ZAP OWASP Web Interface
One-click deploy on Railway!
This repository provides a lightweight Node.js application with a modern web interface for interacting with the ZAP (zaproxy) API. Launch the app, enter the URL of the website you want to scan for vulnerabilities, and click the Start Scan button. Once the scan is complete, you can view the results directly in the web interface or download a detailed PDF report. Only scan targets you own or are explicitly authorized to test: the active scan phase sends attack payloads to the target. This README documents no authentication for the web interface itself, so restrict who can reach the deployment.
- The ZAP service requires at least 2GB of RAM to function properly, especially for scanning larger sites
- Railway's free tier (500MB) is not sufficient for most scans
- For production use, consider upgrading to Railway's Hobby or Pro plan
- Memory usage increases with site complexity and depth of scanning
Regular scans with OWASP ZAP are a useful control for maintaining web security, and organizations working toward standards such as ISO 27001 typically need evidence of recurring vulnerability scanning.
This cloud-based setup lets you run ZAP scans without downloading or installing anything locally. That helps in environments whose policies restrict installing third-party software such as ZAP on workstations: the scanner runs in the cloud and the workstation only needs a browser, so you get convenience without breaking organizational software-installation rules.
Use the one-click deploy template:
The template launches the required ZAP Docker container, then builds the web interface and connects it to the ZAP API, so nothing needs to be configured by hand. Note that the ZAP service is memory-intensive: give the deployment at least 2GB RAM for reliable scanning, and more for larger scans.
Local setup:
- Get the code: launch the template on Railway and eject it to get your own copy, or clone or fork this repo.
- Install dependencies: `pnpm install`
- Rename `.env.template` to `.env` (edit it if needed).
- Start everything with one command: `pnpm local`
`pnpm local` will:
- start (or create) a local `zaproxy/zap-stable:latest` Docker container
- build the app and run the existing server
- stop the local ZAP container again when you stop the command
Optional helper commands:
- `pnpm zap:start` to start only the ZAP container
- `pnpm zap:stop` to stop only the ZAP container
- Memory: Minimum 2GB RAM for the ZAP service
- Platform: Any system capable of running Docker containers
- Network: Stable internet connection for scanning external sites
- Simple React frontend with Mantine UI components
- Two-phase security scanning:
- Spider scan to map the application
- Active scan to find vulnerabilities
- Real-time scan progress monitoring
- PDF report generation with:
- Summary of findings
- Detailed vulnerability descriptions
- Solutions and references
- Risk-based categorization
- Optional PostgreSQL database integration:
- Automatic scan persistence when database is available
- Fallback to in-memory storage when no database is configured
- Completed scans are stored in the database and cleared from memory
- Railway-ready configuration
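The two-phase flow above (spider first, then active scan, then collect findings) driven through ZAP's JSON API, as an added example that is not the project's own backend code. It assumes ZAP listens at `cfg.zapBaseUrl` and expects the API key in the `X-ZAP-API-Key` header, and it takes `cfg.fetchImpl` and `cfg.sleep` as injected dependencies so the flow can be exercised against a fake ZAP without a container. The progress numbers it reports follow the README's API contract: 0 for the whole spider phase, then 1-100 during the active scan.

```javascript
// Added example (not the project's own backend code): ZAP's two scan phases
// driven through the ZAP JSON API, reporting progress the way this README's
// API does (0 while spidering, 1-100 during the active scan).
// Assumptions: ZAP listens at cfg.zapBaseUrl and expects the API key in the
// X-ZAP-API-Key header; cfg.fetchImpl and cfg.sleep are injected so the flow
// can run against a fake ZAP.

async function zapGet(cfg, path, params) {
  const url = new URL(path, cfg.zapBaseUrl);
  for (const [key, value] of Object.entries(params)) {
    url.searchParams.set(key, value);
  }
  const res = await cfg.fetchImpl(url.toString(), {
    headers: { 'X-ZAP-API-Key': cfg.apiKey },
  });
  if (!res.ok) throw new Error(`ZAP ${path} returned HTTP ${res.status}`);
  return res.json();
}

// Progress value as defined for GET /api/v1/scans/:uuid: 0 for the whole
// spider phase, then the active scan percentage clamped to 1..100.
function progressValue(phase, zapStatus) {
  if (phase === 'spider') return 0;
  return Math.min(100, Math.max(1, Number(zapStatus)));
}

// Poll one ZAP status endpoint until it reports 100. ZAP returns the
// percentage as a string, e.g. {"status":"42"}.
async function waitForZapPhase(cfg, statusPath, scanId, phase, onProgress) {
  for (;;) {
    const { status } = await zapGet(cfg, statusPath, { scanId });
    onProgress(progressValue(phase, status));
    if (Number(status) >= 100) return;
    await cfg.sleep(cfg.pollMs);
  }
}

// Phase 1 maps the target with the spider, phase 2 actively scans what the
// spider found, then the alerts for the target's base URL are collected and
// trimmed to the fields the README's API returns per finding.
async function runTwoPhaseScan(cfg, targetUrl, onProgress = () => {}) {
  const spider = await zapGet(cfg, '/JSON/spider/action/scan/', { url: targetUrl, recurse: 'true' });
  await waitForZapPhase(cfg, '/JSON/spider/view/status/', spider.scan, 'spider', onProgress);

  const ascan = await zapGet(cfg, '/JSON/ascan/action/scan/', { url: targetUrl, recurse: 'true' });
  await waitForZapPhase(cfg, '/JSON/ascan/view/status/', ascan.scan, 'active', onProgress);

  const { alerts } = await zapGet(cfg, '/JSON/core/view/alerts/', { baseurl: targetUrl });
  return alerts.map((a) => ({
    name: a.name,
    risk: a.risk,
    description: a.description,
    solution: a.solution,
    reference: a.reference,
    url: a.url,
  }));
}
```

In a real deployment `cfg.fetchImpl` is the global `fetch`, `cfg.sleep` is a `setTimeout` promise, and the API key must match the one the ZAP container was started with; a wrong key makes ZAP answer with a non-2xx status, which the helper turns into a thrown error rather than an empty result.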
- Node.js >= v18.0.0
- pnpm >= v8.0.0
- A running ZAP OWASP Docker instance
- `pnpm local` to automate the original local flow: start Docker ZAP, build, and run the app.
- `cd frontend && pnpm dev` to start the React frontend only.
- `cd backend && pnpm dev` to start the Node.js backend only.
- `pnpm build && pnpm start` to compile and run from compiled source.
Test targets (intentionally vulnerable public applications):
- https://google-gruyere.appspot.com/start for a quick scan
- https://juice-shop.herokuapp.com/ for a longer, deeper scan
The project is organized as a monorepo containing both frontend and backend:
/
├── frontend/ # React frontend application
├── backend/ # Node.js/Express backend service
└── package.json # Root package.json for workspace management
- Clean and intuitive user interface.
- Download PDF report of scan result.
- Backend proxy to ZAP service.
- Optional database persistence for scan results.
- Scan scheduling system:
- Schedule scans to run at specific times
- Configure repeat patterns (daily, weekly, monthly)
- Automatic execution of scheduled scans
- Real-time monitoring of scheduled scan status
The application supports optional PostgreSQL database integration:
- Flexible Operation: Works seamlessly with or without a database connection
- Railway Integration: When deployed on Railway, the database is automatically configured
- Local Development: For local development, you can:
- Run without a database (scans stored in memory only)
- Connect to a local PostgreSQL instance
- Connect to a remote PostgreSQL database
This project uses Prisma ORM for database operations:
- Automatic Client Generation: The Prisma client is automatically generated during the build process
- Schema-First Approach: The database schema is defined in `backend/prisma/schema.prisma`
- Type Safety: Prisma provides type-safe database access with TypeScript integration
To enable database persistence, set the DATABASE_URL environment variable in your .env file:
DATABASE_URL=postgresql://username:password@localhost:5432/zapscans
When the application starts:
- It checks for a valid `DATABASE_URL` environment variable
- If found, it establishes a connection to the database
- If not found, or the connection fails, it continues to operate using in-memory storage
- Long-term Storage: Scan results persist across application restarts
- Memory Efficiency: Completed scans are removed from memory after being stored in the database
- Historical Data: Access to historical scan results even after server restarts
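The startup policy just described (use the database when `DATABASE_URL` is set and reachable, otherwise fall back to memory, and clear completed scans from memory once stored) as a small scan store. This is an added example, not the project's code: the project uses Prisma, whose client is asynchronous, whereas here the database client is a plain object with `insert(scan)` and `find(uuid)` so the fallback logic stays in focus, and `connect` is an injected function that returns such a client or throws when the database cannot be reached.

```javascript
// Added example, not the project's own code: the "database if available,
// memory otherwise" policy as a small scan store. The database client is a
// plain object with insert(scan) / find(uuid) (the real project uses Prisma,
// which is async); `connect` is injected and returns such a client for a
// DATABASE_URL or throws when the database cannot be reached.

function openDatabase(databaseUrl, connect) {
  if (!databaseUrl) return null; // no DATABASE_URL: memory only
  try {
    return connect(databaseUrl);
  } catch (err) {
    // Connection failure is not fatal; the app keeps working from memory.
    console.error(`database unavailable, using in-memory storage: ${err.message}`);
    return null;
  }
}

function createScanStore(db) {
  const inMemory = new Map(); // uuid -> scan; running scans always live here
  return {
    persistent: db !== null,
    upsert(scan) {
      if (scan.isComplete && db) {
        db.insert(scan); // completed scan goes to the database ...
        inMemory.delete(scan.uuid); // ... and is cleared from memory
      } else {
        inMemory.set(scan.uuid, scan); // still running, or no database: stays in memory
      }
    },
    get(uuid) {
      const live = inMemory.get(uuid);
      if (live !== undefined) return live;
      return db ? db.find(uuid) : undefined; // historical scans come from the database
    },
    inMemoryCount() {
      return inMemory.size;
    },
  };
}

// Wire it up the way the app does at startup, from the environment.
function createStoreFromEnv(env, connect) {
  return createScanStore(openDatabase(env.DATABASE_URL, connect));
}
```

Without a database, completed scans stay in memory and are lost on restart, which is exactly the trade-off the bullets above describe; with one, memory only ever holds scans that are still running.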
POST /api/v1/scans
Request:
```json
{
  "url": "https://example.com"
}
```
Response:
```json
{
  "uuid": "...",
  "status": "started",
  "url": "https://example.com"
}
```
GET /api/v1/scans/:uuid
Response (schema; the comments describe the fields and are not part of the JSON):
```jsonc
{
  "uuid": "...",
  "status": number, // 0 for spider scanning, 1-100 for active scanning progress
  "isComplete": boolean,
  "results": [
    {
      "name": "...",
      "risk": "High|Medium|Low|Informational",
      "description": "...",
      "solution": "...",
      "reference": "...",
      "url": "..."
    }
  ],
  "error": { // Only present if there's an error
    "message": "...",
    "code": "...",
    "details": "..."
  }
}
```
POST /api/v1/reports/generate
Request:
```json
{
  "uuid": "..." // UUID of the scan
}
```
Response: Binary PDF file with proper Content-Disposition header for download.
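A client for the three endpoints above, as an added example that is not part of the project. It assumes the app is reachable at `cfg.appBaseUrl` with no extra authentication (the README documents none) and takes `cfg.fetchImpl` and `cfg.sleep` as injected dependencies so it can be run against a fake server. The point worth noting is how a status body is interpreted: the `error` object is checked before `isComplete` and before the `status` number, so a failed scan is surfaced as a failure rather than being polled forever or mistaken for a finished one.

```javascript
// Added example of a client for POST /api/v1/scans, GET /api/v1/scans/:uuid
// and POST /api/v1/reports/generate; not part of the project. Assumptions:
// the app is at cfg.appBaseUrl with no extra authentication, and
// cfg.fetchImpl / cfg.sleep are injected so the client can run offline.

// Interpret one GET /api/v1/scans/:uuid body: the error object wins, then
// completion, then the status number (0 = spider, 1-100 = active scan).
function summarizeScan(body) {
  const counts = {};
  for (const finding of body.results ?? []) {
    counts[finding.risk] = (counts[finding.risk] ?? 0) + 1;
  }
  if (body.error) return { phase: 'failed', detail: body.error.message, counts };
  if (body.isComplete) return { phase: 'complete', detail: `${(body.results ?? []).length} findings`, counts };
  if (body.status === 0) return { phase: 'spidering', detail: 'mapping the site', counts };
  return { phase: 'active', detail: `active scan ${body.status}%`, counts };
}

async function postJson(cfg, path, payload) {
  const res = await cfg.fetchImpl(new URL(path, cfg.appBaseUrl).toString(), {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify(payload),
  });
  if (!res.ok) throw new Error(`${path} returned HTTP ${res.status}`);
  return res;
}

async function startScan(cfg, targetUrl) {
  const res = await postJson(cfg, '/api/v1/scans', { url: targetUrl });
  return (await res.json()).uuid;
}

// Poll until the scan completes. A scan that reports an error is a failure,
// not a finished scan, so it becomes a rejection carrying the error code.
async function waitForScan(cfg, uuid, onUpdate = () => {}) {
  for (;;) {
    const res = await cfg.fetchImpl(new URL(`/api/v1/scans/${uuid}`, cfg.appBaseUrl).toString());
    if (!res.ok) throw new Error(`scan ${uuid} returned HTTP ${res.status}`);
    const body = await res.json();
    const summary = summarizeScan(body);
    onUpdate(summary);
    if (summary.phase === 'failed') {
      throw new Error(`scan ${uuid} failed (${body.error.code}): ${body.error.message}`);
    }
    if (summary.phase === 'complete') return body;
    await cfg.sleep(cfg.pollMs);
  }
}

// The report endpoint answers with the PDF bytes rather than JSON.
async function downloadReport(cfg, uuid) {
  const res = await postJson(cfg, '/api/v1/reports/generate', { uuid });
  return Buffer.from(await res.arrayBuffer());
}
```

With the global `fetch` and a `setTimeout`-based `sleep`, `startScan`, `waitForScan` and `downloadReport` run in sequence give the same start-poll-download flow the web interface performs; the `onUpdate` callback receives the per-risk counts as they accumulate, which is enough to drive a progress display.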