ZAP (the “Zed Attack Proxy”) is the open-source intercepting proxy and web application scanner that fills the same role as Burp Suite.

Equivalent Burp Suite and OWASP ZAP functionality

Burp Suite / OWASP ZAP equivalencies:

| Burp Suite   | OWASP ZAP          |
|--------------|--------------------|
| Site Map     | Site Tree          |
| HTTP History | History            |
| Scope        | Context            |
| Intercept    | Break              |
| Repeater     | Request Editor     |
| Intruder     | Fuzzer             |
| Spider       | Spider             |
| Scanner      | Active Scan        |
| BApp Store   | Add-on Marketplace |

While ZAP’s interface is very different from Burp Suite’s, the workflow is the same: map the site, scope it, intercept and replay requests, fuzz, then scan.

The ZAP browser

At least on Kali Linux, ZAP can launch a pre-configured Firefox session via its browser-automation support, already proxied through ZAP; as with Burp Suite’s embedded browser, there is no need to point your own browser at the local proxy (and every reason not to: keep your testing profile separate from your personal one).

One advantage of the ZAP browser is that it automatically passes session cookies back to ZAP!

One reason not to use ZAP’s browser, however, is that the user-agent is less generic than Burp Suite’s.

Automated scans

How to spider websites and APIs with OWASP ZAP

Automated scans can be fired off using the “Automated Scan” button on the ZAP Quick Start tab.

The “traditional spider” crawls the site by following links in the HTML responses, as you would expect, while the “AJAX spider” drives a browser (headless Firefox by default) so that content generated by client-side JavaScript is also discovered.
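The same Quick Start flow (traditional spider, optional AJAX spider, then active scan) can be driven from Python through ZAP’s REST API. The block below is an added example for these notes, not ZAP project code; the ZAP address and API key, and the FakeZap stub used to run it offline, are assumptions:

```python
"""Drive ZAP's spider / AJAX spider / active scan over its REST API.

Added example for these notes (not ZAP project code). Assumed: ZAP runs on
127.0.0.1:8080 with an API key and the zapv2 client ("pip install zaproxy")
is installed. The scan logic accepts any object with the zapv2 attribute
layout, so FakeZap below (constructed, offline stand-in) exercises it too."""

import time
from collections import Counter


def connect(apikey, proxy="http://127.0.0.1:8080"):
    """Return a ZAPv2 client for a running ZAP daemon (assumed address)."""
    from zapv2 import ZAPv2  # imported lazily so the module loads without it
    return ZAPv2(apikey=apikey, proxies={"http": proxy, "https": proxy})


def wait_until(done, poll=time.sleep, interval=2, timeout=1800):
    """Poll until done() is true; give up after timeout seconds."""
    waited = 0
    while not done():
        if waited >= timeout:
            raise TimeoutError("ZAP scan did not finish in time")
        poll(interval)
        waited += interval


def spider_and_scan(zap, target, ajax=False, poll=time.sleep):
    """Spider (plus AJAX spider when ajax=True), then active scan the target.

    Returns the number of in-scope URLs found and alert counts by risk."""
    zap.urlopen(target)  # seed the Site Tree so the scanners have a root node
    spider_id = zap.spider.scan(target)
    wait_until(lambda: int(zap.spider.status(spider_id)) >= 100, poll)
    if ajax:
        zap.ajaxSpider.scan(target)
        # ajaxSpider.status is a property in zapv2: "running" or "stopped"
        wait_until(lambda: zap.ajaxSpider.status != "running", poll)
    urls = [u for u in zap.core.urls() if u.startswith(target)]
    ascan_id = zap.ascan.scan(target)
    wait_until(lambda: int(zap.ascan.status(ascan_id)) >= 100, poll)
    alerts = zap.core.alerts(baseurl=target)
    return {"urls": len(urls), "alerts": dict(Counter(a["risk"] for a in alerts))}


# --- Constructed offline stand-in mirroring the zapv2 attribute layout -------

class _FakeScanner:
    """Reports 50% on the first two polls, then 100%."""
    def __init__(self):
        self.polls = 0

    def scan(self, url):
        return "1"

    def status(self, scan_id):
        self.polls += 1
        return "100" if self.polls > 2 else "50"


class _FakeAjaxSpider:
    def __init__(self):
        self.polls = 0

    def scan(self, url):
        return "OK"

    @property
    def status(self):
        self.polls += 1
        return "running" if self.polls == 1 else "stopped"


class _FakeCore:
    TARGET = "http://testsite.example"

    def urls(self, baseurl=None):
        return [self.TARGET + "/", self.TARGET + "/login",
                self.TARGET + "/api/users", "http://other.example/"]

    def alerts(self, baseurl=None):
        # constructed sample alerts in the shape ZAP's API returns
        return [{"risk": "Medium", "alert": "X-Frame-Options Header Not Set"},
                {"risk": "Medium", "alert": "CSP Header Not Set"},
                {"risk": "Low", "alert": "Cookie Without Secure Flag"}]


class FakeZap:
    def __init__(self):
        self.spider, self.ajaxSpider = _FakeScanner(), _FakeAjaxSpider()
        self.ascan, self.core = _FakeScanner(), _FakeCore()

    def urlopen(self, url):
        return None


if __name__ == "__main__":
    print(spider_and_scan(FakeZap(), _FakeCore.TARGET, ajax=True,
                          poll=lambda s: None))
```

Against a live instance, replace `FakeZap()` with `connect("your-api-key")` and pass the real target; the polling loop is the same, only slower.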

Path enumeration

How to enumerate URL paths with OWASP ZAP

ZAP has gobuster-like functionality called “Forced Browse”. The wordlist can be configured in Tools → Options → Forced Browse; enumeration is started by right-clicking the target in the Site Tree and choosing Attack → Forced Browse site (or Forced Browse directory to limit it to one path). Requests go straight to the target, so check scope and rate limits before starting.