OWASP ZAP is an open-source web security testing tool, used for detecting vulnerabilities in web applications.
ZAP provides preconfigured automated scanners as well as a set of tools that let you find vulnerabilities and threats manually. It is designed for people with a wide range of security expertise: it is well suited to developers and functional testers who are new to penetration testing, and it is also a useful addition to an experienced pen tester's toolkit.
It is a cross-platform tool written in Java and runs on all major operating systems, including Microsoft Windows, Linux and Mac OS X.
OWASP ZAP 2.5.0 has four modes:
It is strongly recommended that you use the ‘Protected mode’ to ensure that you only attack sites that you mean to.
The mode can be changed via the toolbar and is persisted between sessions.
Things that will not be possible in either ‘Safe mode’ or ‘Protected mode’ when not acting on URLs in the Scope:
We can define the scan policy to be used for the attack mode in the Options Active Scan screen.
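To make the mode and scope rules above concrete, here is an added illustration (not ZAP's own code) that models how a ZAP context defines scope with include/exclude regular expressions and how the mode gates potentially dangerous actions such as active scanning, spidering and fuzzing. The context patterns and URLs are constructed sample values; the fourth mode, "standard", is not named on this page and is taken from ZAP's documentation, where it permits unsafe actions on any URL, as "attack" mode does.

```python
import re

# Constructed sample context, modelled on how ZAP contexts define scope:
# include/exclude patterns are regular expressions matched against the whole URL.
SAMPLE_CONTEXT = {
    "include": [r"https://app\.example\.test/.*"],
    "exclude": [r"https://app\.example\.test/logout.*"],
}

# Actions that can change or damage the target, and therefore are subject to
# the mode/scope check; passive scanning only reads traffic and is always allowed.
UNSAFE_ACTIONS = {"active_scan", "spider", "fuzz"}
SAFE_ACTIONS = {"passive_scan", "view_history"}

# Mode names as shown in ZAP's toolbar; "standard" is not on this page (see lead-in).
MODES = {"safe", "protected", "standard", "attack"}


def is_in_scope(url, context=SAMPLE_CONTEXT):
    """A URL is in scope if it matches an include pattern and no exclude pattern."""
    included = any(re.fullmatch(p, url) for p in context["include"])
    excluded = any(re.fullmatch(p, url) for p in context["exclude"])
    return included and not excluded


def action_permitted(mode, action, url, context=SAMPLE_CONTEXT):
    """Decide whether `action` may run against `url` in the given mode.

    safe       -> unsafe actions are never permitted
    protected  -> unsafe actions only against URLs in the scope
    standard   -> unsafe actions permitted against any URL
    attack     -> as standard (ZAP additionally auto-scans new in-scope nodes)
    """
    if mode not in MODES:
        raise ValueError(f"unknown mode: {mode}")
    if action in SAFE_ACTIONS:
        return True
    if action not in UNSAFE_ACTIONS:
        raise ValueError(f"unknown action: {action}")
    if mode == "safe":
        return False
    if mode == "protected":
        return is_in_scope(url, context)
    return True  # standard / attack


def decision_table(mode, urls, context=SAMPLE_CONTEXT):
    """Return {url: permitted} for an active scan of each URL in the given mode."""
    return {u: action_permitted(mode, "active_scan", u, context) for u in urls}


if __name__ == "__main__":
    sample_urls = [
        "https://app.example.test/login",
        "https://app.example.test/logout?next=/",
        "https://other.example.test/",
    ]
    for mode in ("safe", "protected", "standard"):
        print(mode, decision_table(mode, sample_urls))
```

Running the script shows why the page recommends Protected mode: an active scan of the out-of-scope host and of the excluded logout URL is refused, while the in-scope login page is allowed, whereas Standard mode would permit all three.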
Reference: https://www.owasp.org