Source: https://www.zaproxy.org/docs/desktop/

• Add-ons

  • Access Control Testing

    • Access Control Context Options

    • Access Control Status Tab

  • Active Scan Rules

  • Active Scan Rules - Alpha

  • Active Scan Rules - Beta

  • Advanced SQLInjection Add-on

  • AJAX Spider

    • Ajax Spider Automation Framework Support

    • AJAX Spider Context

    • Options AJAX Spider screen

    • AJAX Spider dialog

    • AJAX Spider tab

  • Alert Filters

    • Alert Filter Dialog

    • Alert Filter Automation Framework Support

    • Context Alert Filters

    • Options Global Alert Filters

  • All In One Notes

    • All In One Notes - About

  • AMF Support

  • Authentication Helper

    • Authentication Report - JSON

    • Authentication Request Identification

    • Authentication Tester Dialog

    • Auto-Detect Authentication

    • Auto-Detect Session Management

    • Browser Based Authentication

    • Client Script Authentication

    • Report Templates

    • Header Based Session Management

    • Session Management Identification

    • Verification Request Identification

  • Authentication Statistics

  • Automation Framework

    • Automation Framework - About

    • Automation Framework - authentication

    • Automation Framework - Environment

    • Automation Framework - GUI

    • Automation Framework - addOns Job

    • Automation Framework - activeScan Job

    • Automation Framework - activeScan-config Job

    • Automation Framework - activeScan-policy Job

    • Automation Framework - delay Job

    • Automation Framework - exitStatus Job

    • Automation Framework - passiveScan-config Job

    • Automation Framework - passiveScan-wait Job

    • Automation Framework - requestor Job

    • Automation Framework - spider Job

    • Automation Framework - Options

    • Automation Framework - Alert Job Test

    • Automation Framework - Monitor Job Test

    • Automation Framework - Statistics Job Test

    • Automation Framework - URL Presence Job Tests

    • Automation Framework - Job Tests

  • Bean Shell Console

  • BIRT Reports

  • Browser View

  • Bug Tracker

  • Call Graph

  • Call Home

  • Client Side Integration

    • Client Side Integration - AJAX Spider Enhancement

    • Client Side Integration - Automation Framework Support

    • Client Side Integration - Firefox Profile

    • Client Side Integration - Internals

    • Client Side Integration - Passive Scan Rules

    • Client Side Integration

    • Client Side Integration - Client Spider API

    • Client Side Integration - Client Spider

  • Code Dx

  • Collection: Pentester Pack

  • Collection: Scan Rules Pack

  • Common Library

    • Alert Tags

    • Tabbed Output Panel

  • Community Scripts

  • Custom Payloads

    • Custom Payloads API

    • Options Custom Payloads screen

  • Custom Report

  • Database Add-on

  • Dev Add-On

  • Diff

  • Directory List v1.0

  • Directory List v2.3

  • Directory List v2.3 LC

  • DOM XSS Active Scan Rule

    • DOM XSS Active Scan Rule - About

  • Encode / Decode / Hash dialog

    • Options Encode/Decode screen

  • Eval Villain

  • Export Report

  • Forced Browse

    • Options Forced Browse screen

    • Forced Browse tab

  • Form Handler

  • Fuzz AI Files

    • Fuzz AI Files - Exploit Model Memory

    • Fuzz AI Files - Extract Model Information

    • Fuzz AI Files - Extract Training Data

    • Fuzz AI Files - Test Edge Cases

  • FuzzDB Files

  • FuzzDB Offensive

  • FuzzDB Web Backdoors

  • Fuzzing

    • Fuzzer dialog

    • HTTP Message Processors

    • Fuzz Location Processors dialog

    • Options Fuzz screen

    • Payloads dialog

    • Payload Processors dialog

    • Fuzzer tab

  • Getting Started Guide

  • GraalVM JavaScript

  • GraphQL Support

    • GraphQL Alerts

    • GraphQL Automation Framework Support

    • GraphQL Options

    • GraphQL Support Script

    • GraphQL Variant

  • Groovy Support

    • Groovy Support - About

  • gRPC Support

    • gRPC Variant

    • gRPC WebSocket

  • Highlighter

  • HTTPS Info

  • The HUD

    • Options HUD screen

  • Import/Export

    • Automation Framework Support

    • Sites Tree File Format

  • Import URLs

  • Invoke Applications

    • Options Applications screen

  • JSON View

  • Kotlin Support

  • Linux WebDrivers

  • Log File Importer

  • MacOS WebDrivers

