A Basic Penetration Test

A basic penetration test is made up of the following steps:


Use your browser to explore all of the functionality provided by the application.
Follow all links, press all buttons and fill in and submit all forms.
If the applications supports multiple roles then do this for each of the roles.
For each role save the ZAP session in a different file and start a new session before you start using the next role.


Use the spider to find URLs that you have either missed or that are hidden. You can also use the AJAX Spider add-on to improve the results and crawl the dynamic-built links.
Explore any links found.

Forced Browse

Use the forced browse scanner to find unreferenced files and directories (requires “Forced Browse” add-on).

Active Scan

Use the active scanner to find basic vulnerabilities.

Manual Test

The above steps will find basic vulnerabilities.
However to find more vulnerabilities you will need to manually test the application.
See the OWASP Testing Guide for more details.
Future versions of the ZAP Desktop User Guide will describe how ZAP can be used to help this process.

See also

Getting Started for details of how to start using ZAP
Introduction the introduction to ZAP
https://www.owasp.org/wstg OWASP Testing Guide

Official Videos

ZAPCon 2022: Drive-By Pentesting with ZAP Scripts (38:19)