ZAP (Zed Attack Proxy)
ZAP is a web application security scanner that performs dynamic application security testing (DAST). It works against the running application over HTTP(S), crawling it (driving a real browser where pages depend on JavaScript) and sending attack requests, so it finds issues that only show up at runtime rather than in source code.
What it does
ZAP is built for testing web apps and APIs exposed over HTTP(S). It can detect cross-site scripting (XSS), SQL injection, missing anti-CSRF tokens, security misconfigurations (such as missing security headers or cookie flags), and many other classes of flaws in web-facing code and configuration.
Target types
Targets must be URLs that start with http:// or https://. Enter the entry point you want tested (for example your app's base URL or API root).
Web URLs only
ZAP is not the right choice for bare IPs or hostnames without a scheme - use OpenVAS, Nmap, or Nuclei for pure network targets.
When to use this scanner
Use ZAP for DAST and application security testing when you need to assess how your site or API behaves under attack. It can test public pages and, with setup, authenticated or logged-in areas so you are not limited to unauthenticated surface area.
Authenticated scanning (Basic plan and above) uses Selenium Python scripts you provide to log in or establish a session before the crawl and attack phases. That enables coverage of protected routes and workflows.
Authenticated scans
Upload or configure your Selenium script where the New Scan form allows it so ZAP can reach logged-in content. Use a dedicated test account rather than a real user's: the attack phase submits payloads through every form it can reach as that user. See Authenticated Scanning for guidance.
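The shape of a login script, as an added example that is not code from Panoptic Scans or ZAP. It assumes a conventional username/password form; the login path, field IDs, the logged-in marker, the environment variable names, and the `login(base_url)` entry point are all placeholders for your own application, since this page does not specify the script interface. It reads credentials from the environment so they never sit in the uploaded file, waits for an element only a logged-in user sees so a failed login is detected instead of silently producing an unauthenticated crawl, and returns the session cookies the browser obtained. Chrome must be installed for the browser part to run.

```python
import os
from typing import Dict, List

# Assumed for this example: your application's login form layout and the
# names of the environment variables that hold the test account credentials.
LOGIN_PATH = "/login"
USERNAME_FIELD = "username"
PASSWORD_FIELD = "password"
SUBMIT_SELECTOR = "button[type=submit]"
LOGGED_IN_MARKER = "a[href='/logout']"   # something only a logged-in user sees


def credentials_from_env() -> Dict[str, str]:
    """Read the test account credentials from the environment, never from the script."""
    user = os.environ.get("SCAN_USERNAME")
    password = os.environ.get("SCAN_PASSWORD")
    if not user or not password:
        raise RuntimeError("set SCAN_USERNAME and SCAN_PASSWORD before running the login script")
    return {"username": user, "password": password}


def cookie_header(cookies: List[Dict[str, str]]) -> str:
    """Flatten Selenium cookie dicts ({'name': ..., 'value': ...}) into one Cookie header value."""
    return "; ".join(f"{c['name']}={c['value']}" for c in cookies)


def login(base_url: str, headless: bool = True) -> List[Dict[str, str]]:
    """Log in with a real browser and return the session cookies it holds afterwards."""
    # Imported inside the function so the helpers above work without Selenium installed.
    from selenium import webdriver
    from selenium.webdriver.common.by import By
    from selenium.webdriver.support import expected_conditions as EC
    from selenium.webdriver.support.ui import WebDriverWait

    creds = credentials_from_env()
    options = webdriver.ChromeOptions()
    if headless:
        options.add_argument("--headless=new")
    driver = webdriver.Chrome(options=options)
    try:
        driver.get(base_url.rstrip("/") + LOGIN_PATH)
        wait = WebDriverWait(driver, 15)
        wait.until(EC.presence_of_element_located((By.ID, USERNAME_FIELD))).send_keys(creds["username"])
        driver.find_element(By.ID, PASSWORD_FIELD).send_keys(creds["password"])
        driver.find_element(By.CSS_SELECTOR, SUBMIT_SELECTOR).click()
        # Fail loudly if the post-login marker never appears: a wrong password or a
        # changed form would otherwise turn the scan into an unauthenticated one.
        wait.until(EC.presence_of_element_located((By.CSS_SELECTOR, LOGGED_IN_MARKER)))
        return driver.get_cookies()
    finally:
        driver.quit()


if __name__ == "__main__":
    import sys
    # Usage: SCAN_USERNAME=... SCAN_PASSWORD=... python login.py https://staging.example.com
    print(cookie_header(login(sys.argv[1])))
```

Run it once by hand against your staging host before attaching it to a scan; if the final wait times out, fix the selectors or credentials rather than letting the scan proceed without a session.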
Target format
Examples of valid targets:
https://app.example.com
https://api.example.com/v1/
http://staging.example.com:8080/
Examples of invalid targets for ZAP in Panoptic Scans:
example.com
192.0.2.10
192.0.2.10:443
//example.com
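A pre-flight check that applies the rules above, as an added example rather than code from Panoptic Scans or ZAP. It rejects anything without an http:// or https:// scheme, which covers bare hostnames, bare IPs, host:port pairs and scheme-relative //host forms, and it goes slightly beyond the list on this page by also rejecting other schemes such as ftp://, empty hosts and malformed ports. The function name and the (ok, reason) return shape are the example's own.

```python
from typing import Tuple
from urllib.parse import urlsplit

ACCEPTED_SCHEMES = ("http", "https")


def check_target(target: str) -> Tuple[bool, str]:
    """Return (ok, reason) for a candidate ZAP target URL.

    ok is True only when the target has an http or https scheme, a host, and a
    well-formed port; reason explains a rejection in one line.
    """
    target = target.strip()
    if "://" not in target:
        # Bare hostnames, bare IPs, host:port pairs and //host all land here.
        return False, "missing scheme: target must start with http:// or https://"

    parts = urlsplit(target)
    # Scheme names are case-insensitive, so HTTPS://... is accepted as https.
    if parts.scheme.lower() not in ACCEPTED_SCHEMES:
        return False, f"unsupported scheme {parts.scheme!r}: only http and https are accepted"
    if not parts.hostname:
        return False, "missing host after the scheme"
    try:
        parts.port  # raises ValueError for a non-numeric or out-of-range port
    except ValueError as exc:
        return False, f"bad port: {exc}"
    return True, "ok"


if __name__ == "__main__":
    # The valid and invalid examples listed on this page, plus two extra rejections.
    for candidate in [
        "https://app.example.com",
        "https://api.example.com/v1/",
        "http://staging.example.com:8080/",
        "example.com",
        "192.0.2.10",
        "192.0.2.10:443",
        "//example.com",
        "ftp://example.com",
        "http://staging.example.com:abc/",
    ]:
        ok, reason = check_target(candidate)
        print(f"{'VALID  ' if ok else 'INVALID'} {candidate:40} {reason}")
```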
How to run a scan
Go to New Scan, choose ZAP as the scan type, and enter your full http:// or https:// URL. Add a scan name, attach an authentication script if your plan supports it, configure any optional schedule, then create the scan. See Running Scans for a full walkthrough of the form.