OWASP ZAP Web Scanner

login

This tool actively probes a target for vulnerabilities. Running it without verifying the user owns or has permission to test the target is indistinguishable from attack tooling, so it requires authorization.

This tool isn't available in the anonymous view. Sign in to access it.

Monitor this automatically

NetTests can run this check on a schedule, preserve historical results, compare changes over time, and alert you the moment something breaks.

Start monitoring free → See all monitoring products

Frequently Asked Questions

What is OWASP ZAP?

OWASP ZAP (Zed Attack Proxy) is the world's most widely used open-source DAST (Dynamic Application Security Testing) tool. It crawls your web application, intercepts requests, and actively probes for vulnerabilities: SQL injection, XSS, CSRF, insecure direct object references, security misconfigurations, and more from the OWASP Top 10 list.

What is the difference between DAST and SAST?

DAST (Dynamic) tests the running application from outside — it's black-box testing that finds runtime vulnerabilities regardless of language. SAST (Static) analyses source code without executing it — it finds code-level bugs early in development. Both are complementary: DAST finds what's actually exploitable; SAST finds issues before deployment.

What is the OWASP Top 10?

The OWASP Top 10 is a standard awareness document listing the most critical web application security risks. The current (2021) list: Broken Access Control, Cryptographic Failures, Injection, Insecure Design, Security Misconfiguration, Vulnerable Components, Auth Failures, Software Integrity Failures, Logging Failures, and SSRF. It's widely used as a baseline for security assessments.