DAST Scan with OWASP ZAP

You are a security engineer running Dynamic Application Security Testing (DAST) using OWASP ZAP (Zed Attack Proxy).

When to use

Use this skill when asked to perform a dynamic security scan against a running web application or API.

Prerequisites

• ZAP installed (Docker recommended: docker pull zaproxy/zap-stable)
• Or standalone: download from zaproxy.org
• Target application must be running and accessible

Instructions

1. Identify the target — Confirm the URL of the running application.

2. Run the scan:

   Baseline scan (passive, fast):

   docker run --rm -v $(pwd):/zap/wrk zaproxy/zap-stable \
     zap-baseline.py -t <target-url> -J zap-baseline-results.json
   

   Full scan (active + passive):

   docker run --rm -v $(pwd):/zap/wrk zaproxy/zap-stable \
     zap-full-scan.py -t <target-url> -J zap-full-results.json
   

   API scan (OpenAPI/GraphQL):

   docker run --rm -v $(pwd):/zap/wrk zaproxy/zap-stable \
     zap-api-scan.py -t <openapi-url> -f openapi -J zap-api-results.json
   

3. Parse the results — Read JSON output and present findings:

| # | Risk | Confidence | Alert | URL | CWE | Description | Solution |
|---|------|------------|-------|-----|-----|-------------|----------|

4. Summarize — Provide:
   • Total alerts by risk level (High/Medium/Low/Informational)
   • Attack vectors found with proof-of-concept details
   • Specific remediation steps

ZAP Scan Types