CyberCheatsheets

OWASP ZAP Cheat Sheet

Open-source web app security proxy with passive/active scanning and automation API.

Tags: Web Application Security, automation, proxy, scanner
Updated 2026-06-02

Overview

OWASP ZAP is an intercepting proxy in the same role as Burp Suite: it records HTTP(S) traffic sent through it, passively scans every response it sees, actively scans in-scope URLs on request, and can be driven by scripts, a JSON REST API and CI scan scripts. Use it for authorized assessments, baseline scans in pipelines, and as the passive companion to manual testing.

Authorized testing only. Use only on systems, networks, and accounts you own or have explicit written permission to test. Unauthorized access is illegal.

Install

sudo apt install -y zaproxy

or

sudo snap install zaproxy --classic
docker pull ghcr.io/zaproxy/zaproxy:stable

Essential commands

GUI

zaproxy

Headless daemon (API key check disabled; acceptable only while the API is reachable from localhost alone, otherwise keep the key and send it as apikey on every call)

zap.sh -daemon -port 8080 -config api.disablekey=true

Quick baseline scan (Docker)

docker run -t ghcr.io/zaproxy/zaproxy:stable zap-baseline.py -t https://target.example

Common workflows

Manual proxy testing —

zap.sh -daemon -port 8080

Point the browser at 127.0.0.1:8080, and export ZAP's root CA and import it into the browser so HTTPS is intercepted instead of rejected. If the application under test already listens on 8080, pick another port with -port.

Spider + active scan (zap-cli, a third-party wrapper around the ZAP API, not part of ZAP itself) —

One shot; starts its own ZAP, scans, and shuts it down:

zap-cli quick-scan --self-contained --spider -r --start-options '-config api.disablekey=true' https://target.example

Step by step against a ZAP that is already running (zap.sh -daemon, or zap-cli start):

zap-cli open-url https://target.example
zap-cli spider https://target.example
zap-cli active-scan https://target.example
zap-cli report -o report.html -f html

Packaged full scan (Docker; spider, active scan, report written into the mounted working directory). This is one of the packaged scan scripts, not the YAML-plan Automation Framework, which zap.sh runs with -cmd -autorun —

docker run -v "$(pwd)":/zap/wrk/:rw -t ghcr.io/zaproxy/zaproxy:stable zap-full-scan.py -t https://target.example -r zap_report.html

Direct API calls (daemon on 8080 with the API key disabled; otherwise append &apikey=... to each URL). Each action returns a scan id; poll the matching view/status endpoint for that id until it reports 100 before starting the next step or reading alerts:

curl "http://127.0.0.1:8080/JSON/spider/action/scan/?url=https://target.example"
curl "http://127.0.0.1:8080/JSON/ascan/action/scan/?url=https://target.example"

Authenticated scan (context) —

UI: Context > Include in Context (the target) > Authentication (form-based, JSON, or script) > Session Management > Users, plus logged-in and logged-out indicator regexes so ZAP notices when a session is lost and re-authenticates.
Manual: log in through the browser with ZAP as proxy so the session is captured, then spider and scan as that user (select the user under the context).

Flags: ZAP (zap.sh)

-daemon

Headless mode

-port 8080

Local proxy/API port

-config api.disablekey=true

Override a ZAP config option as key=value; repeatable (api.disablekey=true turns off the API key check)

Flags: ZAP Docker scan scripts

-t https://target/

Target URL

-r report.html

HTML report output

-J report.json

JSON report output

Commands: ZAP automation

Third-party shell wrapper for the ZAP API (requires a running ZAP, or --self-contained)

zap-cli

Spider (one minute by default) + passive scan only; sends no attack payloads, so it is safe for CI

zap-baseline.py -t URL

Full spider + active scan; noisy and sends attack payloads, so only against targets cleared for it

zap-full-scan.py -t URL

API scan driven by a definition in openapi, soap, or graphql format (-f), which is how endpoints a spider cannot discover get covered

zap-api-scan.py -t URL -f openapi

Tips

  • Define a context and mark only the target as in scope so the spider and active scanner do not wander into third-party domains (CDNs, SSO providers, analytics).
  • Leave the passive scanner running while browsing manually; it costs the target nothing. Schedule active scans for agreed maintenance windows, since they send real attack payloads and can write data.
  • zap-baseline.py is the CI-friendly script; tune per-rule handling (IGNORE, WARN, FAIL by plugin id) in a rules file, conventionally .zap/rules.tsv, passed to the script with -c, so known and accepted findings stop failing the build.
  • Treat scanner output as a starting point: automated scanning misses business-logic flaws, multi-step authentication and authorization bugs, so pair it with manual testing in ZAP or Burp.
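
Driving the daemon through the JSON API from "Common workflows" (spider, wait, active scan, wait, fetch alerts) and gating the alerts with a rules file in the spirit of the rules.tsv tip, as an added example that is not ZAP's own client library or the baseline script's code. It assumes the cheat sheet's daemon on 127.0.0.1:8080 with the API key disabled and the placeholder target; the rules parser is this example's own minimal reading of the pluginId/level/comment layout, and fake_zap_fetch is a constructed stand-in with sample alerts so the flow can be exercised offline.

```python
"""Spider -> active scan -> alerts over ZAP's JSON API, then a CI-style gate.

Added example; assumes zap.sh -daemon -port 8080 -config api.disablekey=true on localhost.
"""
import json
import pathlib
import time
import urllib.parse
import urllib.request

ZAP = "http://127.0.0.1:8080"       # assumed: the daemon from the cheat sheet
API_KEY = ""                        # assumed empty only because api.disablekey=true
TARGET = "https://target.example"   # placeholder target from the cheat sheet


def api_url(base, component, kind, name, params, api_key=""):
    """Build /JSON/<component>/<action|view>/<name>/?...; the key travels as the apikey query parameter."""
    query = dict(params)
    if api_key:
        query["apikey"] = api_key
    return f"{base}/JSON/{component}/{kind}/{name}/?{urllib.parse.urlencode(query)}"


def http_get_json(url):
    """Real transport: ZAP answers JSON; a missing or wrong API key comes back as HTTP 403."""
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp)


def wait_until_done(component, scan_id, base, api_key, fetch, sleep, poll):
    """Poll /JSON/<component>/view/status/?scanId=N until ZAP reports 100 (percent complete)."""
    while True:
        status = fetch(api_url(base, component, "view", "status", {"scanId": scan_id}, api_key))
        if int(status["status"]) >= 100:
            return
        sleep(poll)


def run_scan(target, base=ZAP, api_key=API_KEY, fetch=http_get_json, sleep=time.sleep, poll=2.0):
    """Spider the target, then active-scan it, then return ZAP's alert list for that base URL."""
    spider = fetch(api_url(base, "spider", "action", "scan", {"url": target}, api_key))
    wait_until_done("spider", spider["scan"], base, api_key, fetch, sleep, poll)
    ascan = fetch(api_url(base, "ascan", "action", "scan", {"url": target, "recurse": "true"}, api_key))
    wait_until_done("ascan", ascan["scan"], base, api_key, fetch, sleep, poll)
    return fetch(api_url(base, "core", "view", "alerts", {"baseurl": target}, api_key))["alerts"]


def parse_rules(text):
    """Lines of 'pluginId<TAB>IGNORE|WARN|FAIL<TAB>(comment)' -> {pluginId: level}; other lines are skipped."""
    rules = {}
    for line in text.splitlines():
        cols = line.split("\t")
        if len(cols) >= 2 and cols[0].strip().isdigit():
            rules[cols[0].strip()] = cols[1].strip().upper()
    return rules


def gate(alerts, rules, default="WARN"):
    """Count alerts per level; plugin ids without a rule get `default`. CI fails when FAIL > 0."""
    counts = {"FAIL": 0, "WARN": 0, "IGNORE": 0}
    for alert in alerts:
        level = rules.get(str(alert.get("pluginId")), default)
        counts[level if level in counts else default] += 1
    return counts


def fake_zap_fetch():
    """Constructed stand-in for a ZAP instance so the flow runs offline; the alerts are sample data."""
    progress = {"spider": [40, 100], "ascan": [10, 65, 100]}   # status values returned on successive polls
    sample_alerts = [
        {"pluginId": "40012", "risk": "High", "alert": "Cross Site Scripting (Reflected)", "url": TARGET + "/search?q=x"},
        {"pluginId": "10038", "risk": "Medium", "alert": "Content Security Policy (CSP) Header Not Set", "url": TARGET},
        {"pluginId": "10021", "risk": "Low", "alert": "X-Content-Type-Options Header Missing", "url": TARGET},
    ]

    def fetch(url):
        _, component, kind, name = urllib.parse.urlparse(url).path.strip("/").split("/")
        if kind == "action" and name == "scan":
            return {"scan": "0"}
        if kind == "view" and name == "status":
            steps = progress[component]
            return {"status": str(steps.pop(0) if len(steps) > 1 else steps[0])}
        if component == "core" and name == "alerts":
            return {"alerts": sample_alerts}
        raise ValueError(f"unexpected API call: {url}")

    return fetch


if __name__ == "__main__":
    rules_file = pathlib.Path(".zap/rules.tsv")          # same path the tips mention
    rules = parse_rules(rules_file.read_text()) if rules_file.exists() else {}
    found = run_scan(TARGET)                              # needs the daemon; pass fetch=fake_zap_fetch() to dry-run
    for a in found:
        print(f'{a["risk"]:<8} {a["pluginId"]:<6} {a["alert"]}  {a["url"]}')
    verdict = gate(found, rules)
    print(verdict)
    raise SystemExit(1 if verdict["FAIL"] else 0)
```

The transport is injectable on purpose: the same run_scan drives a real daemon with http_get_json and runs against fake_zap_fetch in a unit test, and the polling loop is where most hand-rolled API scripts go wrong (reading alerts before the active scan has finished). With the rules file absent every alert is a WARN and the exit code is 0, which matches the "report everything, fail nothing" default of a fresh baseline run; promote specific plugin ids to FAIL once the team agrees they must not regress.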