  • Neonmarker

  • Network Add-on

    • Network API

    • Command Line

    • Options

      • Client Certificates

      • Connection

      • Global Exclusions

      • Local Servers/Proxies

      • Rate Limit

      • Server Certificates

  • Out-of-band Application Security Testing Support

    • OAST API

    • OAST Options

    • OAST Services

      • BOAST

        • BOAST Options

      • Callbacks

        • Callback Options

      • Interactsh

        • Interactsh Options

    • OAST Tab

  • Online Menu

  • OpenAPI Support

    • OpenAPI Automation Framework Support

  • Parameter Digger

    • Parameter Digger - About

    • Param Digger dialog

    • Param Digger tab

  • Passive Scan Rules

  • Passive Scan Rules - Alpha

  • Passive Scan Rules - Beta

  • Passive Scanner Add-on

    • Passive Scanner API

    • Passive Scanner Automation Framework Support

    • Passive Scanner Automation Framework - passiveScan-config Job

    • Passive Scanner Automation Framework - passiveScan-wait Job

    • Options

      • Passive Scan Rules

      • Passive Scanner

      • Passive Scan Tags

  • Plug-n-Hack

    • Plug-n-Hack Clients tab

  • Port Scan

    • Options Port Scan screen

    • Port Scan tab

  • Postman Support

    • Postman Automation Framework Support

  • Python Scripting

    • Options Jython screen

  • Quick Start

    • Command Line

    • Options Quick Start Launch screen

    • ZAPit

  • Regular Expression Tester

  • Replacer

    • Replacer Automation Framework Support

  • Report Alert Generator

  • Report Generation

    • Report Generation - About

    • Report Generation API

    • Report Generation Automation Framework Support

    • Creating Reports

    • High Level Report Sample

    • Modern HTML Report with themes and options

    • Risk and Confidence HTML

    • SARIF JSON Report

    • Traditional HTML with Requests and Responses

    • Traditional HTML

    • Traditional JSON Report with Requests and Responses

    • Traditional JSON Report

    • Traditional Markdown Report

    • Traditional PDF

    • Traditional XML Report with Requests and Responses

    • Traditional XML Report

    • Report Templates

  • Requester Add-on

    • Manual Request Editor dialog

    • Requester Options

    • Requester Tab

  • Retest

    • Retest - About

  • Retire.js

  • Reveal

  • Revisit

  • Ruby Scripting

  • SAML Support

  • Save Raw Message

  • Save XML Message

  • Scan Policies

    • API Policy

    • Default Policy

    • Developer CI/CD Policy

    • Developer Full Policy

    • Developer Standard Policy

    • Penetration Tester Policy

    • QA CI/CD Policy

    • QA Full Policy

    • QA Standard Policy

  • Script Console

    • Scripts Automation Framework Support

    • Script Console Tab

    • Script Console Options

    • Script Scan Rules

    • Scripts tree tab

  • Selenium

    • Selenium API

    • Options Selenium screen

  • Sequence Scanner

    • Automation Framework Support

    • Sequence Policy

  • Server-Sent Events

    • Server-Sent Events tab

  • SOAP Support

    • SOAP Alerts

    • SOAP Automation Framework Support

  • Software Risk Manager

  • Spider

    • Spider Automation Framework Support

    • Spider dialog

    • Options Spider screen

    • Spider tab

  • SVN Digger Files

  • Technology Detection

    • Technology Detection API

    • Options Tech Detection screen

  • Tips and Tricks

  • TLS Debug

  • Token Generation and Analysis

    • Options Token Generator Screen

  • TreeTools

  • Value Generator

  • ViewState

  • WebSockets

    • Web Sockets - About

    • WebSocket API

    • WebSocket specific options

    • WebSocket Passive Scan Rules

    • WebSocket Scripts

    • WebSocket specific session properties

    • WebSocket tab

  • Windows WebDrivers

  • Zest

• Releases

  • Release 1.0.0

  • Release 1.1.0

  • Release 1.2.0

  • Release 1.3.0

  • Release 1.3.1

  • Release 1.3.2

  • Release 1.3.3

  • Release 1.3.4

  • Release 1.4.0

  • Release 1.4.1

  • Release 2.0.0

  • Release 2.1.0

  • Release 2.10.0

  • Release 2.11.0

  • Release 2.11.1

  • Release 2.12.0

  • Release 2.13.0

  • Release 2.14.0

  • Release 2.15.0

  • Release 2.16.0

  • Release 2.16.1

  • Release 2.2.0

  • Release 2.2.1

  • Release 2.2.2

  • Release 2.3.0

  • Release 2.3.1

  • Release 2.4.0

  • Release 2.4.1

