DAST with OWASP ZAP

Overview

OWASP ZAP (Zed Attack Proxy) is an open-source DAST tool that acts as a manipulator-in-the-middle proxy to intercept, inspect, and test web application traffic for security vulnerabilities. ZAP provides automated passive and active scanning, API testing capabilities, and seamless CI/CD integration for runtime security testing.

Quick Start

Baseline Scan (Docker)

Run a quick passive security scan:

docker run -t zaproxy/zap-stable zap-baseline.py -t https://target-app.com -r baseline-report.html

Full Active Scan (Docker)

Perform comprehensive active vulnerability testing:

docker run -t zaproxy/zap-stable zap-full-scan.py -t https://target-app.com -r full-scan-report.html

API Scan with OpenAPI Spec

Test APIs using OpenAPI/Swagger specification:

docker run -v $(pwd):/zap/wrk/:rw -t zaproxy/zap-stable zap-api-scan.py \
  -t https://api.target.com \
  -f openapi \
  -d /zap/wrk/openapi-spec.yaml \
  -r /zap/wrk/api-report.html

Core Workflow

Step 1: Define Scan Scope and Target

Identify the target application URL and define scope:

# Set target URL
TARGET_URL="https://target-app.com"

# For authenticated scans, prepare authentication context
# See references/authentication_guide.md for detailed setup

Scope Considerations:

• Exclude third-party domains and CDN URLs
• Include all application subdomains and API endpoints
• Respect scope limitations in penetration testing engagements

Step 2: Run Passive Scanning

Execute passive scanning to analyze traffic without active attacks:

# Baseline scan performs spidering + passive scanning
docker run -t zaproxy/zap-stable zap-baseline.py \
  -t $TARGET_URL \
  -r baseline-report.html \
  -J baseline-report.json

What Passive Scanning Detects:

• Missing security headers (CSP, HSTS, X-Frame-Options)
• Information disclosure in responses
• Cookie security issues (HttpOnly, Secure flags)
• Basic authentication weaknesses
• Application fingerprinting data

Step 3: Execute Active Scanning

Perform active vulnerability testing (requires authorization):

# Full scan includes spidering + passive + active scanning
docker run -t zaproxy/zap-stable zap-full-scan.py \
  -t $TARGET_URL \
  -r full-scan-report.html \
  -J full-scan-report.json \
  -z "-config api.addrs.addr.name=.* -config api.addrs.addr.regex=true"

Active Scanning Coverage:

• SQL Injection (SQLi)
• Cross-Site Scripting (XSS)
• Path Traversal
• Command Injection
• XML External Entity (XXE)
• Server-Side Request Forgery (SSRF)
• Security Misconfigurations

WARNING: Active scanning performs real attacks. Only run against applications you have explicit authorization to test.

Step 4: Test APIs with Specifications

Scan REST, GraphQL, and SOAP APIs:

# OpenAPI/Swagger API scan
docker run -v $(pwd):/zap/wrk/:rw -t zaproxy/zap-stable zap-api-scan.py \
  -t https://api.target.com \
  -f openapi \
  -d /zap/wrk/openapi.yaml \
  -r /zap/wrk/api-report.html

# GraphQL API scan
docker run -v $(pwd):/zap/wrk/:rw -t zaproxy/zap-stable zap-api-scan.py \
  -t https://api.target.com/graphql \
  -f graphql \
  -d /zap/wrk/schema.graphql \
  -r /zap/wrk/graphql-report.html

Consult references/api_testing_guide.md for advanced API testing patterns including authentication and rate limiting.

Step 5: Handle Authentication

For testing authenticated application areas:

# Use bundled script for authentication setup
python3 scripts/zap_auth_scanner.py \
  --target $TARGET_URL \
  --auth-type form \
  --login-url https://target-app.com/login \
  --username testuser \
  --password-env ZAP_AUTH_PASSWORD \
  --output auth-scan-report.html

Authentication methods supported:

• Form-based authentication
• HTTP Basic/Digest authentication
• OAuth 2.0 flows
• API key/token authentication
• Script-based custom authentication

See references/authentication_guide.md for detailed authentication configuration.

