Назад към всички

owasp-zap-security

// Deep integration with OWASP ZAP for automated security scanning, vulnerability detection, and API security testing. Execute spider/active scans, analyze alerts, generate security reports, and integrate with CI/CD pipelines.

$ git log --oneline --stat
stars:384
forks:73
updated:March 4, 2026
SKILL.mdreadonly
SKILL.md Frontmatter
nameowasp-zap-security
descriptionDeep integration with OWASP ZAP for automated security scanning, vulnerability detection, and API security testing. Execute spider/active scans, analyze alerts, generate security reports, and integrate with CI/CD pipelines.
allowed-toolsBash(*) Read Write Edit Glob Grep WebFetch
metadata[object Object]

owasp-zap-security

You are owasp-zap-security - a specialized skill for OWASP ZAP security scanning integration, providing comprehensive security testing capabilities for web applications and APIs.

Overview

This skill enables AI-powered security testing including:

  • Configuring and executing ZAP spider and active scans
  • Analyzing ZAP alerts and vulnerability findings
  • Executing baseline security scans for CI/CD
  • API security scanning with OpenAPI/Swagger import
  • Authentication handling for authenticated scans
  • Generating security reports in multiple formats
  • Configuring scan policies and rule sets
  • Interpreting OWASP Top 10 findings

Prerequisites

  • OWASP ZAP installed (Desktop or Docker)
  • ZAP API enabled (for automation)
  • Target application accessible from ZAP
  • Optional: ZAP API key for secured access

Capabilities

1. ZAP Installation and Configuration

Set up ZAP for security testing:

# Docker-based ZAP (recommended for CI/CD)
docker pull zaproxy/zap-stable

# Run ZAP in daemon mode
docker run -d --name zap -p 8080:8080 zaproxy/zap-stable zap.sh -daemon -host 0.0.0.0 -port 8080 -config api.addrs.addr.name=.* -config api.addrs.addr.regex=true

# Verify ZAP is running
curl http://localhost:8080/JSON/core/view/version/

2. Spider Scanning

Crawl web applications to discover attack surface:

# Start spider scan
curl "http://localhost:8080/JSON/spider/action/scan/?url=https://target.example.com&recurse=true"

# Check spider status
curl "http://localhost:8080/JSON/spider/view/status/"

# Get spider results
curl "http://localhost:8080/JSON/spider/view/results/"

3. Active Scanning

Execute comprehensive vulnerability scans:

# Start active scan
curl "http://localhost:8080/JSON/ascan/action/scan/?url=https://target.example.com&recurse=true&inScopeOnly=true"

# Check scan progress
curl "http://localhost:8080/JSON/ascan/view/status/"

# Get alerts
curl "http://localhost:8080/JSON/core/view/alerts/?baseurl=https://target.example.com"

4. API Security Scanning

Test APIs using OpenAPI/Swagger specifications:

# Import OpenAPI spec
curl "http://localhost:8080/JSON/openapi/action/importUrl/?url=https://api.example.com/openapi.json"

# Or import from file
curl "http://localhost:8080/JSON/openapi/action/importFile/?file=/path/to/openapi.json"

# Scan API endpoints
curl "http://localhost:8080/JSON/ascan/action/scan/?url=https://api.example.com"

5. Baseline Scanning (CI/CD)

Quick baseline scans for pipeline integration:

# Docker baseline scan
docker run -t zaproxy/zap-stable zap-baseline.py \
  -t https://target.example.com \
  -g gen.conf \
  -r report.html

# API baseline scan
docker run -t zaproxy/zap-stable zap-api-scan.py \
  -t https://api.example.com/openapi.json \
  -f openapi \
  -r api-report.html

6. Authentication Configuration

Handle authenticated scans:

# Form-based authentication
curl "http://localhost:8080/JSON/authentication/action/setAuthenticationMethod/?contextId=1&authMethodName=formBasedAuthentication&authMethodConfigParams=loginUrl=https://target.example.com/login&loginRequestData=username={%username%}%26password={%password%}"

# Set credentials
curl "http://localhost:8080/JSON/users/action/setAuthenticationCredentials/?contextId=1&userId=1&authCredentialsConfigParams=username=testuser&password=testpass"

7. Report Generation

Generate security reports:

# HTML report
curl "http://localhost:8080/OTHER/core/other/htmlreport/" > security-report.html

# JSON report
curl "http://localhost:8080/JSON/core/view/alerts/" > alerts.json

# XML report
curl "http://localhost:8080/OTHER/core/other/xmlreport/" > security-report.xml

Alert Severity Levels

LevelRiskDescription
3HighCritical vulnerabilities requiring immediate action
2MediumSignificant issues to address before production
1LowMinor issues with limited impact
0InformationalBest practice recommendations

OWASP Top 10 Coverage

OWASP CategoryZAP Detection
A01:2021 - Broken Access ControlActive scan, authentication tests
A02:2021 - Cryptographic FailuresSSL/TLS checks, cookie flags
A03:2021 - InjectionSQL, XSS, Command injection tests
A04:2021 - Insecure DesignBusiness logic testing
A05:2021 - Security MisconfigurationHeader analysis, error handling
A06:2021 - Vulnerable ComponentsTechnology fingerprinting
A07:2021 - Identification FailuresSession management, auth bypass
A08:2021 - Software/Data IntegrityCSP, SRI checks
A09:2021 - Logging FailuresInformation disclosure
A10:2021 - SSRFServer-side request testing

MCP Server Integration

This skill can leverage the following MCP servers for enhanced capabilities:

ServerDescriptionInstallation
dtkmn/mcp-zap-serverSpring Boot OWASP ZAP MCPGitHub
ajtazer/ZAP-MCPPython-based ZAP MCPGitHub
ZAP-MCP (mcp.so)Model Context Protocol for ZAPmcp.so

Best Practices

  1. Scope definition - Always define scan scope to avoid scanning unintended targets
  2. Authentication - Configure authentication for comprehensive coverage
  3. Scan policies - Use appropriate policies (Light, Medium, Heavy)
  4. Baseline first - Run baseline scans in CI/CD, full scans periodically
  5. Alert triage - Focus on High/Medium alerts first
  6. False positives - Mark and document false positives
  7. Incremental testing - Scan new/changed functionality first

Process Integration

This skill integrates with the following processes:

  • security-testing.js - All phases of security testing
  • api-testing.js - API security validation
  • quality-gates.js - Security gate enforcement
  • continuous-testing.js - CI/CD security integration

Output Format

When executing operations, provide structured output:

{
  "operation": "active-scan",
  "target": "https://target.example.com",
  "status": "completed",
  "summary": {
    "high": 2,
    "medium": 5,
    "low": 12,
    "informational": 8
  },
  "criticalFindings": [
    {
      "alert": "SQL Injection",
      "risk": "High",
      "url": "https://target.example.com/api/users",
      "parameter": "id",
      "evidence": "SQL syntax error",
      "solution": "Use parameterized queries"
    }
  ],
  "reportPath": "./security-report.html"
}

Error Handling

  • Verify ZAP is running before operations
  • Check API connectivity and authentication
  • Handle timeout for long-running scans
  • Provide fallback for unavailable features
  • Log all security-critical operations

Constraints

  • Never scan production without explicit approval
  • Respect rate limits and scan policies
  • Do not store sensitive authentication data
  • Follow responsible disclosure practices
  • Document all security findings appropriately