owasp-zap

OWASP ZAP security testing proxy. Use for security testing.

7 stars

byG1Joshi

View on GitHub Installation ↓

Best use case

owasp-zap is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

OWASP ZAP security testing proxy. Use for security testing.

Teams using owasp-zap should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

You only need a quick one-off answer and do not need a reusable workflow.
You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/owasp-zap/SKILL.md --create-dirs "https://raw.githubusercontent.com/G1Joshi/Agent-Skills/main/skills/security/owasp-zap/SKILL.md"

Manual Installation

Download SKILL.md from GitHub
Place it in .claude/skills/owasp-zap/SKILL.md inside your project
Restart your AI agent — it will auto-discover the skill

How owasp-zap Compares

Feature / Agent	owasp-zap	Standard Approach
Platform Support	Not specified	Limited / Varies
Context Awareness	High	Baseline
Installation Complexity	Unknown	N/A

Frequently Asked Questions

What does this skill do?

OWASP ZAP security testing proxy. Use for security testing.

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# OWASP ZAP (Zed Attack Proxy)

OWASP ZAP is the world's most widely used free web app scanner. It is perfect for developers and functional testers who are new to penetration testing, as well as automated CI/CD pipelines.

## When to Use

- **CI/CD Automation**: "DAST in the pipeline". Run a baseline scan on every PR.
- **Budget constraints**: It's free and open-source (vs Burp Pro's license).
- **Headless Scanning**: Controlling the scanner via API or CLI (Docker).

## Quick Start (Docker)

```bash
# Run a quick scan against a URL
docker run -t owasp/zap2docker-stable zap-baseline.py -t https://www.example.com
```

## Core Concepts

### Active Scan (Attack)

ZAP modifies requests to attack the application (SQLi, XSS, Command Injection). Use with caution.

### Passive Scan

ZAP watches traffic (via Proxy) and reports alerts without modifying requests (e.g., missing headers, cookie flags). Safe for production.

### HUD (Heads Up Display)

Injects the ZAP UI directly into your browser, allowing you to control the scan while browsing the target site.

## Best Practices (2025)

**Do**:

- **Automate Baseline Scans**: integrate `zap-baseline.py` in GitHub Actions for quick sanity checks.
- **Authenticate**: Configure ZAP to handle login (Authentication Context) so it can scan authenticated routes.
- **Filter False Positives**: DAST tools are noisy. Create a Context file to ignore irrelevant alerts.

**Don't**:

- **Don't Attack Unauthorized Targets**: ZAP is a weapon. Ensure you have permission.
- **Don't rely solely on DAST**: Combine with SAST (SonarQube) and SCA (Snyk).

## Troubleshooting

| Error                   | Cause                | Solution                                                         |
| :---------------------- | :------------------- | :--------------------------------------------------------------- |
| `Scan takes forever`    | Spider got stuck.    | Exclude logout URLs or calendar/looping paths from the context.  |
| `Authentication Failed` | ZAP couldn't log in. | Use the ZAP Desktop UI to record a Login Sequence (Zest Script). |

## References

- [OWASP ZAP](https://www.zaproxy.org/)
- [ZAP Docker Docs](https://www.zaproxy.org/docs/docker/)