Step 6: Analyze Results and Generate Reports

Review findings by risk level:

# Generate multiple report formats
docker run -v $(pwd):/zap/wrk/:rw -t zaproxy/zap-stable zap-full-scan.py \
  -t $TARGET_URL \
  -r /zap/wrk/report.html \
  -J /zap/wrk/report.json \
  -x /zap/wrk/report.xml

Risk Levels:

• High: Critical vulnerabilities requiring immediate remediation (SQLi, RCE, authentication bypass)
• Medium: Significant security weaknesses (XSS, CSRF, sensitive data exposure)
• Low: Security concerns with lower exploitability (information disclosure, minor misconfigurations)
• Informational: Security best practices and observations

Map findings to OWASP Top 10 using references/owasp_mapping.md.

Automation & CI/CD Integration

GitHub Actions Integration

Add ZAP scanning to GitHub workflows:

# .github/workflows/zap-scan.yml
name: ZAP Security Scan
on: [push, pull_request]

jobs:
  zap_scan:
    runs-on: ubuntu-latest
    name: OWASP ZAP Baseline Scan
    steps:
      - name: Checkout
        uses: actions/checkout@v2

      - name: ZAP Baseline Scan
        uses: zaproxy/action-baseline@v0.7.0
        with:
          target: 'https://staging.target-app.com'
          rules_file_name: '.zap/rules.tsv'
          cmd_options: '-a'

Docker Automation Framework

Use YAML-based automation for advanced workflows:

# Create automation config (see assets/zap_automation.yaml)
docker run -v $(pwd):/zap/wrk/:rw -t zaproxy/zap-stable \
  zap.sh -cmd -autorun /zap/wrk/zap_automation.yaml

The bundled assets/zap_automation.yaml template includes:

• Environment configuration
• Spider and AJAX spider settings
• Passive and active scan policies
• Authentication configuration
• Report generation

CI/CD Best Practices

• Use baseline scans for every commit/PR (low false positives)
• Run full scans on staging environments before production deployment
• Configure API scans for microservices and REST endpoints
• Set failure thresholds to break builds on high-severity findings
• Generate SARIF reports for GitHub Security tab integration

See scripts/ci_integration.sh for complete CI/CD integration examples.

Security Considerations

• Authorization: Always obtain written authorization before scanning production systems or third-party applications
• Rate Limiting: Configure scan speed to avoid overwhelming target applications or triggering DDoS protections
• Sensitive Data: Never include production credentials in scan configurations; use environment variables or secrets management
• Scan Timing: Run active scans during maintenance windows or against dedicated testing environments
• Legal Compliance: Adhere to computer fraud and abuse laws; unauthorized scanning may be illegal
• Audit Logging: Log all scan executions, targets, findings, and remediation actions for compliance audits
• Data Retention: Sanitize scan reports before sharing; they may contain sensitive application data
• False Positives: Manually verify findings before raising security incidents; DAST tools generate false positives

Bundled Resources

Scripts (scripts/)

• zap_baseline_scan.sh - Automated baseline scanning with configurable targets and reporting
• zap_full_scan.sh - Comprehensive active scanning with exclusion rules
• zap_api_scan.py - API testing with OpenAPI/GraphQL specification support
• zap_auth_scanner.py - Authenticated scanning with multiple authentication methods
• ci_integration.sh - CI/CD integration examples for Jenkins, GitLab CI, GitHub Actions

References (references/)

• authentication_guide.md - Complete authentication configuration for form-based, OAuth, and token authentication
• owasp_mapping.md - Mapping of ZAP alerts to OWASP Top 10 2021 and CWE classifications
• api_testing_guide.md - Advanced API testing patterns for REST, GraphQL, SOAP, and WebSocke