| Feature | Description | Example |
|---|---|---|
| Intercepting Proxy | Captures and modifies HTTP/HTTPS traffic | Modify an API request body to test for IDOR (Insecure Direct Object References) |
| Passive Scanner | Observes traffic for issues without altering requests | Detects missing security headers such as CSP and X-Frame-Options |
| Active Scanner | Actively probes endpoints for vulnerabilities by sending attack payloads | Finds SQL injection in a login form |
| Spider (Crawling) | Discovers pages and parameters by following links | Finds a hidden /dev directory with test scripts |
| AJAX Spider | Handles JavaScript-heavy apps by driving a real browser (Selenium/WebDriver) | Crawls a React-based app to uncover dynamic endpoints |
| Fuzzer | Injects payloads into parameters | Tests for XSS by fuzzing the q parameter of a search endpoint |
| Requester (Manual Testing) | Sends custom requests and lets you analyze responses | Send a crafted PUT request to check whether unsafe HTTP methods are accepted |
| Session Management | Tracks cookies, tokens, and multiple user roles | Test the app as both "user" and "admin" to validate role-based access control |
| Authentication Testing | Supports login workflows (form-based, HTTP/NTLM, and script-based flows such as OAuth or JWT) | Automate login with JWT tokens to scan authenticated parts of the app |
| Plug-n-Hack | Easy integration with browsers | Automatically configures Firefox to proxy through ZAP |
| Marketplace (Add-ons) | Extends features with community plugins | Install the "Retire.js" add-on to detect vulnerable JS libraries |
| Reports & Alerts | Generates reports in HTML, JSON, XML, and Markdown | Export a vulnerability report for compliance documentation |
| REST API Support | Controls ZAP remotely for automation | Use ZAP in CI/CD to scan new builds automatically |
| Scripting | Write custom attack/test scripts in Python (Jython), Groovy, or JavaScript | Create a script to detect weak JWT signing (alg=none) |
| Docker Support | Runs ZAP containerized in pipelines | Automate security scans in a Jenkins pipeline |
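The "Scripting" row mentions detecting weak JWT signing (alg=none). The block below is an added example, not code from the page or from the ZAP project: it is the detection logic such a script needs, written as plain Python so it runs stand-alone. Inside ZAP it would be called from a Jython passive-scan script's `scan(ps, msg, src)` entry point with the raw response text, and the alert would be raised through the script's `ps` object; that glue is assumed and not shown. The sample response and its tokens are constructed for the example.

```python
import base64
import json
import re

# A JWT is three base64url segments joined by dots. The signature segment may be
# empty, which is exactly what an alg=none token looks like ("header.payload.").
# Real headers start with '{"', which base64url-encodes to "eyJ".
_JWT_RE = re.compile(r"\b(eyJ[A-Za-z0-9_-]+)\.([A-Za-z0-9_-]+)\.([A-Za-z0-9_-]*)")

# Compared case-insensitively: some libraries historically accepted "None"/"NONE".
WEAK_ALGS = {"none"}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_token(header: dict, payload: dict, signature: str = "") -> str:
    """Build an (unverified) JWT string; used here only to construct sample data."""
    enc = lambda d: _b64url_encode(json.dumps(d, separators=(",", ":")).encode())
    return f"{enc(header)}.{enc(payload)}.{signature}"


def decode_jwt_header(token: str):
    """Return the decoded JOSE header of `token` as a dict, or None if it is not a JWT."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except ValueError:  # bad base64, bad UTF-8 and bad JSON all derive from ValueError
        return None
    return header if isinstance(header, dict) else None


def find_weak_jwts(text: str):
    """Scan arbitrary text (headers, cookies, body) for JWTs whose alg is 'none'.

    Returns a list of (token, alg) tuples so the caller can raise one alert per token.
    """
    findings = []
    for match in _JWT_RE.finditer(text):
        token = match.group(0)
        header = decode_jwt_header(token)
        if header is None:
            continue
        alg = str(header.get("alg", ""))
        if alg.lower() in WEAK_ALGS:
            findings.append((token, alg))
    return findings


# Constructed sample response (not captured from any real application): one
# unsigned session cookie and one properly signed token in the body.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json\r\n"
    "Set-Cookie: session="
    + make_token({"alg": "none", "typ": "JWT"}, {"sub": "admin"})
    + "; HttpOnly\r\n\r\n"
    + '{"token": "'
    + make_token({"alg": "HS256", "typ": "JWT"}, {"sub": "user"}, "c2ln")
    + '"}'
)

if __name__ == "__main__":
    for token, alg in find_weak_jwts(SAMPLE_RESPONSE):
        print(f"weak JWT (alg={alg}): {token}")
```

The regex deliberately allows an empty third segment; a scanner that requires a non-empty signature would miss the very tokens this check is meant to catch.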
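The "REST API Support" and "Docker Support" rows describe driving ZAP from a pipeline. As an added example (not the page's or the ZAP project's code), the block below talks to ZAP's JSON API with only the standard library, runs the spider and active scan, waits for both to finish, and fails the build when any alert at or above a chosen risk level is returned. It assumes a ZAP daemon reachable at http://127.0.0.1:8080 with an API key, and the target http://target.example is a placeholder; the `fake_transport` and its canned alerts are constructed so the logic can be exercised without a running ZAP.

```python
import json
import sys
import time
import urllib.parse
import urllib.request


class ZapClient:
    """Minimal client for ZAP's JSON API. `transport` is a callable url -> str so
    the HTTP layer can be replaced by a fake for offline testing."""

    def __init__(self, base_url="http://127.0.0.1:8080", api_key="", transport=None):
        self.base_url = base_url.rstrip("/")
        self.api_key = api_key
        self.transport = transport or self._http_get

    @staticmethod
    def _http_get(url):
        with urllib.request.urlopen(url, timeout=30) as resp:
            return resp.read().decode()

    def call(self, component, kind, name, **params):
        # URL shape: /JSON/<component>/<action|view>/<name>/?apikey=...&<params>
        params["apikey"] = self.api_key
        query = urllib.parse.urlencode(params)
        return json.loads(self.transport(f"{self.base_url}/JSON/{component}/{kind}/{name}/?{query}"))

    def spider(self, target):
        return self.call("spider", "action", "scan", url=target)["scan"]

    def active_scan(self, target):
        return self.call("ascan", "action", "scan", url=target)["scan"]

    def wait(self, component, scan_id, poll_seconds=2.0):
        # Both spider and ascan expose view/status returning a percentage as a string.
        while int(self.call(component, "view", "status", scanId=scan_id)["status"]) < 100:
            time.sleep(poll_seconds)

    def alerts(self, target):
        return self.call("core", "view", "alerts", baseurl=target)["alerts"]


RISK_ORDER = ["Informational", "Low", "Medium", "High"]


def gate(alerts, fail_on="High"):
    """Return (passed, offenders); offenders are alerts at or above `fail_on`."""
    threshold = RISK_ORDER.index(fail_on)
    offenders = [a for a in alerts if RISK_ORDER.index(a["risk"]) >= threshold]
    return (not offenders, offenders)


def run_pipeline_scan(client, target, fail_on="High"):
    client.wait("spider", client.spider(target))
    client.wait("ascan", client.active_scan(target))
    return gate(client.alerts(target), fail_on)


def fake_transport(url):
    """Constructed stand-in for a running ZAP: canned responses keyed by API path."""
    path = urllib.parse.urlparse(url).path
    canned = {
        "/JSON/spider/action/scan/": {"scan": "1"},
        "/JSON/spider/view/status/": {"status": "100"},
        "/JSON/ascan/action/scan/": {"scan": "2"},
        "/JSON/ascan/view/status/": {"status": "100"},
        "/JSON/core/view/alerts/": {"alerts": [
            {"alert": "SQL Injection", "risk": "High", "url": "http://target.example/login"},
            {"alert": "X-Content-Type-Options Header Missing", "risk": "Low", "url": "http://target.example/"},
        ]},
    }
    return json.dumps(canned[path])


if __name__ == "__main__":
    # In a pipeline, point this at the ZAP container instead of the fake transport.
    passed, offenders = run_pipeline_scan(ZapClient(transport=fake_transport), "http://target.example")
    for a in offenders:
        print(f"{a['risk']}: {a['alert']} at {a['url']}")
    sys.exit(0 if passed else 1)
```

Gating on the alert list rather than on the report file keeps the decision explicit; the HTML or JSON report can still be fetched afterwards for the compliance archive.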