USING A SECURITY ANALYSIS TOOL TO IDENTIFY CRITICAL VULNERABILITIES IN WEB APPLICATIONS

DOI:

https://doi.org/10.35546/kntu2078-4481.2025.4.3.7

Keywords:

OWASP ZAP, penetration testing, web applications, web security, proxy analysis, passive scanning, active scanning

Abstract

The article examines the features and practical applications of the OWASP Zed Attack Proxy tool in web application penetration testing, emphasizing the need to analyze its capabilities and role in modern approaches to information security assessment. The study investigates the principles of ZAP’s proxy mechanism, which allows the interception and analysis of HTTP(S) traffic and the construction of a site map based on observed requests and responses. Methods of passive scanning are analyzed, which enable security assessment without affecting server behavior, including the identification of missing or improperly configured HTTP headers, issues related to cookies, and other technical configuration shortcomings. The use of active scanning is also examined, involving controlled tests for common technical vulnerabilities, with an emphasis on performing such operations only in dedicated testing environments. Manual analysis tools are described, including the request editor, traffic history viewer, and basic fuzzing functionality, which allow researchers to evaluate application behavior under various input conditions. Additionally, the paper considers the possibilities of extending ZAP’s functionality through optional add-ons and using its API to automate routine tasks within predefined testing scenarios. The limitations of the tool are outlined, particularly the challenges of detecting complex logical vulnerabilities that require expert manual investigation. The findings indicate that OWASP ZAP is suitable for technical audits, initial security evaluations, and educational purposes, while highlighting the necessity of combining automated scanning with manual analysis when assessing complex web applications.

Published

2025-12-31