How Do You Install and Configure OWASP ZAP?

Problem scenario
You want to install OWASP ZAP (the Open Web Application Security Project's Zed Attack Proxy) and try it out. How do you do this on Linux?

Solution
Note: It is advisable to install ZAP only on operating systems whose Java Runtime Environment (JRE) receives regular maintenance and up-to-date security patches, since ZAP runs on the JRE. If you need assistance installing the JRE, see this posting.

Procedures

  1. Gain access to a Linux server with a desktop GUI. If you need assistance with this, see this posting.
  2. Open a terminal. Run this: curl -Ls https://github.com/zaproxy/zaproxy/releases/download/v2.9.0/ZAP_2.9.0_Linux.tar.gz > /tmp/ZAP_2.9.0_Linux.tar.gz
  3. Extract the archive, move it under /opt, and launch ZAP from its own directory (zap.sh lives inside ZAP_2.9.0, not directly in /opt):
    cd /tmp
    tar -zxvf ZAP_2.9.0_Linux.tar.gz
    sudo mv /tmp/ZAP_2.9.0 /opt/
    cd /opt/ZAP_2.9.0
    bash zap.sh
  4. A GUI pop-up window should now appear.
  5. Choose "Yes" when asked whether to persist the session.
  6. In the "Manage Add-ons" section, click "Update All".
  7. In a new Session window, click on the "Sites" tab.
  8. In the "Sites" tab click on "Sites" underneath "Contexts."
  9. Click on the "Spider" tab.
  10. Click on the "Ne…" (or "New Spider" button).
  11. Enter a URL to test. Only test URLs you are in control of (e.g., your own web server).
  12. Click "Start Scan".
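The download, extraction and launch in steps 2 and 3 can be wrapped in a small script so the install is repeatable. The script below is an added example, not part of the original post or of the ZAP project. It uses the same 2.9.0 release URL as the post; the `ZAP_PREFIX` and `ZAP_VERSION` variables, the optional local-archive argument (handy when you have already fetched and checked the tarball) and the `check_archive` sanity check are this script's own additions. It installs under `$HOME/opt` by default rather than the post's `/opt` so that the Java GUI does not have to be started as root; set `ZAP_PREFIX=/opt` and run only the extraction with sudo if you prefer the post's layout.

```shell
#!/usr/bin/env bash
# Added example: repeatable ZAP installer for the manual steps in the post.
# Assumptions: ZAP 2.9.0 Linux release (URL from the post), bash, curl, tar.
set -eu

ZAP_VERSION="${ZAP_VERSION:-2.9.0}"
ZAP_URL="https://github.com/zaproxy/zaproxy/releases/download/v${ZAP_VERSION}/ZAP_${ZAP_VERSION}_Linux.tar.gz"

# fetch_zap DEST [LOCAL_SOURCE]
# Downloads the release tarball to DEST, or copies LOCAL_SOURCE when given
# so the installer can run offline from an archive you already verified.
fetch_zap() {
  local dest="$1" local_src="${2:-}"
  if [ -n "$local_src" ]; then
    cp "$local_src" "$dest"
  else
    # -f: fail on HTTP errors instead of saving an error page as the tarball
    # -L: follow the GitHub release redirect, as the post's curl -L does
    curl -fLsS -o "$dest" "$ZAP_URL"
  fi
}

# check_archive ARCHIVE
# Returns 0 only if ARCHIVE is a readable gzip tarball that contains zap.sh,
# so a truncated download or an HTML error page is never extracted.
check_archive() {
  local archive="$1"
  tar -tzf "$archive" 2>/dev/null | grep -q '/zap.sh$'
}

# install_zap ARCHIVE PREFIX
# Extracts ARCHIVE under PREFIX and prints the path of the zap.sh launcher
# (the tarball's top-level directory is ZAP_<version>, as in the post).
install_zap() {
  local archive="$1" prefix="$2"
  check_archive "$archive" || { echo "not a ZAP archive: $archive" >&2; return 1; }
  mkdir -p "$prefix"
  tar -xzf "$archive" -C "$prefix"
  local launcher="$prefix/ZAP_${ZAP_VERSION}/zap.sh"
  [ -f "$launcher" ] || { echo "zap.sh not found under $prefix" >&2; return 1; }
  chmod +x "$launcher"
  echo "$launcher"
}

# main [LOCAL_ARCHIVE]
# Ties the steps together: fetch, verify, extract, then start the GUI.
# Call it explicitly (e.g. append `main "$@"` to a copy of this script).
main() {
  local archive="/tmp/ZAP_${ZAP_VERSION}_Linux.tar.gz"
  fetch_zap "$archive" "${1:-}"
  local launcher
  launcher="$(install_zap "$archive" "${ZAP_PREFIX:-$HOME/opt}")"
  echo "ZAP installed at $launcher"
  bash "$launcher"
}
```

Usage: `bash -c 'source ./install-zap.sh && main'` downloads and launches ZAP; `main /path/to/ZAP_2.9.0_Linux.tar.gz` skips the download and installs from a local copy. Once the GUI is up, continue with step 4 of the procedure.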
