ZAP by Checkmarx
ZAP by Checkmarx (formerly known as OWASP ZAP or Zed Attack Proxy) is the world's most widely used Dynamic Application Security Testing (DAST) scanner. It is a free, open-source tool designed to automatically find security vulnerabilities in web applications while they are running (also known as "black-box testing").
Originally an independent open-source project, ZAP's core team joined Checkmarx in 2024 to secure the project's long-term future. While it is now supported by Checkmarx's enterprise resources, it remains open-source and community-driven. It acts as a "Man-in-the-Middle" (MitM) proxy, sitting between the tester’s browser and the web application to intercept, inspect, and modify traffic.
Core Capabilities of ZAP
ZAP provides a comprehensive suite of tools for both automated scanners and manual penetration testers.
Automated Scanning
ZAP can be configured to run automatically in a CI/CD pipeline, allowing developers to catch security flaws early in the software development lifecycle.
Active Scanning: ZAP aggressively probes the application by sending malicious payloads (e.g., SQL injection strings) to identify vulnerabilities.
Passive Scanning: ZAP silently analyzes traffic flowing through the proxy without modifying it, looking for missing security headers, information leakage, or cookie flags.
Spidering:
Traditional Spider: Crawls the web application by parsing HTML to find links and forms.
AJAX Spider: Uses a headless browser to crawl modern, JavaScript-heavy applications (like Single Page Applications) that a traditional spider might miss.
Manual Penetration Testing Tools
For deeper investigations, ZAP offers features that allow security professionals to manually manipulate traffic.
Intercepting Proxy: Allows the user to pause requests and responses, modify them on the fly, and forward them to the destination.
Fuzzer: A powerful tool that allows testers to inject a large volume of random or invalid data into specific input fields to see how the application handles unexpected input.
WebSocket Support: ZAP can intercept and analyze messages sent over WebSocket connections, which are common in real-time applications.
Request & Response Breakpoints: Testers can set breakpoints to automatically stop execution when specific criteria are met, allowing for precise analysis of critical transactions.
How ZAP by Checkmarx Fits into Cybersecurity
ZAP plays a crucial role in a layered security strategy, specifically within the "Test" phase of DevSecOps.
Vulnerability Validation: It verifies whether a theoretical vulnerability (found by static code analysis) is actually exploitable in a running environment.
Compliance: It helps organizations meet regulatory requirements (like PCI DSS) that mandate regular application security testing.
API Security: ZAP can import API definitions (OpenAPI/Swagger, GraphQL) to automatically scan and attack API endpoints, ensuring backend services are secure.
Shift-Left Security: By integrating ZAP into build pipelines (e.g., Jenkins, GitHub Actions), teams can "break the build" if critical vulnerabilities are found, preventing insecure code from reaching production.
Frequently Asked Questions About ZAP by Checkmarx
Is ZAP by Checkmarx still free?
Yes. Despite the stewardship transition to Checkmarx, ZAP remains free and open-source software (FOSS). Checkmarx supports the core team to maintain the project for the community.
What is the difference between ZAP and Burp Suite?
Both are industry-standard web proxies.
ZAP is free, open-source, and arguably stronger for automated scanning and CI/CD integration due to its API-first design.
Burp Suite Professional is a commercial tool that is often preferred by advanced penetration testers for manual testing due to its polished user interface and advanced manual tools.
Can ZAP scan authenticated parts of an application?
Yes. ZAP has robust authentication support. It can handle complex login sequences, including form-based authentication, JSON-based authentication, and script-based authentication, allowing it to maintain a session while scanning protected areas of an application.
Does ZAP require an agent to be installed on the server?
No. As a DAST tool, ZAP is agentless. It interacts with the application strictly from the "outside," just like a real attacker or user would, making it easy to deploy without modifying the target server.
Combining ThreatNG and ZAP by Checkmarx for Comprehensive AppSec
Integrating ThreatNG’s External Attack Surface Management (EASM) with ZAP by Checkmarx (formerly OWASP ZAP) creates a robust security ecosystem. ThreatNG provides the broad, strategic visibility needed to identify what to scan, while ZAP provides the deep, tactical Dynamic Application Security Testing (DAST) capabilities to find exploitable vulnerabilities within those assets.
This complementary relationship ensures that no asset is left untested and that testing resources are focused on the most critical exposures.
Optimizing External Discovery for DAST
ThreatNG’s External Discovery capabilities solve one of the biggest challenges in DAST: knowing what to scan. ZAP requires a specific URL or target to function, but organizations often have unknown assets (Shadow IT) that never get added to the scan list.
Target Inventory Generation: ThreatNG performs purely external, unauthenticated discovery to map the entire digital footprint, including forgotten subdomains, marketing microsites, and development servers. This complete inventory is fed into ZAP, ensuring that the scanner covers the entire attack surface, not just the known "happy path" applications.
Shadow IT Identification: When ThreatNG discovers a new asset, such as a staging environment hosted on a cloud provider, it can automatically trigger ZAP to spider and scan that asset. This closes the gap between the deployment of a new service and its first security assessment.
Enhancing External Assessments with Active Verification
ThreatNG performs high-level assessments to identify susceptibility. ZAP acts as the validation engine, proving whether those susceptibilities can be actively exploited.
Web Application Hijack Susceptibility
ThreatNG Role: ThreatNG analyzes security headers to grade susceptibility. It identifies subdomains missing critical headers like Content-Security-Policy (CSP), HTTP Strict-Transport-Security (HSTS), and X-Frame-Options. It also flags the use of deprecated headers.
ZAP Role: Using this intelligence, ZAP can launch targeted attacks. For example, if ThreatNG reports a missing Content-Security-Policy, ZAP’s active scanner can attempt Cross-Site Scripting (XSS) injections to demonstrate that malicious scripts can indeed be executed. If X-Frame-Options is missing, ZAP can test for Clickjacking vulnerabilities.
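The header-based grading described above (and the passive header check mentioned earlier under Passive Scanning) can be reproduced offline on captured response headers. The following is an added example, not code from ZAP or ThreatNG: it treats Content-Security-Policy, Strict-Transport-Security and X-Frame-Options as the critical headers, accepts a CSP frame-ancestors directive as a substitute for X-Frame-Options, flags a short HSTS max-age and permissive CSP sources as weak, and reports deprecated headers. The deprecated-header list, the one-year HSTS threshold, the letter grades and the two sample hosts are assumptions constructed for the example.

```python
"""Passive security-header grading over captured HTTP response headers.

Added example; the sample hosts and headers below are constructed, not
observations from a real site.
"""
from dataclasses import dataclass, field

# Headers the page names as critical (compared case-insensitively).
CRITICAL = ("content-security-policy", "strict-transport-security", "x-frame-options")
# Assumption: these are the deprecated headers a grader should flag.
DEPRECATED = ("x-xss-protection", "public-key-pins", "expect-ct")
ONE_YEAR = 31536000  # seconds; assumed minimum HSTS max-age


@dataclass
class HeaderReport:
    host: str
    missing: list = field(default_factory=list)
    weak: list = field(default_factory=list)
    deprecated: list = field(default_factory=list)

    @property
    def grade(self) -> str:
        """Assumed scale: any missing critical header fails outright."""
        if self.missing:
            return "F"
        if self.weak:
            return "C"
        if self.deprecated:
            return "B"
        return "A"


def _csp_directives(value: str) -> dict:
    """Split a CSP value into {directive: [sources]}."""
    out = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return out


def grade_headers(host: str, headers: dict) -> HeaderReport:
    h = {k.lower(): v for k, v in headers.items()}
    rep = HeaderReport(host)
    csp = _csp_directives(h.get("content-security-policy", ""))

    for name in CRITICAL:
        if name in h:
            continue
        # CSP frame-ancestors covers the X-Frame-Options use case.
        if name == "x-frame-options" and "frame-ancestors" in csp:
            continue
        rep.missing.append(name)

    hsts = h.get("strict-transport-security")
    if hsts:
        max_age = 0
        for directive in hsts.split(";"):
            d = directive.strip().lower()
            if d.startswith("max-age="):
                try:
                    max_age = int(d.split("=", 1)[1])
                except ValueError:
                    max_age = 0
        if max_age < ONE_YEAR:
            rep.weak.append(f"strict-transport-security max-age={max_age} below one year")

    for directive in ("script-src", "default-src"):
        srcs = csp.get(directive, [])
        if "'unsafe-inline'" in srcs or "*" in srcs:
            rep.weak.append(f"content-security-policy {directive} permits unsafe-inline or *")

    rep.deprecated.extend(name for name in DEPRECATED if name in h)
    return rep


# Constructed sample: one hardened host, one legacy host.
SAMPLE_HOSTS = {
    "www.example.test": {
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
        "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    },
    "legacy.example.test": {
        "Strict-Transport-Security": "max-age=300",
        "X-XSS-Protection": "1; mode=block",
    },
}

if __name__ == "__main__":
    for host, headers in SAMPLE_HOSTS.items():
        r = grade_headers(host, headers)
        print(host, r.grade, "missing:", r.missing, "weak:", r.weak, "deprecated:", r.deprecated)
```

Feeding the report into a ZAP run is then a matter of prioritising hosts by grade; the same function can be applied to headers exported from ZAP's passive-scan alerts to confirm a finding from a second source.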
Subdomain Takeover Susceptibility
ThreatNG Role: ThreatNG identifies "dangling DNS" risks by finding subdomains that point to third-party services (like AWS S3, Heroku, or GitHub) that are no longer claimed. It cross-references CNAME records against a comprehensive vendor list.
ZAP Role: ZAP can be directed to request these specific subdomains. By analyzing the HTTP response codes (e.g., a 404 from an S3 bucket or a specific "There's nothing here" message from Heroku), ZAP validates that the resource is indeed unclaimed and that an attacker could register it to launch phishing attacks or serve malware.
Mobile App Exposure
ThreatNG Role: ThreatNG scans mobile applications in marketplaces for hardcoded secrets, such as AWS API keys, Google Cloud tokens, or Firebase URLs.
ZAP Role: Security teams can extract these endpoints and credentials and use ZAP to test the backend APIs they connect to. ZAP can attempt to use the leaked keys to perform unauthorized actions or fuzz the API endpoints to find Broken Object Level Authorization (BOLA) vulnerabilities.
Investigation Modules Driving Focused Scanning
ThreatNG’s investigation modules provide deep context that allows ZAP to run more efficient and effective scans.
Technology Stack Investigation
Context: ThreatNG identifies nearly 4,000 technologies, categorizing them into groups like Collaboration, E-commerce, and DevOps. It reveals the specific vendors and software versions running on a target (e.g., "Magento 2.4" or "Apache Struts").
ZAP Optimization: With this knowledge, ZAP can be configured to use specific "Technology" contexts. If ThreatNG identifies that a site is running WordPress, ZAP can enable specific WordPress plug-in scanners and disable irrelevant checks (like those for IIS or Java), making the scan faster and more accurate.
Sensitive Code Exposure
Context: This module finds public code repositories that leak API Keys, Database Credentials, and Configuration Files.
ZAP Optimization: If ThreatNG finds a leaked API schema or a Postman collection in a public repo, this structural data can be imported into ZAP. This allows ZAP to thoroughly test the API, including endpoints that standard spidering would miss because they aren't linked from a homepage.
Search Engine Exploitation
Context: ThreatNG analyzes Robots.txt and Security.txt files to find sensitive directories or admin panels that the organization tried to hide but accidentally indexed.
ZAP Optimization: ZAP’s "Forced Browse" or directory brute-forcing tools can be prioritized on these paths. If ThreatNG flags a /admin-backup directory in robots.txt, ZAP can immediately target it for authentication bypass vulnerabilities or default-credential attacks.
Leveraging Intelligence Repositories
ThreatNG’s DarCache repositories provide threat intelligence that prioritizes ZAP findings.
Vulnerability Intelligence (NVD, KEV, EPSS): If ZAP reports a finding (e.g., "OpenSSL Heartbleed"), it might just look like one of many bugs. ThreatNG correlates this with KEV (Known Exploited Vulnerabilities) data. If the specific vulnerability found by ZAP is actively being exploited in the wild, ThreatNG elevates the urgency of remediation.
Ransomware Groups: If ZAP finds an entry point (like an unpatched VPN gateway), ThreatNG can correlate this with its Ransomware repository to warn that "Ransomware Group X" is currently targeting this specific gateway technology, adding critical business context to the technical finding.
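The KEV correlation described here, together with the "break the build" gate from the Shift-Left Security point earlier on the page, can be expressed as a small pipeline step that reads a ZAP JSON report. The following is an added example, not code shipped by ZAP, Checkmarx or ThreatNG. It assumes the traditional ZAP JSON report shape (a top-level site list, each with an alerts list carrying riskcode, confidence, alert and free-text reference/desc fields), extracts CVE identifiers from those text fields by pattern, and elevates any alert whose CVE appears in a supplied KEV-style set to "Critical" before applying the failure threshold. The report, its plugin ids and the CVE identifier are constructed placeholders.

```python
"""CI gate over a ZAP JSON report, with KEV-style enrichment.

Added example; SAMPLE_REPORT and SAMPLE_KEV are constructed placeholders,
not real scan output or a real KEV feed.
"""
import json
import re

# ZAP riskcode values: 0 info, 1 low, 2 medium, 3 high.
RISK = {"0": "Informational", "1": "Low", "2": "Medium", "3": "High"}
ORDER = ["Informational", "Low", "Medium", "High", "Critical"]
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}", re.IGNORECASE)


def parse_alerts(report_text: str):
    """Flatten site[].alerts[] (assumed report shape), dropping alerts ZAP marked as false positives."""
    report = json.loads(report_text)
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            if str(alert.get("confidence")) == "0":  # confidence 0 = false positive in ZAP
                continue
            text = " ".join(str(alert.get(k, "")) for k in ("reference", "desc", "otherinfo"))
            yield {
                "site": site.get("@name", ""),
                "name": alert.get("alert", alert.get("name", "")),
                "pluginid": str(alert.get("pluginid", "")),
                "risk": RISK.get(str(alert.get("riskcode")), "Informational"),
                "cves": sorted({m.upper() for m in CVE_RE.findall(text)}),
            }


def enrich(alerts, kev_ids) -> list:
    """Raise any finding whose CVE is in the KEV set to Critical and record the match."""
    kev = {c.upper() for c in kev_ids}
    out = []
    for a in alerts:
        hits = [c for c in a["cves"] if c in kev]
        a = dict(a, kev=hits)
        if hits:
            a["risk"] = "Critical"
        out.append(a)
    return out


def gate(report_text: str, kev_ids, fail_on: str = "High") -> dict:
    """Return fail=True when any enriched finding is at or above fail_on."""
    findings = enrich(parse_alerts(report_text), kev_ids)
    threshold = ORDER.index(fail_on)
    blocking = [f for f in findings if ORDER.index(f["risk"]) >= threshold]
    return {"fail": bool(blocking), "blocking": blocking, "findings": findings}


# Constructed sample report: a medium header finding, a medium library finding
# referencing a placeholder CVE, and a high alert already marked false positive.
SAMPLE_REPORT = json.dumps({
    "@programName": "ZAP",
    "site": [{
        "@name": "https://app.example.test",
        "alerts": [
            {"pluginid": "10038", "alert": "Content Security Policy (CSP) Header Not Set",
             "riskcode": "2", "confidence": "3", "reference": "", "desc": "CSP header missing."},
            {"pluginid": "10003", "alert": "Vulnerable JS Library",
             "riskcode": "2", "confidence": "2", "reference": "",
             "desc": "Bundled library affected by CVE-1900-0001 (placeholder)."},
            {"pluginid": "99999", "alert": "Triaged as false positive",
             "riskcode": "3", "confidence": "0", "desc": ""},
        ],
    }],
})
SAMPLE_KEV = {"CVE-1900-0001"}  # placeholder KEV-style set

if __name__ == "__main__":
    result = gate(SAMPLE_REPORT, SAMPLE_KEV)
    for f in result["findings"]:
        print(f["risk"], f["pluginid"], f["name"], f["kev"])
    raise SystemExit(1 if result["fail"] else 0)
```

Without the KEV set both findings stay at Medium and a High threshold lets the build pass; with it, the library finding is elevated and the build fails, which is the behaviour the page attributes to the correlation. The exit code in the main block is what a pipeline step would consume.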
Unified Reporting and Continuous Monitoring
The combination of EASM and DAST streamlines the reporting and monitoring lifecycle.
Continuous Monitoring Loop: ThreatNG continuously monitors the attack surface. When a change is detected—such as a new port opening or a technology version change—it can trigger an automated ZAP scan. This "event-driven" scanning is more efficient than scheduled scanning.
Holistic Reporting: ThreatNG’s reporting capabilities, including SEC Filings and GRC Assessment Mappings (PCI DSS, HIPAA, GDPR), are enriched by ZAP’s validation. A ThreatNG report might state, "We found a potential SQL Injection risk due to legacy code," and the ZAP data adds, "Verified: SQL Injection payload was successfully executed," providing auditors with concrete proof of risk.
Frequently Asked Questions
Does ThreatNG replace the need for ZAP?
No. ThreatNG identifies assets and assesses their configuration and reputation externally. ZAP interacts with the application logic to find vulnerabilities in the code itself. They address different layers of security.
How does this integration reduce false positives?
ThreatNG helps filter the noise. By identifying which assets are actually "live" and the technologies they use, ZAP avoids running irrelevant tests (such as testing for Windows vulnerabilities on a Linux server), thereby reducing the number of false-positive reports.
Can this combination help with API security?
Yes. ThreatNG discovers the API endpoints (via subdomain discovery and mobile app analysis), and ZAP provides the specialized scanning tools to test those APIs for logic flaws and injection attacks.