Skills DirectorySkills Directory
Back to skills

Dast Zap

Dynamic application security testing (DAST) using OWASP ZAP (Zed Attack Proxy) with passive and active scanning, API testing, and OWASP Top 10 vulnerability detection. Use when: (1) Performing runtime security testing of web applications and APIs, (2) Detecting vulnerabilities like XSS, SQL injection, and authentication flaws in deployed applications, (3) Automating security scans in CI/CD pipelines with Docker containers, (4) Conducting authenticated testing with session management, (5) Gene...

14 stars
0 votes
0 copies
0 views
Added 12/19/2025
testing-securityjavascriptpythongojavabashsqldockerawsazuretesting

Works with

api

Install via CLI

$openskills install AgentSecOps/SecOpsAgentKit
Download Zip
Files
SKILL.md
---
name: dast-zap
description: >
  Dynamic application security testing (DAST) using OWASP ZAP (Zed Attack Proxy) with passive and active scanning,
  API testing, and OWASP Top 10 vulnerability detection. Use when: (1) Performing runtime security testing of web
  applications and APIs, (2) Detecting vulnerabilities like XSS, SQL injection, and authentication flaws in deployed
  applications, (3) Automating security scans in CI/CD pipelines with Docker containers, (4) Conducting authenticated
  testing with session management, (5) Generating security reports with OWASP and CWE mappings for compliance.
version: 0.1.0
maintainer: SirAppSec
category: appsec
tags: [dast, zap, web-security, owasp, vulnerability-scanning, api-testing, penetration-testing]
frameworks: [OWASP, CWE]
dependencies:
  tools: [docker]
  optional: [python3, java]
references:
  - https://www.zaproxy.org/docs/
  - https://www.zaproxy.org/docs/docker/
  - https://www.zaproxy.org/docs/desktop/start/features/
---

# DAST with OWASP ZAP

## Overview

OWASP ZAP (Zed Attack Proxy) is an open-source DAST tool that acts as a manipulator-in-the-middle proxy to intercept,
inspect, and test web application traffic for security vulnerabilities. ZAP provides automated passive and active
scanning, API testing capabilities, and seamless CI/CD integration for runtime security testing.

## Quick Start

### Baseline Scan (Docker)

Run a quick passive security scan:

```bash
docker run -t zaproxy/zap-stable zap-baseline.py -t https://target-app.com -r baseline-report.html
```

### Full Active Scan (Docker)

Perform comprehensive active vulnerability testing:

```bash
docker run -t zaproxy/zap-stable zap-full-scan.py -t https://target-app.com -r full-scan-report.html
```

### API Scan with OpenAPI Spec

Test APIs using OpenAPI/Swagger specification:

```bash
docker run -v $(pwd):/zap/wrk/:rw -t zaproxy/zap-stable zap-api-scan.py \
  -t https://api.target.com \
  -f openapi \
  -d /zap/wrk/openapi-spec.yaml \
  -r /zap/wrk/api-report.html
```

## Core Workflow

### Step 1: Define Scan Scope and Target

Identify the target application URL and define scope:

```bash
# Set target URL
TARGET_URL="https://target-app.com"

# For authenticated scans, prepare authentication context
# See references/authentication_guide.md for detailed setup
```

**Scope Considerations:**
- Exclude third-party domains and CDN URLs
- Include all application subdomains and API endpoints
- Respect scope limitations in penetration testing engagements

### Step 2: Run Passive Scanning

Execute passive scanning to analyze traffic without active attacks:

```bash
# Baseline scan performs spidering + passive scanning
docker run -t zaproxy/zap-stable zap-baseline.py \
  -t $TARGET_URL \
  -r baseline-report.html \
  -J baseline-report.json
```

**What Passive Scanning Detects:**
- Missing security headers (CSP, HSTS, X-Frame-Options)
- Information disclosure in responses
- Cookie security issues (HttpOnly, Secure flags)
- Basic authentication weaknesses
- Application fingerprinting data

### Step 3: Execute Active Scanning

Perform active vulnerability testing (requires authorization):

```bash
# Full scan includes spidering + passive + active scanning
docker run -t zaproxy/zap-stable zap-full-scan.py \
  -t $TARGET_URL \
  -r full-scan-report.html \
  -J full-scan-report.json \
  -z "-config api.addrs.addr.name=.* -config api.addrs.addr.regex=true"
```

**Active Scanning Coverage:**
- SQL Injection (SQLi)
- Cross-Site Scripting (XSS)
- Path Traversal
- Command Injection
- XML External Entity (XXE)
- Server-Side Request Forgery (SSRF)
- Security Misconfigurations

**WARNING:** Active scanning performs real attacks. Only run against applications you have explicit authorization to test.

