🌐 Web application security
OWASP ZAP
Free, full-featured web application security scanner from OWASP.
Why use it
ZAP is the closest free alternative to Burp Suite Professional. Active scanning, passive scanning, fuzzing, scripting, automation — it does the lot. Perfect for testing your own web apps and APIs.
What you get
- Active and passive web scanning
- Spider and AJAX spider for SPA crawling
- API/OpenAPI import for targeted scans
- Fuzzer for parameter testing
- Headless mode for CI integration
System requirements
| Requirement | Value |
|---|---|
| CPU | 2 cores |
| RAM | 4 GB |
| Disk | 500 MB |
| OS | Linux, macOS, Windows |
| Docker | Yes |
Installation
Download from `zaproxy.org/download/` for desktop. For CI use the Docker image: `docker run -t owasp/zap2docker-stable zap-baseline.py -t https://target.com`. The Quick Start tab in the GUI walks you through your first scan.
Suggested configuration
Always run the baseline scan first to catch low-hanging fruit before active scanning. Configure context to scope the scan correctly — ZAP will happily scan everything if you don't tell it not to. Use the API to integrate into CI as a quality gate.
Integration ideas
- Run in GitHub Actions / GitLab CI per PR
- Import findings into TheHive as cases
- Combine with Nuclei for templated CVE checks
Alternatives
- Burp Suite Community — Better intercept proxy UX; no active scanner in free tier.
- Nikto — Older signature scanner; far less coverage.
Cyentrix verdict
The serious free option for web app testing. Burp Community is friendlier for manual testing; ZAP is the better automation tool.