Apply Now Apply Now Apply Now
header_logo
Post thumbnail
DEVOPS

OWASP ZAP Tutorial: How to Scan Websites for Vulnerabilities

By Jebasta

Every website has weak spots, you just do not know where they are until someone looks. This OWASP ZAP tutorial teaches you how to find those weak spots yourself, using a free tool trusted by security professionals worldwide. ZAP sits between your browser and a website, watches every request and response, and points out exactly where a real attacker could break in. You do not need a security background to follow this guide. 

Table of contents


  1. TL;DR Summary
  2. What is OWASP ZAP?
  3. Before You Start: A Quick Warning
  4. OWASP ZAP Tutorial: Installation
  5. Starting Your First Scan
  6. Passive Scan vs Active Scan
  7. Reading Your Scan Results
    • 💡 Did You Know?
  8. Common Mistakes to Avoid
  9. Conclusion
  10. FAQs
    • Is OWASP ZAP free to use?
    • Is OWASP ZAP legal to use?
    • What is the difference between passive and active scanning?
    • Do I need coding experience for this OWASP ZAP tutorial?
    • Can ZAP scan websites that require login? 

TL;DR Summary

  • This OWASP ZAP tutorial shows you how to install ZAP, scan a website, and read the results, even if you have never done security testing before.
  • ZAP (Zed Attack Proxy) is a free, open-source tool that finds vulnerabilities like SQL injection and XSS in web apps.
  • Setup takes under 10 minutes on Windows, macOS, or Linux.
  • ZAP has two scan types: passive (safe, automatic) and active (more thorough, simulates real attacks).
  • Always get permission before scanning a website you do not own.

What is OWASP ZAP?

OWASP ZAP, also known as Zed Attack Proxy, is a free, open-source security testing tool. It works as a proxy between your browser and the website you are testing, capturing every request and response so you can see what is happening behind the scenes.

It is one of the most widely used web vulnerability scanners in the world, used by penetration testers, developers, and QA teams alike, and genuinely beginner-friendly for a tool this powerful.

Security testing is becoming a core skill across development and QA roles in 2026. If you want to build a strong foundation in the tools and practices that power modern application security, HCL GUVI’s DevOps Course covers CI/CD pipelines, security integration, and real-world projects with NSDC certification.

Before You Start: A Quick Warning

Only scan websites you own or have explicit written permission to test. Scanning a website without permission, even just to “see what happens,” is illegal in most countries. This OWASP ZAP tutorial uses a safe practice target so you can follow along without any legal risk.

OWASP provides a free site built specifically for this purpose: Juice Shop or the official OWASP testing apps are ideal starting points.

OWASP ZAP Tutorial: Installation

Windows: Run winget install –id=ZAP.ZAP -e in PowerShell, or download the installer from the official ZAP website. Requires Java 17+, included by default.

macOS: Run brew install –cask zap, then launch with open -a ZAP.

Linux: Run sudo snap install zaproxy –classic then start with zaproxy. ZAP comes pre-installed on Kali Linux.

Once installed, open ZAP. It will ask whether to persist your session. Choose “Yes” to save progress, or “No” for a quick one-time scan.

Starting Your First Scan

This is the core of any OWASP ZAP tutorial, the part where you actually find something.

  1. Open ZAP and look for the field labelled URL to attack near the top of the window.
  2. Enter the URL of your test target (your own site, or a safe practice site like Juice Shop).
  3. Click Attack.
  4. ZAP will start crawling, also called spidering, the site to map out every page and link it can find.
  5. Once spidering finishes, ZAP automatically begins scanning for vulnerabilities.

You will see ZAP populate two windows as it works: the Sites tree on the left shows everything it has discovered, and the Alerts tab at the bottom shows every vulnerability it finds, in real time.

Passive Scan vs Active Scan

A key concept in any OWASP ZAP tutorial is understanding the difference between these two scan types, because they behave very differently.