### Step 4: Test APIs with Specifications

Scan REST, GraphQL, and SOAP APIs:

```bash
# OpenAPI/Swagger API scan
docker run -v $(pwd):/zap/wrk/:rw -t zaproxy/zap-stable zap-api-scan.py \
  -t https://api.target.com \
  -f openapi \
  -d /zap/wrk/openapi.yaml \
  -r /zap/wrk/api-report.html

# GraphQL API scan
docker run -v $(pwd):/zap/wrk/:rw -t zaproxy/zap-stable zap-api-scan.py \
  -t https://api.target.com/graphql \
  -f graphql \
  -d /zap/wrk/schema.graphql \
  -r /zap/wrk/graphql-report.html
```

Consult `references/api_testing_guide.md` for advanced API testing patterns including authentication and rate limiting.

### Step 5: Handle Authentication

For testing authenticated application areas:

```bash
# Use bundled script for authentication setup
python3 scripts/zap_auth_scanner.py \
  --target $TARGET_URL \
  --auth-type form \
  --login-url https://target-app.com/login \
  --username testuser \
  --password-env ZAP_AUTH_PASSWORD \
  --output auth-scan-report.html
```

Authentication methods supported:
- Form-based authentication
- HTTP Basic/Digest authentication
- OAuth 2.0 flows
- API key/token authentication
- Script-based custom authentication

See `references/authentication_guide.md` for detailed authentication configuration.

### Step 6: Analyze Results and Generate Reports

Review findings by risk level:

```bash
# Generate multiple report formats
docker run -v $(pwd):/zap/wrk/:rw -t zaproxy/zap-stable zap-full-scan.py \
  -t $TARGET_URL \
  -r /zap/wrk/report.html \
  -J /zap/wrk/report.json \
  -x /zap/wrk/report.xml
```

**Risk Levels:**
- **High**: Critical vulnerabilities requiring immediate remediation (SQLi, RCE, authentication bypass)
- **Medium**: Significant security weaknesses (XSS, CSRF, sensitive data exposure)
- **Low**: Security concerns with lower exploitability (information disclosure, minor misconfigurations)
- **Informational**: Security best practices and observations

Map findings to OWASP Top 10 using `references/owasp_mapping.md`.

## Automation & CI/CD Integration

### GitHub Actions Integration

Add ZAP scanning to GitHub workflows:

```yaml
# .github/workflows/zap-scan.yml
name: ZAP Security Scan
on: [push, pull_request]

jobs:
  zap_scan:
    runs-on: ubuntu-latest
    name: OWASP ZAP Baseline Scan
    steps:
      - name: Checkout
        uses: actions/checkout@v2

      - name: ZAP Baseline Scan
        uses: zaproxy/action-baseline@v0.7.0
        with:
          target: 'https://staging.target-app.com'
          rules_file_name: '.zap/rules.tsv'
          cmd_options: '-a'
```

### Docker Automation Framework

Use YAML-based automation for advanced workflows:

```bash
# Create automation config (see assets/zap_automation.yaml)
docker run -v $(pwd):/zap/wrk/:rw -t zaproxy/zap-stable \
  zap.sh -cmd -autorun /zap/wrk/zap_automation.yaml
```

The bundled `assets/zap_automation.yaml` template includes:
- Environment configuration
- Spider and AJAX spider settings
- Passive and active scan policies
- Authentication configuration
- Report generation

### CI/CD Best Practices

- Use **baseline scans** for every commit/PR (low false positives)
- Run **full scans** on staging environments before production deployment
- Configure **API scans** for microservices and REST endpoints
- Set **failure thresholds** to break builds on high-severity findings
- Generate **SARIF reports** for GitHub Security tab integration

See `scripts/ci_integration.sh` for complete CI/CD integration examples.

