How ZAP Tool Helps You Fight Web Application Vulnerabilities

Published on
March 27, 2015

How well protected are your web applications? With hacking incidents and data leakage on rise, it is now more important than ever to ask yourself this question. Hence, security testing is the perfect antidote to fixing the vulnerabilities found in web applications.

ZAP (Zed Attack Proxy) is one such open source tool used for integrated penetration testing done by developers and functional testers. An easy to use and simple tool, it offers automated scanners and a set of tools which allow you to find security vulnerabilities manually.

Important features:

Quick Start

It offers you an easy way to quickly test a web application. Enter the URL of your target application and press the 'Attack' button.


Sites Tab

It shows all of the URLs visited – Select any of the nodes in the tree to display the request and response for that URL in the relevant tab.


Request Tab

It shows the data sent by your browser for the request highlighted in either the Sites or History tab.


Response Tab

It shows the data sent to the browser for the request highlighted in either the Sites or History tab.


Break Tab

It allows you to change a request or response when it has been caught by ZAP via a breakpoint. The elements which can be changed are : The header, hidden fields, disabled fields.

While the Break tab is not in use it will be in grey colour: X

When a break point is hit the tab icon is changed to a red cross: :X


History Tab:

It shows a list of all requests in the order which they were made. For every request, you can see:

The request index - Each request is numbered, starting at 1

The HTML method, e.g. GET or POST

The URL requested

The HTTP response code

A short summary of what the HTTP response code means

The length of time the whole request took.

Any Alerts on the request.

Any Notes you have added to request

Any Tags on the request


Search Tab

It allows you to search for regular expressions in all of the URLs, requests, responses, headers and fuzz results.


Break Points tab

It shows all the break points that you have set. It can be set via the History and Sites tabs as well as the 'Add a custom HTTP break point' button on the top level toolbar.


Alerts tab

It shows the Alerts that have been raised in this session.Double clicking an alert will display the ‘Add Alert dialog’ which will allow you to change the alert details.


Active Scan tab

It allows you to perform an active scan on any of the sites that have been accessed.


Spider tab

It shows you a set of unique URIs found by the Spider during the scans.The toolbar provides a set of buttons which allow you to start, stop, pause and resume the scan. A progress bar shows how far the scan of the selected site has progressed.

For each request you can see:

Processed - Whether the URI was processed by the Spider or was skipped from fetching because of a rule (e.g. it was out of scope)

Method - The HTTP method, e.g. GET or POST, through which the resource should be accessed

URI - the resource found

Flags - any information about the URI (e.g. if it's a seed or why was it not processed)


Fuzzer tab

The Fuzzer tab shows you the requests and responses performed when you fuzz a string.

Params tab

This shows a summary of the parameters a site uses. Sites can be selected via the toolbar or the Sites tab.


Http Sessions tab

This tab shows you the set of identified HTTP sessions for each Site, as detected by the HTTP Sessions extension.


Active Scan Rules

This rule checks the headers of secure pages and reports an alert if they allow a browser to cache the page.


AJAX Spider tab

The AJAX Spider tab shows you the set of unique URIs found by AJAX Spider:


WebSocket tab

The WebSockets tab displays all messages from WebSocket connections. While ZAP is active, visit e.g.: Mozilla's Browser Quest to see WebSockets in action.


Forced Browse tab

The Forced Browse tab allows you to perform a browse scan on any of the sites that have been accessed.


Setup a consultation