If it has not become apparent by now, I like OWASP … a lot. They are a bunch of volunteers who sacrifice their spare time to better the community and I have nothing but the utmost respect for that. OWASP ZAP is a tool that is often seen as a bit more “confusing” though I do not know where this stems from. After all, Burp suite is just as confusing if you open it up for the first time but after a while and with practice it becomes easier.
I am going to make this comparison because I think ZAP is unfairly compared to burp suite. Not only because the team composition and business models vary wildly but also because the core concepts differ. Of course, ZAP is fully free, including its vulnerability scanner but let’s see how else it differs.
First of all, when you open up OWASP ZAP, you will notice that it asks if you want to persist your session. This might seem strange already because normally it would just ask you to save a project but what ZAP does is start up a database and a server and ZAP is basically a GUI for you. Every action you undertake is saved unless you don’t want to persist in your session.
Usually, I would recommend that you save things in a session as it would otherwise take a lot of time to get started.
ZAP also uses contexts, this is where you can define things like users and scope. This means you can have multiple “contexts” per session. Usually, the default context suffices but if you want to separate the web URLs from the API URLs for example, you might consider using different contexts so you don’t have to keep switching projects.
Modes
To start configuring OWASP ZAP properly, always start by setting up your context correctly. This ensures you will not go outside of your allotted scope if you combine it with setting ZAP up to work in “safe mode”. This ensures no dangerous operations can be performed on URLs that are not in scope.
Also useful are the