Download and install ZAPYou will need to download ZAP from http://code.google.com/p/zaproxy/downloads/list.
There are downloads available for Windows, Mac OS and Unix / Linux like operating system.
You will need to have Java 1.6 or higher also installed.
Once you have downloaded and installed ZAP, start it up.
On Windows an icon will have been created on your desktop and an entry added to the start menu.
On other operating systems use the zap.sh command line script.
Change your browser to use ZAP as a proxy
Change your browser to use ZAP as a proxy, so that all of the requests and responses to and from your application go via ZAP.
See Configuring Proxies help page or your browser's documentation if you are unsure of how to do this.
By default ZAP will listen on http://localhost:8080.
If necessary this can be changed via the Options connection screen.
Now try to connect to your application using your browser.
If you can not connect to it then check your proxy settings again. You will need to check your browser's proxy settings, and also ZAP's proxy settings. Its also worth checking that the application that you are trying to test is running!
When you have successfully connected to your application you will see one or more lines in ZAP's Sites and History tabs.
Note that most of ZAP's tabs provide additional functionality that can be accessed via 'right click' menus.
Explore your applicationUse your browser to explore all of the functionality provided by the application.
Follow all links, press all buttons and fill in and submit all forms.
Some automated security scanners just require you to login to your application and then explore it for you.
I do not recommend this approach.
It is much more effective to manually explore the application.
You are much more likely to submit valid data that will expose new functionality.
The automated scanner can supply the bad data in an attempt to compromise your application.
Save the ZAP sessionOnce you have manually explored the application it would be a good time to save the ZAP session so that you can look at it again.
If your application has multiple roles then you should explore it with each role and save the sessions in separate files.
What ZAP shows youZAP records all of the requests you make to the application and all of the responses you receive from it.
The Sites tab shows you a hierarchic representation of your requests, while the History tab shows them in the order you made them.
The History tab also shows you the HTTP response code, the time the request took and any Tags or Notes.
Tags are added automatically for pages that contain things like forms, hidden fields and scripts via the Passive Scanner.
These rules can be changed via the Options Passive Scan screen.
You can also tag requests manually.
Notes can contain much more information - they are for extra information that you want to record and are not generated automatically.
Clicking on an entry in either tab will show the details on the Request and Response tabs.
The History tab provides a filter dialog which allows you to restrict the requests listed to just the ones you are currently interested in.
The Search tab allows you to search for regular expressions in all of the URLs, requests and responses.
ZAP shows you all of the requests and responses that are going on 'under the covers' of your application.
This may be particularly revealing if the application uses AJAX requests to get information in the background.
Next we shall look at the automated tools the ZAP provides...