Launching ZAP and Initial Configuration
Starting ZAP for the first time presents several configuration options that impact your scanning experience. Launch ZAP from your applications menu or command line, depending on your installation method. The session persistence dialog appears first—select "Yes, I want to persist this session" for learning purposes, as this saves your scan results for later review. Choose a meaningful name for your session, such as "First_Juice_Shop_Scan," making it easy to identify later.
The main ZAP window opens with the Quick Start tab visible by default. This tab provides the fastest path to your first scan, though understanding what happens behind the scenes proves valuable. The URL field awaits your target application address. Before entering the URL, ensure your vulnerable application is running and accessible. Open a regular browser and navigate to http://localhost:3000 to confirm Juice Shop loads correctly.
ZAP operates as an intercepting proxy, requiring browser configuration to route traffic through ZAP. Modern versions of ZAP can launch pre-configured browsers automatically. Click the "Manual Explore" button and select "Launch Browser" to open a Firefox instance already configured to use ZAP as its proxy. This browser displays a HUD (Heads Up Display) overlay providing real-time security information. Alternatively, manually configure your existing browser to use localhost:8080 as an HTTP proxy.
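A pre-flight check for the setup described above, added here as an example and not part of ZAP or the original tutorial: it confirms the target is a loopback address, that Juice Shop answers directly, and that the same request succeeds when sent through the proxy on localhost:8080. The function names are hypothetical, and it handles plain HTTP only.

```python
import http.client
import ipaddress
import socket
from urllib.parse import urlsplit

TARGET = "http://localhost:3000"  # Juice Shop address used in the text
PROXY = "http://localhost:8080"   # ZAP proxy address used in the text

def is_loopback(url):
    """True only if every address the URL's host resolves to is loopback."""
    host = urlsplit(url).hostname
    try:
        infos = socket.getaddrinfo(host, None) if host else []
        return bool(infos) and all(
            ipaddress.ip_address(i[4][0]).is_loopback for i in infos)
    except (OSError, ValueError):
        return False

def port_open(url, timeout=2.0):
    """True if a TCP connection to the URL's host and port succeeds."""
    parts = urlsplit(url)
    try:
        with socket.create_connection((parts.hostname, parts.port or 80), timeout):
            return True
    except OSError:
        return False

def fetch_status(url, proxy=None, timeout=5.0):
    """HTTP status of a GET, direct or via a forward proxy; None on failure."""
    target, hop = urlsplit(url), urlsplit(proxy or url)
    path = target.path or "/"
    # A forward proxy expects the absolute URL in the request line;
    # the origin server expects only the path.
    request_target = f"{target.scheme}://{target.netloc}{path}" if proxy else path
    conn = http.client.HTTPConnection(hop.hostname, hop.port or 80, timeout=timeout)
    try:
        conn.request("GET", request_target)
        return conn.getresponse().status
    except (OSError, http.client.HTTPException):
        return None
    finally:
        conn.close()

def preflight(target=TARGET, proxy=PROXY):
    """Collect the checks into one report; 'ready' means all of them passed."""
    listening = port_open(proxy)
    report = {"target_is_loopback": is_loopback(target), "proxy_listening": listening,
              "direct_status": fetch_status(target),
              "proxied_status": fetch_status(target, proxy) if listening else None}
    report["ready"] = (report["target_is_loopback"] and
                       report["direct_status"] == report["proxied_status"] == 200)
    return report

if __name__ == "__main__":
    print(preflight())
```

A proxied request that succeeds should also appear in ZAP's History tab, which confirms the traffic really passed through ZAP.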