## Security Considerations

- **Authorization**: Always obtain written authorization before scanning production systems or third-party applications
- **Rate Limiting**: Configure scan speed to avoid overwhelming target applications or triggering DDoS protections
- **Sensitive Data**: Never include production credentials in scan configurations; use environment variables or secrets management
- **Scan Timing**: Run active scans during maintenance windows or against dedicated testing environments
- **Legal Compliance**: Adhere to computer fraud and abuse laws; unauthorized scanning may be illegal
- **Audit Logging**: Log all scan executions, targets, findings, and remediation actions for compliance audits
- **Data Retention**: Sanitize scan reports before sharing; they may contain sensitive application data
- **False Positives**: Manually verify findings before raising security incidents; DAST tools generate false positives

## Bundled Resources

### Scripts (`scripts/`)

- `zap_baseline_scan.sh` - Automated baseline scanning with configurable targets and reporting
- `zap_full_scan.sh` - Comprehensive active scanning with exclusion rules
- `zap_api_scan.py` - API testing with OpenAPI/GraphQL specification support
- `zap_auth_scanner.py` - Authenticated scanning with multiple authentication methods
- `ci_integration.sh` - CI/CD integration examples for Jenkins, GitLab CI, GitHub Actions

### References (`references/`)

- `authentication_guide.md` - Complete authentication configuration for form-based, OAuth, and token authentication
- `owasp_mapping.md` - Mapping of ZAP alerts to OWASP Top 10 2021 and CWE classifications
- `api_testing_guide.md` - Advanced API testing patterns for REST, GraphQL, SOAP, and WebSocket
- `scan_policies.md` - Custom scan policy configuration for different application types
- `false_positive_handling.md` - Common false positives and verification techniques

### Assets (`assets/`)

- `zap_automation.yaml` - Automation framework configuration template
- `zap_context.xml` - Context configuration with authentication and session management
- `scan_policy_modern_web.policy` - Scan policy optimized for modern JavaScript applications
- `scan_policy_api.policy` - Scan policy for REST and GraphQL APIs
- `github_action.yml` - GitHub Actions workflow template
- `gitlab_ci.yml` - GitLab CI pipeline template

## Common Patterns

### Pattern 1: Progressive Scanning (Speed vs. Coverage)

Start with fast scans and progressively increase depth:

```bash
# Stage 1: Quick baseline scan (5-10 minutes)
docker run -t zaproxy/zap-stable zap-baseline.py -t $TARGET_URL -r baseline.html

# Stage 2: Full spider + passive scan (15-30 minutes)
docker run -t zaproxy/zap-stable zap-baseline.py -t $TARGET_URL -r baseline.html -c baseline-rules.tsv

# Stage 3: Targeted active scan on critical endpoints (1-2 hours)
docker run -t zaproxy/zap-stable zap-full-scan.py -t $TARGET_URL -r full.html -c full-rules.tsv
```

### Pattern 2: API-First Testing

Prioritize API security testing:

```bash
# 1. Test API endpoints with specification
docker run -v $(pwd):/zap/wrk/:rw -t zaproxy/zap-stable zap-api-scan.py \
  -t https://api.target.com -f openapi -d /zap/wrk/openapi.yaml -r /zap/wrk/api.html

# 2. Run active scan on discovered API endpoints
# (ZAP automatically includes spidered API routes)

# 3. Test authentication flows
python3 scripts/zap_auth_scanner.py --target https://api.target.com --auth-type bearer --token-env API_TOKEN
```

### Pattern 3: Authenticated Web Application Testing

Test complete application including protected areas:

```bash
# 1. Configure authentication context
# See assets/zap_context.xml for template

# 2. Run authenticated scan
python3 scripts/zap_auth_scanner.py \
  --target https://app.target.com \
  --auth-type form \
  --login-url https://app.target.com/login \
  --username testuser \
  --password-env APP_PASSWORD \
  --verification-url https://app.target.com/dashboard \
  --output authenticated-scan.html

# 3. Review session-specific vulnerabilities (CSRF, privilege escalation)
```

