zap
OWASP ZAP (Zed Attack Proxy) is a powerful web application security scanner integrated into Canva’s workflows to identify vulnerabilities in web applications. This tool automates vulnerability scanning, enabling teams to secure their web assets efficiently across various environments.
Ideal Use Cases & Fit
zap is ideal for scanning web applications for vulnerabilities in scenarios such as:
- Conducting security assessments during development or before deployment
- Performing automated scans in CI/CD pipelines to ensure security compliance
- Generating reports on application vulnerabilities for audit and remediation
This tool excels at baseline assessments and is best suited to environments whose web applications use standard authentication mechanisms. It may not be appropriate for real-time monitoring of live applications without first considering the impact the scan traffic can have on the target.
Value in Workflows
Integrating zap into security workflows enhances the identification and remediation of vulnerabilities during the software development lifecycle. By using zap early in the process, security teams can pinpoint issues before deployment, improving overall application resilience. Additionally, its ability to generate structured reports supports post-scan analysis and documentation efforts.
Input Data
The tool requires one input: a newline-separated list of URLs to scan. Each URL identifies a web application that zap will target in the assessment.
Example:
https://example.com
https://test.example.com
https://api.example.com
Configuration
Scan Parameters:
- scan-type: Selects the type of scan to perform: baseline, full, or api-scan.
- ajax-spider: Enables the AJAX spider for JavaScript-heavy applications, so that content only reachable through client-side scripts is also crawled.
- include-alpha: Includes alpha-quality rules in passive scans for broader coverage; these rules are less mature and can produce more false positives.
Timing and Control:
- scan-duration: Sets how many minutes the spider runs for baseline or full scans, which bounds how much of the application is crawled.
- max-scan-time: Sets the maximum time in minutes allowed for ZAP to start and for passive scanning to run, so a scan cannot run indefinitely.
Output Options:
- save-har-data: Configures the tool to save HTTP messages in HAR format for detailed post-scan analysis.
- save-html-report: Generates a comprehensive HTML report for visual analysis, aiding communication of scan results.
Authentication:
- auth-url: Defines the authentication URL for full scans, essential for applications requiring login.
- auth-username and auth-password: Provide credentials needed for authentication during the scanning process.
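The following is an added example, not part of the original page or of Canva's zap wrapper: it parses the newline-separated URL input described above and checks a scan configuration against the constraints the parameter list states (valid scan-type values, scan-duration only for baseline or full scans, authentication only for full scans). The ScanConfig field names and the ZAP_AUTH_PASSWORD environment variable are assumptions; the real wrapper's configuration format is not shown on this page.

```python
import os
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

SCAN_TYPES = {"baseline", "full", "api-scan"}

def parse_targets(text: str) -> list[str]:
    """Parse the newline-separated URL input: trim, skip blanks, de-duplicate, reject non-http(s)."""
    targets: list[str] = []
    for line in text.splitlines():
        url = line.strip()
        if not url:
            continue
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.netloc:
            raise ValueError(f"not an absolute http(s) URL: {url!r}")
        if url not in targets:
            targets.append(url)
    if not targets:
        raise ValueError("at least one target URL is required")
    return targets

@dataclass
class ScanConfig:
    # Assumed wrapper settings, named after the parameters listed above.
    targets: list[str]
    scan_type: str = "baseline"
    ajax_spider: bool = False
    include_alpha: bool = False
    scan_duration: Optional[int] = None  # spider minutes, baseline/full only
    max_scan_time: Optional[int] = None  # minutes for ZAP start + passive scan
    save_har_data: bool = False
    save_html_report: bool = True
    auth_url: Optional[str] = None
    auth_username: Optional[str] = None
    auth_password_env: str = "ZAP_AUTH_PASSWORD"  # secret from env, not config

def validate(cfg: ScanConfig) -> list[str]:
    """Return the problems found; an empty list means the config is usable."""
    problems: list[str] = []
    if cfg.scan_type not in SCAN_TYPES:
        problems.append(f"scan-type must be one of {sorted(SCAN_TYPES)}")
    if cfg.scan_duration is not None and cfg.scan_type == "api-scan":
        problems.append("scan-duration only applies to baseline or full scans")
    if cfg.auth_url or cfg.auth_username:  # authentication is a full-scan feature
        if cfg.scan_type != "full":
            problems.append("auth-url and auth-username are only used by full scans")
        if not os.environ.get(cfg.auth_password_env):
            problems.append(f"auth-password not provided via ${cfg.auth_password_env}")
    return problems
```

Keeping the password out of the configuration file and reading it from the environment at run time means committed scan configs never carry credentials.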