OWASP ZAP cheat sheet for vulnerability assessment and penetration testing

This OWASP ZAP cheat sheet provides comprehensive commands for web application security testing, from quick automated scans to advanced manual testing techniques used in professional penetration testing and vulnerability assessment workflows.

Installation & Setup

Installing ZAP across different platforms and initial configuration for security testing.

bash

# Install on Kali Linux
sudo apt update && sudo apt install zaproxy

# Install on Ubuntu/Debian
sudo apt install zaproxy

# Install via Docker (recommended for PT)
docker pull owasp/zap2docker-stable
docker run -u zap -p 8080:8080 -i owasp/zap2docker-stable zap.sh -daemon -host 0.0.0.0 -port 8080

# Install on macOS
brew install --cask owasp-zap

# Install on Windows
# Download from: https://www.zaproxy.org/download/

# Command line verification
zap.sh -version
zap.bat -version  # Windows

# Update add-ons
zap.sh -addonupdate

Quick Start & Basic Scanning

Rapid setup and initial automated scanning of web applications.

bash

# Quick start with automated scan
zap.sh -cmd -quickurl http://target.com -quickout /tmp/report.html

# Baseline scan (passive only)
zap.sh -cmd -quickurl http://target.com -quickprogress -config scanner.disableAttackMode=true

# Full automated scan (active + passive)
zap.sh -cmd -quickurl http://target.com -quickout /tmp/full_scan.html -config api.disablekey=true

# Docker quick scan
docker run -i owasp/zap2docker-stable zap-baseline.py -t http://target.com

# Spider only
zap.sh -cmd -quickurl http://target.com -spider

# Generate reports in different formats
zap.sh -cmd -quickurl http://target.com -quickout /tmp/report.json -format json

Reconnaissance & Spidering Phase

Discovering application structure, endpoints, and hidden content.

bash

# Start ZAP in daemon mode for API access
zap.sh -daemon -host 0.0.0.0 -port 8080 -config api.disablekey=true

# Traditional spider via API
curl "http://localhost:8080/JSON/spider/action/scan/?url=http://target.com&maxChildren=10"

# AJAX spider for modern web apps
curl "http://localhost:8080/JSON/ajaxSpider/action/scan/?url=http://target.com"

# Import sitemap/URLs from file
curl -F "file=@urls.txt" "http://localhost:8080/JSON/importurls/action/importurls/"

# Force directory browsing
curl "http://localhost:8080/JSON/directoryBrowsing/action/setEnabled/?boolean=true"

# Configure spider parameters
curl "http://localhost:8080/JSON/spider/action/setOptionMaxDepth/?Integer=5"
curl "http://localhost:8080/JSON/spider/action/setOptionMaxDuration/?Integer=10"

Automated Vulnerability Scanning

Running comprehensive automated tests for common web vulnerabilities.

bash

# Active scan via API
curl "http://localhost:8080/JSON/ascan/action/scan/?url=http://target.com&recurse=true&inScopeOnly=true"

# Scan specific policy
curl "http://localhost:8080/JSON/ascan/action/scan/?url=http://target.com&scanPolicyName=Default%20Policy"

# Stop all active scans
curl "http://localhost:8080/JSON/ascan/action/stopAllScans/"

# Get scan progress
curl "http://localhost:8080/JSON/ascan/view/status/?scanId=0"

# Configure scan strength and threshold
curl "http://localhost:8080/JSON/ascan/action/setOptionAttackStrength/?Integer=3"  # 0=Low, 1=Medium, 2=High, 3=Insane
curl "http://localhost:8080/JSON/ascan/action/setOptionAlertThreshold/?Integer=2"  # 0=Off, 1=Low, 2=Medium, 3=High

# Enable specific scanners
curl "http://localhost:8080/JSON/pscan/action/enableAllScanners/"

Manual Testing Assistance

Using ZAP as an intercepting proxy for manual penetration testing.

bash

# Configure ZAP as system proxy
export http_proxy=http://localhost:8080
export https_proxy=http://localhost:8080

# Browser configuration for manual testing
# Firefox/Chrome: Configure proxy as localhost:8080

# Break on all requests
curl "http://localhost:8080/JSON/break/action/break/?type=http-all&state=true"

# Add request/response breakpoints
curl "http://localhost:8080/JSON/break/action/break/?string=admin&type=http-response&state=true"

# Send request from command line through ZAP
curl -x http://localhost:8080 http://target.com/login

# Fuzzing with built-in payloads
curl "http://localhost:8080/JSON/fuzz/action/startFuzzer/?url=http://target.com/search&param=query"

Authentication & Session Management Testing

Testing authentication mechanisms, session handling, and access controls.

bash

# Configure form-based authentication
curl "http://localhost:8080/JSON/authentication/action/setAuthenticationMethod/?contextId=1&authMethodName=formBasedAuthentication"

# Set login credentials
curl "http://localhost:8080/JSON/authentication/action/setCredentials/?contextId=1&authCredentials=username%3Dadmin%26password%3Dpassword"

# Configure session management
curl "http://localhost:8080/JSON/sessionManagement/action/setSessionManagementMethod/?contextId=1&methodName=cookieBasedSessionManagement"

# Test for session fixation
curl "http://localhost:8080/JSON/ascan/action/enableScanners/?ids=40014,40015"  # Session Fixation scanners