### Pattern 4: CI/CD Security Gate

Implement ZAP as a security gate in deployment pipelines:

```bash
# Run baseline scan and fail build on high-risk findings
docker run -t zaproxy/zap-stable zap-baseline.py \
  -t https://staging.target.com \
  -r baseline-report.html \
  -J baseline-report.json \
  --hook=scripts/ci_integration.sh

# Check exit code
if [ $? -ne 0 ]; then
  echo "Security scan failed! High-risk vulnerabilities detected."
  exit 1
fi
```

## Integration Points

- **CI/CD**: GitHub Actions, GitLab CI, Jenkins, Azure DevOps, CircleCI
- **Issue Tracking**: Jira, GitHub Issues (via SARIF), ServiceNow
- **Security Tools**: Defect Dojo (vulnerability management), SonarQube, OWASP Dependency-Check
- **SDLC**: Pre-production testing phase, security regression testing, penetration testing preparation
- **Authentication**: Integrates with OAuth providers, SAML, API gateways, custom authentication scripts
- **Reporting**: HTML, JSON, XML, Markdown, SARIF (for GitHub Security), PDF (via custom scripts)

## Troubleshooting

### Issue: Docker Container Cannot Reach Target Application

**Solution**: For scanning applications running on localhost or in other containers:

```bash
# Scanning host application from Docker container
# Use docker0 bridge IP instead of localhost
HOST_IP=$(ip -4 addr show docker0 | grep -Po 'inet \K[\d.]+')
docker run -t zaproxy/zap-stable zap-baseline.py -t http://$HOST_IP:8080

# Scanning between containers - create shared network
docker network create zap-network
docker run --network zap-network -t zaproxy/zap-stable zap-baseline.py -t http://app-container:8080
```

### Issue: Scan Completes Too Quickly (Incomplete Coverage)

**Solution**: Increase spider depth and scan duration:

```bash
# Configure spider to crawl deeper
docker run -t zaproxy/zap-stable zap-baseline.py \
  -t $TARGET_URL \
  -r report.html \
  -z "-config spider.maxDepth=10 -config spider.maxDuration=60"
```

For JavaScript-heavy applications, use AJAX spider or Automation Framework.

### Issue: High False Positive Rate

**Solution**: Create custom scan policy and rules file:

```bash
# Use bundled false positive handling guide
# See references/false_positive_handling.md

# Generate rules file to suppress false positives
# Format: alert_id  URL_pattern  parameter  CWE_id  WARN|IGNORE|FAIL
echo "10202  https://target.com/static/.*  .*  798  IGNORE" >> .zap/rules.tsv

docker run -t zaproxy/zap-stable zap-baseline.py -t $TARGET_URL -c .zap/rules.tsv
```

### Issue: Authentication Session Expires During Scan

**Solution**: Configure session re-authentication:

```bash
# Use bundled authentication script with session monitoring
python3 scripts/zap_auth_scanner.py \
  --target $TARGET_URL \
  --auth-type form \
  --login-url https://target.com/login \
  --username testuser \
  --password-env PASSWORD \
  --re-authenticate-on 401,403 \
  --verification-interval 300
```

### Issue: Scan Triggering Rate Limiting or WAF Blocking

**Solution**: Reduce scan aggressiveness:

```bash
# Slower scan with delays between requests
docker run -t zaproxy/zap-stable zap-baseline.py \
  -t $TARGET_URL \
  -r report.html \
  -z "-config scanner.threadPerHost=1 -config scanner.delayInMs=1000"
```

## References

- [OWASP ZAP Documentation](https://www.zaproxy.org/docs/)
- [ZAP Docker Documentation](https://www.zaproxy.org/docs/docker/)
- [OWASP Top 10 2021](https://owasp.org/Top10/)
- [ZAP Automation Framework](https://www.zaproxy.org/docs/automate/automation-framework/)
- [GitHub Actions for ZAP](https://github.com/zaproxy/action-baseline)

Attribution

AgentSecOpsAgentSecOps
View source

Comments (0)

No comments yet. Be the first to comment!