DEV Community

Mr Elite

Originally published at securityelites.com

OWASP ZAP Tutorial 2026 — Automated Web Scanning, Spider & Active Attack | Kali Linux Tools Day24



Part of the 180-Day Kali Linux Mastery Course

Day 24 of 180 · 13.3% complete

⚠️ Authorised Targets Only. OWASP ZAP active scanning sends attack payloads — never run active scans against systems without explicit written authorisation. Use DVWA, HackTheBox, TryHackMe, or your own lab for all exercises. Passive scanning and spidering against your own applications in development is fine.

Fierce gave me the DNS map. Shodan gave me the service fingerprint. Now I’ve got a list of live web applications and I need to find what’s actually vulnerable in them. That’s where OWASP ZAP comes in — it’s the automated scanner I run before I start manual testing. Not because it finds everything (it doesn’t), but because it finds the obvious misconfigurations and baseline vulnerabilities in 20 minutes so I can spend my manual testing time on the interesting, logic-layer stuff that no scanner touches. Free, open source, and good enough to have replaced commercial scanners on plenty of engagements. Let me show you exactly how I use it.

🎯 What You’ll Master in Day 24

Configure OWASP ZAP as a browser proxy and understand its scanning architecture
Run spider, passive scan, and active scan against a practice target
Use the AJAX Spider for JavaScript-heavy single-page applications
Interpret ZAP’s alert severity and confidence ratings correctly
Generate professional scan reports and integrate ZAP into a CLI pipeline

⏱️ 40 min read · 3 exercises · Day 24 of 180

✅ Before You Start

- Day 23: Fierce DNS Recon — DNS reconnaissance is complete. The live host list from Day 23 feeds into ZAP scanning today.
- DVWA running locally at http://localhost/dvwa/ for the active scan lab.
- OWASP ZAP is pre-installed in Kali — launch it with zaproxy from a terminal.

📋 Day 24 — OWASP ZAP Tutorial

1. ZAP’s Architecture — The Four Scanning Modes
2. Installation and Proxy Setup in Kali 2026
3. Spider and AJAX Spider — Mapping the Attack Surface
4. Active Scan — Finding Real Vulnerabilities
5. Reading Alerts and Generating Reports
6. ZAP CLI and Pipeline Integration

After Day 23’s Fierce DNS recon surfaced the live web applications on my target scope, the next phase is systematic vulnerability scanning. ZAP is where I start — it’s the closest thing to ‘run it and see what lights up’ that I trust in a professional context. The Kali Linux Mastery Course builds the complete assessment workflow: recon → scanning → manual exploitation.

ZAP’s Architecture — The Four Scanning Modes

ZAP operates as an intercepting proxy sitting between your browser and the target. Every request and response passes through it. That’s the foundation for all four of its scanning modes.

Passive scanning runs continuously as you browse — ZAP analyses the traffic already flowing through the proxy without sending any additional requests to the target. Active scanning sends deliberate attack payloads against every parameter it knows about. The spider crawls the application by following HTML links and form actions to discover URLs. The AJAX spider drives a real browser (headless by default) to render JavaScript and discover dynamically loaded content that the traditional spider never sees. Only passive scanning is truly request-free: both spiders generate their own traffic, so even on a staging system they can follow state-changing links such as logout or delete if you don’t exclude them from the context.

ZAP SCANNING MODES — QUICK REFERENCE

# Launch ZAP
zaproxy &                        # GUI mode (background)
zaproxy -daemon -port 8080       # Headless daemon mode; the REST API is served on the same port

# Quick Start — automated scan (GUI)
# Quick Start tab → URL to attack → Automated Scan → Attack
# This runs: spider + passive scan + active scan in sequence

# Proxy setup — route browser through ZAP
# Browser proxy: 127.0.0.1 port 8080
# Or use ZAP’s built-in browser: Tools → Open Browser

# Four modes summary
#   1. Passive scan — analyses traffic, no extra requests, safe for prod
#   2. Spider — follows HTML links to map URLs (sends its own requests)
#   3. AJAX Spider — browser-driven crawl for JS-rendered content
#   4. Active scan — sends attack payloads — AUTHORISED ONLY
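The same four-stage sequence the Quick Start runs, driven from a script against the headless daemon instead of the GUI. This is an added example written for this page, not code from ZAP or from the original article. It assumes ZAP was started with `zaproxy -daemon -port 8080 -config api.key=changeme` (the key value is hypothetical), that the DVWA lab from the prerequisites is the target, and that the constructed `SAMPLE_ALERTS` and `DEMO_REPLIES` stand in for a live ZAP when you run it with `--offline`. It goes a step beyond the page’s sequence: after the scan it triages the alerts by ZAP’s risk and confidence ratings, drops duplicate hits, and turns the result into an exit code, which is what a CI gate needs.

```python
# Added example for this tutorial (not ZAP project code): spider -> passive scan ->
# active scan -> alert triage, driven through the JSON API of a headless ZAP daemon.
import json
import sys
import time
import urllib.parse
import urllib.request

ZAP = "http://127.0.0.1:8080"      # -daemon -port 8080 serves the API on the proxy port
API_KEY = "changeme"               # hypothetical; must match -config api.key=changeme
TARGET = "http://localhost/dvwa/"  # the DVWA lab from the prerequisites

RISK_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}
CONF_RANK = {"False Positive": 0, "Low": 1, "Medium": 2, "High": 3, "User Confirmed": 4}

# Constructed sample in the shape core/view/alerts returns (plugin IDs are ZAP's own)
SAMPLE_ALERTS = [
    {"pluginId": "40018", "alert": "SQL Injection", "risk": "High", "confidence": "Medium",
     "url": "http://localhost/dvwa/vulnerabilities/sqli/", "param": "id"},
    {"pluginId": "40018", "alert": "SQL Injection", "risk": "High", "confidence": "Medium",
     "url": "http://localhost/dvwa/vulnerabilities/sqli/", "param": "id"},  # duplicate hit
    {"pluginId": "40012", "alert": "Cross Site Scripting (Reflected)", "risk": "High",
     "confidence": "Low", "url": "http://localhost/dvwa/vulnerabilities/xss_r/", "param": "name"},
    {"pluginId": "10202", "alert": "Absence of Anti-CSRF Tokens", "risk": "Medium",
     "confidence": "Low", "url": "http://localhost/dvwa/login.php", "param": ""},
]
# Canned API replies keyed by path suffix, so the pipeline can be exercised offline
DEMO_REPLIES = {"/action/scan/": {"scan": "1"},            # scan actions return the scan id
                "/view/status/": {"status": "100"},         # percent complete
                "/view/recordsToScan/": {"recordsToScan": "0"},  # passive queue drained
                "/view/alerts/": {"alerts": SAMPLE_ALERTS}}


def api_url(base, component, kind, name, **params):
    """{base}/JSON/{component}/{action|view}/{name}/?k=v... as ZAP's API expects it."""
    query = urllib.parse.urlencode({k: v for k, v in params.items() if v is not None})
    return f"{base}/JSON/{component}/{kind}/{name}/?{query}"


def http_get_json(url):
    with urllib.request.urlopen(url, timeout=30) as resp:   # live transport
        return json.loads(resp.read().decode())


def demo_transport(url):
    """Offline stand-in for http_get_json."""
    path = urllib.parse.urlparse(url).path
    return next(reply for suffix, reply in DEMO_REPLIES.items() if path.endswith(suffix))


class ZapClient:
    def __init__(self, base=ZAP, api_key=API_KEY, transport=http_get_json):
        self.base, self.api_key, self.transport = base, api_key, transport

    def call(self, component, kind, name, **params):
        return self.transport(api_url(self.base, component, kind, name, apikey=self.api_key, **params))

    def wait(self, component, scan_id, poll):
        while int(self.call(component, "view", "status", scanId=scan_id)["status"]) < 100:
            time.sleep(poll)

    def run_pipeline(self, target, active=True, poll=2.0):
        # 1. Spider: follows HTML links to map URLs (its own requests, no attack payloads)
        self.wait("spider", self.call("spider", "action", "scan", url=target)["scan"], poll)
        # 2. Passive rules run on everything the spider fetched; drain the queue first
        while int(self.call("pscan", "view", "recordsToScan")["recordsToScan"]) > 0:
            time.sleep(poll)
        # 3. Active scan sends attack payloads: authorised targets only
        if active:
            self.wait("ascan", self.call("ascan", "action", "scan", url=target)["scan"], poll)
        # 4. Everything ZAP raised against the target
        return self.call("core", "view", "alerts", baseurl=target)["alerts"]


def triage(alerts, min_risk="Medium", min_confidence="Medium"):
    """Drop alerts below the floor, dedupe on (plugin, url, param), worst first."""
    seen, kept = set(), []
    for a in alerts:
        key = (a.get("pluginId"), a["url"], a.get("param", ""))
        if (key in seen or RISK_RANK.get(a["risk"], 0) < RISK_RANK[min_risk]
                or CONF_RANK.get(a["confidence"], 0) < CONF_RANK[min_confidence]):
            continue
        seen.add(key)
        kept.append(a)
    return sorted(kept, key=lambda a: (-RISK_RANK.get(a["risk"], 0), -CONF_RANK.get(a["confidence"], 0)))


def gate(alerts, fail_on="High"):
    """CI gate: True (pass) unless an alert is at or above the fail_on risk level."""
    return not any(RISK_RANK.get(a["risk"], 0) >= RISK_RANK[fail_on] for a in alerts)


if __name__ == "__main__":
    offline = "--offline" in sys.argv
    client = ZapClient(transport=demo_transport if offline else http_get_json)
    findings = triage(client.run_pipeline(TARGET, poll=0 if offline else 2.0))
    for a in findings:
        print(f"[{a['risk']}/{a['confidence']}] {a['alert']} {a['url']} param={a.get('param', '')}")
    sys.exit(0 if gate(findings) else 1)
```

Run it with no arguments against a live daemon, or with `--offline` to exercise the triage logic on the canned replies. `active=False` gives a spider-plus-passive baseline for the environments where attack payloads are off the table, which is exactly the production versus staging decision Exercise 1 asks you to make. The default floor of Medium risk and Medium confidence is deliberate: a Low-confidence High (the reflected XSS in the sample) is a lead for manual testing, not something to fail a build on until a human has confirmed it.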

Installation and Proxy Setup in Kali 2026

ZAP is pre-installed in Kali Linux 2026. The main thing you need to configure is ZAP’s root CA certificate. To inspect HTTPS, ZAP terminates the TLS connection itself and hands the browser a per-site certificate it forges on the fly, signed by its own root CA. Until the browser trusts that root, every HTTPS page behind the proxy fails with a certificate error and no application data reaches ZAP for inspection.

ZAP SETUP — PROXY AND ROOT CA CERTIFICATE

# Verify ZAP is installed
which zaproxy                  # /usr/bin/zaproxy if installed
sudo apt install -y zaproxy    # Install if missing

# Export ZAP’s root CA certificate
# ZAP → Tools → Options → Network → Server Certificates → Save Root CA Certificate
# Save as: zap-root-ca.cer

# Import the CA cert into Firefox (for HTTPS interception)
# Firefox → Settings → Privacy & Security → Certificates → View Certificates → Authorities → Import
# Select: zap-root-ca.cer → tick “Trust this CA to identify websites”

# Set the browser proxy to ZAP
# Firefox → Settings → Network Settings → Manual proxy configuration → HTTP Proxy 127.0.0.1, Port 8080
# Tick “Also use this proxy for HTTPS” or HTTPS traffic bypasses ZAP

# Or use ZAP’s built-in browser (no proxy or certificate setup needed)
# ZAP → Tools → Open Browser → Chromium, or Quick Start → Manual Explore → Launch Browser
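The certificate and proxy steps above done from the command line, as an added example written for this page (my code, not ZAP’s and not from the original article). It assumes ZAP is listening on 127.0.0.1:8080 with a hypothetical API key of `changeme`, and that https://example.com/ is reachable through the proxy; the PEM bundle in the test is constructed, not a real certificate. ZAP’s `/OTHER/core/other/rootcert/` endpoint returns the same root CA the GUI saves. The two `check_interception` calls at the end show the failure mode the section describes: with only the system trust store, the per-site certificate ZAP forges fails verification; with the exported root loaded, the same request succeeds.

```python
# Added example for this tutorial (not ZAP project code): the certificate steps above
# done from the command line, then a check that HTTPS really is being intercepted.
import ssl
import urllib.error
import urllib.request

ZAP = "http://127.0.0.1:8080"
API_KEY = "changeme"   # hypothetical; match your -config api.key=... (or api.disablekey=true)
PEM_BEGIN, PEM_END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"


def pem_certificates(text):
    """Split a PEM bundle into individual certificate blocks, markers included."""
    blocks, buf, inside = [], [], False
    for line in (ln.strip() for ln in text.splitlines()):
        if line == PEM_BEGIN:
            inside, buf = True, [line]
        elif line == PEM_END and inside:
            blocks.append("\n".join(buf + [line]) + "\n")
            inside = False
        elif inside:
            buf.append(line)
    return blocks


def der_length(pem_block):
    """Bytes of DER, i.e. what a browser trust store actually loads from the .cer file."""
    return len(ssl.PEM_cert_to_DER_cert(pem_block))


def fetch_root_ca(base=ZAP, api_key=API_KEY, out_path="zap-root-ca.cer"):
    """CLI equivalent of Options → Network → Server Certificates → Save Root CA Certificate."""
    with urllib.request.urlopen(f"{base}/OTHER/core/other/rootcert/?apikey={api_key}", timeout=10) as r:
        certs = pem_certificates(r.read().decode())
    if len(certs) != 1:
        raise RuntimeError(f"expected one root certificate, got {len(certs)}")
    with open(out_path, "w") as fh:
        fh.write(certs[0])
    return out_path


def proxied_opener(proxy="127.0.0.1:8080", cafile=None):
    """urllib opener that tunnels HTTP and HTTPS through ZAP; verifies TLS against
    the system store by default, or only against cafile (ZAP's root) when given."""
    handlers = [urllib.request.ProxyHandler({"http": f"http://{proxy}", "https": f"http://{proxy}"}),
                urllib.request.HTTPSHandler(context=ssl.create_default_context(cafile=cafile))]
    return urllib.request.build_opener(*handlers)


def check_interception(url, cafile, proxy="127.0.0.1:8080"):
    """(ok, detail): ok is False when the per-site certificate ZAP forged is not trusted."""
    try:
        with proxied_opener(proxy, cafile).open(url, timeout=15) as resp:
            return True, f"HTTP {resp.status} through ZAP"
    except urllib.error.URLError as exc:
        if isinstance(exc.reason, ssl.SSLCertVerificationError):
            return False, f"TLS verification failed: {exc.reason.verify_message}"
        raise


if __name__ == "__main__":
    path = fetch_root_ca()
    with open(path) as fh:
        print(f"saved {path} ({der_length(fh.read())} DER bytes)")
    print(check_interception("https://example.com/", cafile=None))  # system store: fails
    print(check_interception("https://example.com/", cafile=path))  # ZAP root trusted: works
```

This is the same trust decision Firefox makes when you import the .cer: any client you route through ZAP (a scanner, a mobile app, a test harness) needs the root added to its own store, and a client that pins its server certificate will still refuse the connection no matter what you import.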

🧠 EXERCISE 1 — THINK LIKE A HACKER (15 MIN · NO TOOLS)
Design Your ZAP Scan Strategy Before Touching the Tool

⏱️ 15 minutes · No tools required

Before running any scan, the professional decision is: which mode do I use and in what order? Your answer changes the quality of results and the risk to the target. Work through this before you open ZAP.

SCENARIO: You have authorised access to test a web application.

The target has three environments:

– Production (live users, real data): api.target.com

– Staging (test data, same codebase): staging.target.com

– Dev (local Docker, no users): localhost:8080


