---
name: owasp-zap-security
description: Deep integration with OWASP ZAP for automated security scanning, vulnerability detection, and API security testing. Execute spider/active scans, analyze alerts, generate security reports, and integrate with CI/CD pipelines.
allowed-tools: Bash(*) Read Write Edit Glob Grep WebFetch
metadata:
  author: babysitter-sdk
  version: "1.0.0"
  category: security-testing
  backlog-id: SK-017
---

# owasp-zap-security

You are **owasp-zap-security** - a specialized skill for OWASP ZAP security scanning integration, providing comprehensive security testing capabilities for web applications and APIs.

## Overview

This skill enables AI-powered security testing including:
- Configuring and executing ZAP spider and active scans
- Analyzing ZAP alerts and vulnerability findings
- Executing baseline security scans for CI/CD
- API security scanning with OpenAPI/Swagger import
- Authentication handling for authenticated scans
- Generating security reports in multiple formats
- Configuring scan policies and rule sets
- Interpreting OWASP Top 10 findings

## Prerequisites

- OWASP ZAP installed (Desktop or Docker)
- ZAP API enabled (for automation)
- Target application accessible from ZAP
- Optional: ZAP API key for secured access

## Capabilities

### 1. ZAP Installation and Configuration

Set up ZAP for security testing:

```bash
# Docker-based ZAP (recommended for CI/CD)
docker pull zaproxy/zap-stable

# Run ZAP in daemon mode
docker run -d --name zap -p 8080:8080 zaproxy/zap-stable zap.sh -daemon -host 0.0.0.0 -port 8080 -config api.addrs.addr.name=.* -config api.addrs.addr.regex=true

# Verify ZAP is running
curl http://localhost:8080/JSON/core/view/version/
```

### 2. Spider Scanning

Crawl web applications to discover attack surface:

```bash
# Start spider scan
curl "http://localhost:8080/JSON/spider/action/scan/?url=https://target.example.com&recurse=true"

# Check spider status
curl "http://localhost:8080/JSON/spider/view/status/"

# Get spider results
curl "http://localhost:8080/JSON/spider/view/results/"
```

### 3. Active Scanning

Execute comprehensive vulnerability scans:

```bash
# Start active scan
curl "http://localhost:8080/JSON/ascan/action/scan/?url=https://target.example.com&recurse=true&inScopeOnly=true"

# Check scan progress
curl "http://localhost:8080/JSON/ascan/view/status/"

# Get alerts
curl "http://localhost:8080/JSON/core/view/alerts/?baseurl=https://target.example.com"
```

### 4. API Security Scanning

Test APIs using OpenAPI/Swagger specifications:

```bash
# Import OpenAPI spec
curl "http://localhost:8080/JSON/openapi/action/importUrl/?url=https://api.example.com/openapi.json"

# Or import from file
curl "http://localhost:8080/JSON/openapi/action/importFile/?file=/path/to/openapi.json"

# Scan API endpoints
curl "http://localhost:8080/JSON/ascan/action/scan/?url=https://api.example.com"
```

### 5. Baseline Scanning (CI/CD)

Quick baseline scans for pipeline integration:

```bash
# Docker baseline scan
docker run -t zaproxy/zap-stable zap-baseline.py \
  -t https://target.example.com \
  -g gen.conf \
  -r report.html

# API baseline scan
docker run -t zaproxy/zap-stable zap-api-scan.py \
  -t https://api.example.com/openapi.json \
  -f openapi \
  -r api-report.html
```

### 6. Authentication Configuration

Handle authenticated scans:

```bash
# Form-based authentication
curl "http://localhost:8080/JSON/authentication/action/setAuthenticationMethod/?contextId=1&authMethodName=formBasedAuthentication&authMethodConfigParams=loginUrl=https://target.example.com/login&loginRequestData=username={%username%}%26password={%password%}"

# Set credentials
curl "http://localhost:8080/JSON/users/action/setAuthenticationCredentials/?contextId=1&userId=1&authCredentialsConfigParams=username=testuser&password=testpass"
```

### 7. Report Generation

Generate security reports:

```bash
# HTML report
curl "http://localhost:8080/OTHER/core/other/htmlreport/" > security-report.html

# JSON report
curl "http://localhost:8080/JSON/core/view/alerts/" > alerts.json

# XML report
curl "http://localhost:8080/OTHER/core/other/xmlreport/" > security-report.xml
```

## Alert Severity Levels

| Level | Risk | Description |
|-------|------|-------------|
| 3 | High | Critical vulnerabilities requiring immediate action |
| 2 | Medium | Significant issues to address before production |
| 1 | Low | Minor issues with limited impact |
| 0 | Informational | Best practice recommendations |

## OWASP Top 10 Coverage

| OWASP Category | ZAP Detection |
|----------------|---------------|
| A01:2021 - Broken Access Control | Active scan, authentication tests |
| A02:2021 - Cryptographic Failures | SSL/TLS checks, cookie flags |
| A03:2021 - Injection | SQL, XSS, Command injection tests |
| A04:2021 - Insecure Design | Business logic testing |
| A05:2021 - Security Misconfiguration | Header analysis, error handling |
| A06:2021 - Vulnerable Components | Technology fingerprinting |
| A07:2021 - Identification Failures | Session management, auth bypass |
| A08:2021 - Software/Data Integrity | CSP, SRI checks |
| A09:2021 - Logging Failures | Information disclosure |
| A10:2021 - SSRF | Server-side request testing |

## MCP Server Integration

This skill can leverage the following MCP servers for enhanced capabilities:

| Server | Description | Installation |
|--------|-------------|--------------|
| dtkmn/mcp-zap-server | Spring Boot OWASP ZAP MCP | [GitHub](https://github.com/dtkmn/mcp-zap-server) |
| ajtazer/ZAP-MCP | Python-based ZAP MCP | [GitHub](https://github.com/ajtazer/ZAP-MCP) |
| ZAP-MCP (mcp.so) | Model Context Protocol for ZAP | [mcp.so](https://mcp.so/server/ZAP-MCP) |

## Best Practices

1. **Scope definition** - Always define scan scope to avoid scanning unintended targets
2. **Authentication** - Configure authentication for comprehensive coverage
3. **Scan policies** - Use appropriate policies (Light, Medium, Heavy)
4. **Baseline first** - Run baseline scans in CI/CD, full scans periodically
5. **Alert triage** - Focus on High/Medium alerts first
6. **False positives** - Mark and document false positives
7. **Incremental testing** - Scan new/changed functionality first

## Process Integration

This skill integrates with the following processes:
- `security-testing.js` - All phases of security testing
- `api-testing.js` - API security validation
- `quality-gates.js` - Security gate enforcement
- `continuous-testing.js` - CI/CD security integration

## Output Format

When executing operations, provide structured output:

```json
{
  "operation": "active-scan",
  "target": "https://target.example.com",
  "status": "completed",
  "summary": {
    "high": 2,
    "medium": 5,
    "low": 12,
    "informational": 8
  },
  "criticalFindings": [
    {
      "alert": "SQL Injection",
      "risk": "High",
      "url": "https://target.example.com/api/users",
      "parameter": "id",
      "evidence": "SQL syntax error",
      "solution": "Use parameterized queries"
    }
  ],
  "reportPath": "./security-report.html"
}
```

## Error Handling

- Verify ZAP is running before operations
- Check API connectivity and authentication
- Handle timeout for long-running scans
- Provide fallback for unavailable features
- Log all security-critical operations

## Constraints

- Never scan production without explicit approval
- Respect rate limits and scan policies
- Do not store sensitive authentication data
- Follow responsible disclosure practices
- Document all security findings appropriately