OWASP ZAP Online Scan

Website and web application vulnerability scanner

ZAP Scanner Highlights

Industry-trusted web application vulnerability scanner.

XSS and other OWASP Top 10 security risks.

Crawls traditional html websites and modern javascript single-page-applications (SPAs) built with React, Angular, or Vue.JS.

Discover vulnerable JavaScript libraries.

More thoroughly scan your APIs by providing an OpenAPI template.

The HostedScan Platform Advantage

Always up-to-date ZAP scanner installation.

Authenticated web application scans using a recorded login.

Risk management platform to track vulnerabilities and reduce noise.

Continuous monitoring with scheduled scans.

Automatic alerts for new vulnerabilities.

OWASP Security Scan Details

HostedScan provides two OWASP security scans to meet the needs of every user. Both scans use the OWASP ZAP (Zaproxy) scanner , a leading open source project used by many large players in the security industry. These scans test websites and web apps for OWASP Top 10 risks and more.

The Passive Scan

Loads the pages of a website and checks for vulnerabilities such as cross-domain misconfigurations, insecure cookies, and vulnerable js dependencies (see table below for full list). This scan completes within several minutes.

The Active Scan

Submits forms and makes requests to the web application to test for vulnerabilities such as SQL injection, remote command execution, and cross-site scripting (see table below for full list). The active scan is not destructive, but it may send thousands of requests to a web application while thoroughly testing for all vulnerabilities. Make sure you have permission from the application owner to run this scan. This scan may take up to several hours, depending on the scanned target.

Scan CapabilityPassive ScanActive Scan
Application Error Disclosure
Big Redirect Detected (Potential Sensitive Information Leak)
Cookie Poisoning
Cross-Domain JavaScript Source File Inclusion
Information Disclosure - Debug Error Messages
Information Disclosure - Sensitive Information in HTTP Referrer Header
Information Disclosure - Sensitive Information in URL
Information Disclosure - Suspicious Comments
PII Disclosure
Private IP Disclosure
Username Hash Found
X-Backend-Server Header Information Leak
X-ChromeLogger-Data (XCOLD) Header Information Leak
X-Debug-Token Information Leak
.env Information Leak
.htaccess Information Leak
ELMAH Information Leak
Spring Actuator Information Leak
Trace.axd Information Leak
Scan CapabilityPassive ScanActive Scan
Charset Mismatch
Content-Type Header Missing
Cookie No HttpOnly Flag
Cookie Without Secure Flag
Cross-Domain Misconfiguration
Directory Browsing
HTTP Server Response Header
Loosely Scoped Cookie
Modern Web Application
Re-examine Cache-control Directives
Retrieved from Cache
Secure Pages Include Mixed Content
Stats Passive Scan Rule
Strict-Transport-Security Header
X-AspNet-Version Response Header
Weak Authentication Method
Directory Browsing (Active mode only)
Scan CapabilityPassive ScanActive Scan
SQL Injection
XPath Injection
XSLT Injection
Remote Code Execution - CVE-2012-1823
Remote File Inclusion
Remote OS Command Injection
Server Side Code Injection
Server Side Template Injection
Source Code Disclosure - /WEB-INF folder
Source Code Disclosure - CVE-2012-1823
Parameter Tampering
Path Traversal
Generic Padding Oracle
Log4Shell
Spring4Shell
Scan CapabilityPassive ScanActive Scan
Cross Site Scripting (Persistent)
Cross Site Scripting (Persistent) - Prime
Cross Site Scripting (Persistent) - Spider
Cross Site Scripting (Reflected)
User Controllable HTML Element Attribute (Potential XSS)
User Controllable JavaScript Event (XSS)
Scan CapabilityPassive ScanActive Scan
Open Redirect
Reverse Tabnabbing
External Redirect
HTTP to HTTPS Insecure Transition in Form Post
HTTPS to HTTP Insecure Transition in Form Post
Scan CapabilityPassive ScanActive Scan
Heartbleed OpenSSL Vulnerability (Indicative)
Heartbleed OpenSSL Vulnerability
Hash Disclosure
Insecure JSF ViewState
Session ID in URL Rewrite
Viewstate
Vulnerable JS Library (Powered by Retire.js)
CRLF Injection
GET for POST
XML External Entity Attack

Trusted by teams who require high-quality scans at speed

BbAmericas
Porsche
ExpediaGroup
WeMakeApps
SibylSoft
Luminary
CoinMe
Appetize
WonderProxy
Median
TaxiCaller
Yamaha
UniversityOfOxford
BbAmericas
Porsche
ExpediaGroup
WeMakeApps
SibylSoft
Luminary
CoinMe
Appetize
WonderProxy
Median
TaxiCaller
Yamaha
UniversityOfOxford
UniversityOfOxford
Yamaha
TaxiCaller
Median
WonderProxy
Appetize
CoinMe
Luminary
SibylSoft
WeMakeApps
ExpediaGroup
Porsche
BbAmericas
UniversityOfOxford
Yamaha
TaxiCaller
Median
WonderProxy
Appetize
CoinMe
Luminary
SibylSoft
WeMakeApps
ExpediaGroup
Porsche
BbAmericas

See the Power of HostedScan

HostedScan enables companies to meet compliance and security goals.