What is OWASP ZAP?

OWASP (Open Web Application Security Project) ZAP (Zed Attack Proxy) is an easy-to-use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing, as well as being a useful addition to an experienced pen tester's toolbox.


  1. Download and Install ZAP
  2. Add the ZAP Maven dependencies to pom.xml
  3.     <dependency> 
              <!-- ZAP core, 2.8.0: the same release as the zap-2.8.0.jar launched by the sample test below.
                   Both versions are pinned to what this guide was written against; check for a newer release before copying. -->
              <groupId>org.zaproxy</groupId> 
           <artifactId>zap</artifactId> 
           <version>2.8.0</version>
        </dependency>
        <dependency> 
           <!-- Java client for the ZAP REST API (the ClientApi / Core classes used in the sample test). -->
           <groupId>org.zaproxy</groupId>
            <artifactId>zap-clientapi</artifactId>
            <version>1.7.0</version> 
       </dependency>
    
  4. Add the ZAP proxy details to the browser options as follows:
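  /**
   * Builds a supplier of Chrome sessions whose HTTP and HTTPS traffic is routed through the
   * local ZAP proxy.
   *
   * <p>The proxy address defaults to {@code localhost:5555} (the port the sample test starts
   * ZAP on) and can be overridden with {@code -Dzap.proxy=host:port}.
   *
   * @param isHeadless run Chrome without a visible window
   * @return a supplier that creates a fresh {@link ChromeDriver} on every call
   */
  private static Supplier<WebDriver> getChromeDriver(boolean isHeadless) {
      HashMap<String, Object> prefs = new HashMap<>();
      prefs.put("profile.default_content_settings.popups", 0);

      ChromeOptions options = new ChromeOptions();
      // ZAP presents its own certificate when it intercepts HTTPS, so the browser has to
      // accept it. These two flags switch off TLS and mixed-content checks: keep them in the
      // test profile only, never in a profile used for real browsing.
      options.addArguments("--ignore-certificate-errors", "--allow-running-insecure-content");
      options.addArguments("--disable-extensions", "--start-maximized");
      options.setExperimentalOption("prefs", prefs);
      if (isHeadless) {
          // One flag per argument: a single space-separated string is handed to Chrome as one
          // switch and is not reliably split, so the flags after the first are ignored.
          options.addArguments("--headless", "--hide-scrollbars", "--disable-gpu");
      }

      // Route both HTTP and HTTPS through ZAP.
      String proxyAddress = System.getProperty("zap.proxy", "localhost:5555");
      Proxy proxy = new Proxy();
      proxy.setHttpProxy(proxyAddress).setSslProxy(proxyAddress);
      options.setProxy(proxy);

      return () -> new ChromeDriver(options);
  }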
    
  6. Here is a sample script to test ZAP locally:
  7. package com.selcukes.tests;
    
    import java.io.File;
    import java.io.FileOutputStream;
    import java.io.IOException;
    import java.net.InetSocketAddress;
    import java.net.Socket;
    import java.nio.file.Files;
    import java.nio.file.Path;
    import java.nio.file.Paths;
    import java.util.concurrent.TimeUnit;
    import org.openqa.selenium.WebDriver;
    import org.testng.annotations.AfterTest;
    import org.testng.annotations.BeforeTest;
    import org.testng.annotations.Test;
    import org.zaproxy.clientapi.core.ClientApi;
    import org.zaproxy.clientapi.gen.Core;
    
    import com.selcukes.util.WebDriverFactory;
    
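    /**
     * TestNG sample that starts a local ZAP daemon, drives a browser through it and writes the
     * ZAP HTML report when the test finishes.
     *
     * <p>Configuration is read at runtime so that neither a secret nor a machine-specific path
     * has to live in the source:
     * <ul>
     *   <li>{@code zap.apiKey} system property or {@code ZAP_API_KEY} environment variable:
     *       the API key handed to the daemon and used by the client (required);</li>
     *   <li>{@code zap.home} system property: the ZAP installation directory
     *       (defaults to {@code C:/Program Files/OWASP/Zed Attack Proxy}).</li>
     * </ul>
     */
    public class ZapMockTest {
        WebDriver driver;
        private static final String ZAP_ADDRESS = "localhost";
        private static final int ZAP_PORT = 5555;
        // Resolved from the environment; a key committed in source is a leaked secret. May be
        // null here, startZap() rejects that with a clear message.
        private static final String ZAP_API_KEY =
                System.getProperty("zap.apiKey", System.getenv("ZAP_API_KEY"));
        private static final String DEFAULT_ZAP_HOME = "C:/Program Files/OWASP/Zed Attack Proxy";
        private static final String ZAP_JAR = "zap-2.8.0.jar";
        private static final String REPORT_FILE = "ZAPReport.html";
        // How long to wait for the daemon to accept connections before giving up.
        private static final long STARTUP_TIMEOUT_MILLIS = 60_000L;

        // Handle on the daemon launched by startZap(), so it can be killed if shutdown fails.
        private Process zapProcess;

        /**
         * Launches ZAP as a daemon on {@link #ZAP_PORT} and blocks until it accepts TCP connections.
         *
         * @throws IllegalStateException if no API key is configured, the daemon exits during
         *         startup, or it does not start listening within the timeout
         * @throws IOException if the ZAP jar cannot be started
         * @throws InterruptedException if interrupted while waiting for the daemon
         */
        private void startZap() throws IOException, InterruptedException {
            if (ZAP_API_KEY == null || ZAP_API_KEY.trim().isEmpty()) {
                throw new IllegalStateException(
                        "ZAP API key not configured: set -Dzap.apiKey=... or the ZAP_API_KEY environment variable");
            }
            Path zapHome = Paths.get(System.getProperty("zap.home", DEFAULT_ZAP_HOME)).toAbsolutePath();

            System.out.println("Starting ZAP...");
            ProcessBuilder pb = new ProcessBuilder(
                    "java", "-jar", zapHome.resolve(ZAP_JAR).toString(),
                    "-daemon",
                    "-port", Integer.toString(ZAP_PORT),
                    // Same key on both sides, so the client calls in generateZapReport() are
                    // authorised. Note the key is visible in local process listings this way;
                    // acceptable on a developer box, reconsider on a shared host.
                    "-config", "api.key=" + ZAP_API_KEY);
            pb.directory(zapHome.toFile());
            // Let ZAP's output flow to ours; an unread pipe would eventually block the daemon.
            pb.inheritIO();
            zapProcess = pb.start();

            System.out.println("Waiting for ZAP...");
            waitForZap(zapProcess);
        }

        /**
         * Polls {@link #ZAP_PORT} until a TCP connection succeeds, failing fast if the daemon dies.
         *
         * @param process the daemon being started
         * @throws IllegalStateException if the process exits or the timeout elapses
         * @throws InterruptedException if interrupted while sleeping between attempts
         */
        private static void waitForZap(Process process) throws InterruptedException {
            long deadline = System.currentTimeMillis() + STARTUP_TIMEOUT_MILLIS;
            while (System.currentTimeMillis() < deadline) {
                if (!process.isAlive()) {
                    throw new IllegalStateException(
                            "ZAP exited during startup with code " + process.exitValue());
                }
                try (Socket socket = new Socket()) {
                    socket.connect(new InetSocketAddress(ZAP_ADDRESS, ZAP_PORT), 1000);
                    return;
                } catch (IOException notListeningYet) {
                    // Expected until the daemon has bound its port; back off and retry.
                    Thread.sleep(500);
                }
            }
            throw new IllegalStateException("ZAP did not start listening on port " + ZAP_PORT
                    + " within " + STARTUP_TIMEOUT_MILLIS + " ms");
        }

        /**
         * Writes the ZAP HTML report to {@code ZAPReport.html} in the working directory and then
         * shuts the daemon down. The shutdown request is sent even if writing the report fails.
         *
         * @throws Exception if the ZAP API call or the file write fails
         */
        public void generateZapReport() throws Exception {
            ClientApi clientApi = new ClientApi(ZAP_ADDRESS, ZAP_PORT, ZAP_API_KEY);
            Core core = new Core(clientApi);
            try {
                Path report = Paths.get(REPORT_FILE);
                Files.write(report, core.htmlreport());
                System.out.println("ZAP report written to " + report.toAbsolutePath());
            } finally {
                core.shutdown();
            }
        }

        /**
         * Kills the daemon if the API shutdown did not end it, so no orphaned ZAP keeps the port.
         *
         * @throws InterruptedException if interrupted while waiting for the process to exit
         */
        private void stopZap() throws InterruptedException {
            if (zapProcess == null) {
                return;
            }
            if (!zapProcess.waitFor(10, TimeUnit.SECONDS)) {
                zapProcess.destroy();
            }
        }

        /** Starts the ZAP daemon before any test in this suite runs. */
        @BeforeTest
        public void beforeTest() throws IOException, InterruptedException {
            startZap();
        }

        /** Opens one page through the ZAP proxy; the traffic this generates is what the report covers. */
        @Test
        public void zapTest() throws InterruptedException {
            System.setProperty("browser", "chrome");
            driver = WebDriverFactory.createWebDriver();
            driver.get("https://techyworks.blogspot.com");
        }

        /**
         * Closes the browser, writes the report and shuts ZAP down. Each step runs even if the
         * previous one failed (e.g. no driver because the test never created one), so the daemon
         * is not left running.
         */
        @AfterTest
        public void afterTest() throws Exception {
            try {
                if (driver != null) {
                    driver.quit();
                }
            } finally {
                try {
                    generateZapReport();
                } finally {
                    stopZap();
                }
            }
        }
    }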