch (e.g., SQL injection, Remote Code Execution).
- 🟡 Yellow Flag (Medium): High-risk flaws (e.g., Stored XSS, vulnerable libraries, missing authorization checks).
- 🔵 Blue Flag (Low): Minor issues or configuration tweaks (e.g., missing anti-CSRF tokens, SSL configurations).
- ⚪ Grey Flag (Informational): Basic configuration observations.
Double-clicking any alert in ZAP displays:
- The exact HTTP Request and Response containing the vulnerability.
- The specific parameter that was fuzzed.
- A description of the vulnerability and recommended remediation steps.
Three Essential Tips for Using ZAP Safely
- Keep it in Scope: Use ZAP’s “Contexts” feature to define exactly which URLs are in scope. This prevents ZAP from accidentally scanning external links (like Google Analytics or social media widgets) linked on your page.
- Start Safe: Start in Safe Mode or Protected Mode using the dropdown in the top-left toolbar. This disables dangerous active scanning actions until you are ready.
- Use the Right Tools for the Right Job: For fast-paced directory brute-forcing, use Gobuster. Use ZAP when you need deep, contextual state-aware application scanning.
Conclusion
OWASP ZAP is an indispensable, free, and open-source tool for anyone interested in web application security. By learning how to set up the MitM proxy, explore sites manually, run active scans, and analyze alerts, you have taken a major step in securing web infrastructure.
For your next challenge, try capturing the requests in ZAP and feeding specific endpoints into fuzzers to explore how different application frameworks handle bad input!