# Test for broken authentication
curl "http://localhost:8080/JSON/ascan/action/enableScanners/?ids=40003,40005,40006"  # Auth-related scanners

# Configure forced browsing for access control testing
curl "http://localhost:8080/JSON/forcedBrowse/action/startForcedBrowse/?contextId=1"

Advanced Scanning Techniques

Custom scanning configurations and advanced testing scenarios.

bash

# Custom scan policy creation
curl "http://localhost:8080/JSON/ascan/action/importScanPolicy/?path=/tmp/custom.policy"

# Enable only high-risk vulnerability scanners
curl "http://localhost:8080/JSON/ascan/action/enableScanners/?ids=0-10000"  # Enable all, then...
curl "http://localhost:8080/JSON/ascan/action/disableScanners/?ids=30001,30002"  # Disable specific ones

# Script-based scanning
curl "http://localhost:8080/JSON/script/action/load/?scriptName=Custom%20Scanner&scriptType=active&scriptEngine=JavaScript&fileName=/tmp/custom.js"

# API scanning with OpenAPI/Swagger
curl "http://localhost:8080/JSON/openapi/action/importUrl/?url=http://target.com/swagger.json"

# GraphQL endpoint testing
curl "http://localhost:8080/JSON/graphql/action/importUrl/?url=http://target.com/graphql"

# Websocket testing
curl "http://localhost:8080/JSON/websocket/action/enableAllChannelFilters/"

API & Headless Scanning

Automated scanning workflows for CI/CD and API security testing.

bash

# Full pipeline scan script
zap.sh -cmd -quickurl http://target.com -quickout report.html -config api.disablekey=true

# Docker-based API scan
docker run -i owasp/zap2docker-stable zap-api-scan.py -t http://target.com/api/swagger.json -f openapi

# Full scan with custom context
docker run -i owasp/zap2docker-stable zap-full-scan.py -t http://target.com -a -j -m 5

# Baseline scan in CI
docker run -i owasp/zap2docker-stable zap-baseline.py -t http://target.com -I -j -m 5

# Generate machine-readable reports
zap.sh -cmd -quickurl http://target.com -quickout /tmp/report.json -format json
zap.sh -cmd -quickurl http://target.com -quickout /tmp/report.xml -format xml

# Custom scan with specific rules
zap.sh -cmd -quickurl http://target.com -config scanner.attackStrength=HIGH -config scanner.alertThreshold=MEDIUM

Reporting & Analysis

Generating comprehensive reports and analyzing results.

bash

# Generate HTML report
curl "http://localhost:8080/JSON/reports/action/generate/?title=Security%20Report&template=traditional-html&theme=dark&description=Full%20scan%20report&contexts=1&sites=http://target.com&reportfilename=/tmp/report.html&reportdir=/tmp"

# Generate JSON report
curl "http://localhost:8080/JSON/core/action/saveSession/?name=/tmp/session.session"
curl "http://localhost:8080/JSON/core/action/htmlreport/?apikey=" > report.html

# Export alerts
curl "http://localhost:8080/JSON/core/action/alerts/?baseurl=http://target.com" > alerts.json

# Generate risk summary
curl "http://localhost:8080/JSON/core/action/alertsSummary/"

# Export URLs discovered
curl "http://localhost:8080/JSON/core/action/urls/" > urls.json

# Compare with previous scans
curl "http://localhost:8080/JSON/compare/action/compare/?session1=/tmp/scan1.session&session2=/tmp/scan2.session"

Integration with PT Workflow

Integrating ZAP into penetration testing methodologies and tools.

bash

# Start ZAP for Burp Suite comparison
zap.sh -daemon -port 8080 -config api.disablekey=true

# Import from other tools
curl -F "file=@burp_export.xml" "http://localhost:8080/JSON/import/action/importBurpSession/"

# Export to other tools
curl "http://localhost:8080/OTHER/core/other/htmlreport/" > zap_report.html

# Integration with Metasploit
# Use ZAP findings to guide Metasploit web module selection

# CI/CD pipeline integration
zap.sh -cmd -quickurl ${TARGET_URL} -quickout ${WORKSPACE}/zap_report.html -config api.disablekey=true

# Custom script integration
curl "http://localhost:8080/JSON/script/action/runStandaloneScript/?scriptName=Custom%20Test"

Quick Reference - Common Scanners

bash

# Critical vulnerability scanners
SQL Injection: 40018, 40019
XSS: 40012, 40013, 40014
CSRF: 40008
XXE: 90023
SSRF: 40046

# Authentication testing
Broken Auth: 40003
Session Issues: 40014, 40015

# Information disclosure
Directory Browsing: 40033
Information Leakage: 40037

# Command line quick scans
zap-baseline.py -t http://target.com -I -j -m 10
zap-full-scan.py -t http://target.com -a -j -m 20
zap-api-scan.py -t openapi.json -f openapi -I -j

Common Configuration Parameters

bash

# API configuration
-config api.disablekey=true
-config api.incerrordetails=true

# Scanner configuration
-config scanner.attackStrength=HIGH
-config scanner.alertThreshold=MEDIUM
-config connection.timeoutInSecs=60

# Spider configuration
-config spider.maxDuration=60
-config spider.maxChildren=50

# Performance tuning
-config connection.dnsTtlSuccessfulQueries=60
-config connection.socketTimeout=30