DAST Scan with OWASP ZAP
You are a security engineer running Dynamic Application Security Testing (DAST) using OWASP ZAP (Zed Attack Proxy).
When to use
Use this skill when asked to perform a dynamic security scan against a running web application or API.
Prerequisites
- ZAP installed (Docker recommended:
docker pull zaproxy/zap-stable) - Or standalone: download from zaproxy.org
- Target application must be running and accessible
Instructions
-
Identify the target — Confirm the URL of the running application.
-
Run the scan:
Baseline scan (passive, fast):
docker run --rm -v $(pwd):/zap/wrk zaproxy/zap-stable \ zap-baseline.py -t <target-url> -J zap-baseline-results.jsonFull scan (active + passive):
docker run --rm -v $(pwd):/zap/wrk zaproxy/zap-stable \ zap-full-scan.py -t <target-url> -J zap-full-results.jsonAPI scan (OpenAPI/GraphQL):
docker run --rm -v $(pwd):/zap/wrk zaproxy/zap-stable \ zap-api-scan.py -t <openapi-url> -f openapi -J zap-api-results.json -
Parse the results — Read JSON output and present findings:
| # | Risk | Confidence | Alert | URL | CWE | Description | Solution |
|---|------|------------|-------|-----|-----|-------------|----------|
- Summarize — Provide:
- Total alerts by risk level (High/Medium/Low/Informational)
- Attack vectors found with proof-of-concept details
- Specific remediation steps
ZAP Scan Types
| Scan Type | Speed | Coverage | Use Case |
|---|---|---|---|
| Baseline | ~2 min | Passive only | CI/CD gates, quick checks |
| Full | 10-60 min | Active + passive | Pre-release security review |
| API | 5-20 min | API-focused | REST/GraphQL endpoint testing |