  • Release 2.4.2

  • Release 2.4.3

  • Release 2.5.0

  • Release 2.6.0

  • Release 2.7.0

  • Release 2.8.0

  • Release 2.9.0

• Getting Started

  • Scanner Rules

  • Features

    • Add-ons

    • Alerts

    • Anti CSRF Handling

    • API

    • Active Scan

    • Authentication

    • Authentication Methods

    • Authentication Verification Strategies

    • Breakpoints

    • Callbacks

    • Contexts

    • Custom Page

    • Data Driven Content

    • Globally Excluded URLs

    • HTTP Sessions

    • Manipulator-in-the-middle Proxy

    • Marketplace

    • Modes

    • Notes

    • Passive Scan

    • Software Bill of Materials

    • Scan Policy

    • Scope

    • Scripts

    • Session Management

    • Sites Tree

    • Spider

    • Statistics

    • Structural Modifiers

    • Structural Parameters

    • Tags

    • Users

  • A Basic Penetration Test

  • Configuring Proxies

• Desktop UI Overview

  • Dialogs

    • Add Alert dialog

    • Add/Edit Breakpoint dialog

    • Add Note dialog

    • Active Scan dialog

    • Encode / Decode / Hash dialog

    • Find dialog

    • History Filter dialog

    • Manual Request Editor dialog

    • Manage Add-ons

    • Manage History Tags dialog

    • Options dialog

      • Options Alerts screen

      • Options Anti CRSF screen

      • Options API screen

      • Options Active Scan screen

      • Options Active Scan Input Vectors screen

      • Options Breakpoints screen

      • Options Callback Address screen

      • Options Client Certificate screen

      • Options Check for Updates screen

      • Options Connection screen

      • Options Database screen

      • Dynamic SSL Certificates

      • Options Extensions screen

      • Options Global Exclude URL screen

      • Options HTTP Sessions screen

      • Options JVM screen

      • Options Keyboard screen

      • Options language screen

      • Options Local Proxies screen

      • Options Passive Scan Tags screen

      • Options Passive Scanner Screen

      • Options Passive Scan Rules Screen

      • Options Rule Configuration screen

      • Options Scripts screen

      • Options Search screen

      • Options Spider screen

      • Options Statistics screen

      • Options Display screen

    • Persist Session dialog

    • Scan Policy Dialog

    • Scan Policy Manager dialog

    • Scan Progress Dialog

    • Session Properties dialog

      • Session Context Authentication screen

      • Session Context Structure screen

      • Session Context screens

    • Spider dialog

  • Footer

  • The Tabs

    • Alerts tab

    • Active Scan tab

    • Break tab

    • Breakpoints tab

    • Callbacks tab

    • History tab

    • HTTP Sessions tab

    • Output tab

    • Params tab

    • Request tab

    • Response tab

    • Search tab

    • Sites tab

    • Spider tab

  • Top Level Menu

    • The Analyse menu

    • The Edit menu

    • The File menu

    • The Help menu

    • The Import menu

    • The Online menu

    • The Report menu

    • The Tools menu

    • The View menu

  • Top Level Toolbar

  • Views

ZAP by Checkmarx Desktop User Guide

Welcome to the Zed Attack Proxy (ZAP) Desktop User Guide.

This is available both as context sensitive help within ZAP and online at https://www.zaproxy.org/docs/desktop/

ZAP is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications.

It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing.

ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.

ZAP can also be run in a completely automated way - see the ZAP website for more details.

If you are new to ZAP then its recommended that you look at the Getting Started section.

ZAP is a fork of the open source variant of the Paros Proxy .

See also

---

| | | | | --- | --- | --- | | | Getting Started | for details of how to start using ZAP | | | Features | for details of various features provided by ZAP | | | UI Overview | for an overview of the User Interface | | | Command Line | for the command line options available | | | Releases | for details of the changes made in ZAP releases | | | Credits | for the list of people who have contributed to ZAP |

External links

---

| | | | --- | --- | | | Main ZAP website | | | Wikipedia entry for proxies |

Official Videos

---

| | | | --- | --- | | | https://www.zaproxy.org/videos/<br> An ever growing collection of ZAP videos |