Scan TypeWhat It DoesRisk Level
Passive ScanAnalyses traffic as you browse, never sends attack payloadsSafe, runs automatically
Active ScanSends real attack payloads (SQLi, XSS attempts) to test responsesHigher risk, can modify data

Passive scanning happens automatically just by browsing the site through ZAP’s proxy. It catches issues like missing security headers and insecure cookies, but it cannot catch deeper issues like SQL injection because it never actually tries to exploit anything.

Active scanning is more thorough. ZAP actually attempts attacks against the site to see how it responds. This is more likely to catch serious vulnerabilities, but it can also affect real data, so never run an active scan against a production website you do not control.

MDN

Reading Your Scan Results

Once your scan finishes, click the Alerts tab. Every finding is colour-coded by risk:

  • Red (High): Serious vulnerabilities like SQL injection. Fix immediately.
  • Orange (Medium): Real risks like reflected XSS. Fix soon.
  • Yellow (Low): Minor issues like missing security headers.
  • Blue (Informational): Not a vulnerability, just useful context.

Click any alert to see the affected URL, the payload ZAP used, and suggested remediation steps. This is what makes ZAP useful for beginners, it tells you exactly what to fix, not just that something is wrong.

💡 Did You Know?

  • OWASP ZAP recently joined the Software Security Project as one of its founding members, further strengthening its role in the global application security ecosystem. Despite being completely free and open source, OWASP ZAP has grown into the world’s most widely used web vulnerability scanner. It competes directly with commercial security testing tools that can cost organizations thousands of dollars per year, making enterprise-grade security testing accessible to developers of all sizes.

Common Mistakes to Avoid

  • Running an active scan on a live production site. Active scans send real attack payloads that can create test data, trigger emails, or even corrupt records. Always scan a staging environment or a dedicated practice target first.
  • Ignoring Low and Informational alerts entirely. They seem unimportant individually, but missing security headers and weak cookie settings often combine with other small issues to create a real attack path. Review them even if you fix high risks first.
  • Skipping authentication setup. If your site requires login, ZAP cannot scan anything behind that login wall unless you configure authentication first. Without this step, your OWASP ZAP tutorial results will badly underrepresent your actual risk.

Conclusion

This OWASP ZAP tutorial walks you through everything you need to run your first real vulnerability scan: installing ZAP, scanning a target, understanding passive versus active scans, and reading your results by risk level. ZAP rewards curiosity. Run it against a practice site, click through every alert, and read what each one actually means. That hands-on habit is how security testing skills are built, one scan at a time.

FAQs

1. Is OWASP ZAP free to use?

Yes. ZAP is completely free and open-source, with no paid tier required for any features covered in this OWASP ZAP tutorial.

Yes, only on websites you own or have written permission to test. Scanning without authorization is illegal in most countries.

3. What is the difference between passive and active scanning?

Passive scanning analyses traffic safely without attacks. Active scanning sends real attack payloads, so only run it on sites you control.

4. Do I need coding experience for this OWASP ZAP tutorial?

No. ZAP’s desktop interface is built for beginners. Scripting becomes useful later for automation but is not required to start.

MDN

5. Can ZAP scan websites that require login? 

Yes, but you must configure authentication in ZAP first, or it cannot reach pages behind the login wall.

Success Stories

Did you enjoy this article?

Schedule 1:1 free counselling

Similar Articles

Loading...
Get in Touch
Chat on Whatsapp
Request Callback
Share logo Copy link
Table of contents Table of contents
Table of contents Articles
Close button

  1. TL;DR Summary
  2. What is OWASP ZAP?
  3. Before You Start: A Quick Warning
  4. OWASP ZAP Tutorial: Installation
  5. Starting Your First Scan
  6. Passive Scan vs Active Scan
  7. Reading Your Scan Results
    • 💡 Did You Know?
  8. Common Mistakes to Avoid
  9. Conclusion
  10. FAQs
    • Is OWASP ZAP free to use?
    • Is OWASP ZAP legal to use?
    • What is the difference between passive and active scanning?
    • Do I need coding experience for this OWASP ZAP tutorial?
    • Can ZAP scan websites that require login?