
OWASP ZAP Web Scanner.
Hosted. Without the Java jar.

ZAP — the Zed Attack Proxy — is, per the project, “the world's most widely used web app scanner.” It is a free, open-source DAST tool originally from OWASP, now an independent project stewarded by Checkmarx. VulnScanners runs it on our infrastructure with the spider, authentication, and active/passive rules pre-configured.

About the project

What is OWASP ZAP?

ZAP is a community-driven open-source DAST tool. It ships as a proxy plus scanner — applications are crawled (traditional or AJAX), traffic is inspected by passive rules, and the active scanner sends crafted payloads to confirm injection, XSS, configuration, and other classes of web-layer issues. VulnScanners runs the headless scanner core.

Steward
Checkmarx
Origin
OWASP flagship
Type
DAST / web scanner

Capabilities

What ZAP does

All features below come from upstream ZAP. We don't re-implement them — we host them.

Active scanner

Sends crafted requests to confirm injection, XSS, header, and configuration issues — including the Advanced SQL Injection add-on and DOM XSS rule.

Passive scanner

Inspects requests and responses as they pass through, surfacing misconfigured headers, cookies, and content issues without modifying traffic.

Traditional spider

Crawls server-rendered links to map application structure before scanning.

AJAX spider

Drives a headless browser to crawl modern JavaScript and single-page applications that the traditional spider can't reach.

Authentication support

Form, JSON, script-based, and HTTP authentication for scans that require an authenticated session.

Anti-CSRF token handling

Automatically refreshes CSRF tokens so the active scanner doesn't get blocked by token checks.

Why hosted

Same scanner. None of the operational tax.

No Java, no jar

ZAP is a Java app — VulnScanners runs the headless scanner so you don't install or maintain a JVM.

Static source IP

Scans originate from our fixed range — clients allowlist once and you avoid noisy WAF blocks from rotating residential IPs.

PDF report on every scan

Findings grouped by severity with full ZAP output preserved next to the client-ready deliverable.

Use cases

Where ZAP earns its keep

Web app security baseline

Run before launch or after a release to confirm common web-layer issues — injection, XSS, header, cookie, and config flaws — aren't shipping.

Recurring app monitoring

Re-scan client web properties periodically. Surface regressions like missing headers or newly exposed admin paths.

Authenticated assessments

Configure auth once and have ZAP exercise post-login surfaces — the parts of an app most static scans never reach.

One credit. One ZAP scan. One PDF.

Credit packs start at $10. No subscription, no seats, no overages.