Running Your First Automated Scan

With manual exploration complete, initiating an automated scan becomes straightforward. ZAP only actively scans URLs it already knows about, which is why exploring the application first matters. Return to ZAP's main window and locate the target URL in the Sites tree. Right-click on the root URL (http://localhost:3000) and select "Attack > Active Scan" from the context menu. The Active Scan dialog appears with various options; accept the defaults for your first scan to understand baseline behavior.

The active scan begins immediately, with progress visible in the Active Scan tab. ZAP systematically tests each discovered page and parameter for vulnerabilities. The progress bar shows overall completion percentage, while detailed progress appears below. Initial scans of small applications typically complete within 10-30 minutes, though complex applications may require hours. Watch the scan progress to understand how ZAP methodically tests different vulnerability categories.

During active scanning, ZAP sends thousands of requests to your target application, attempting to trigger vulnerabilities. The History tab shows these requests in real-time, displaying different payloads ZAP uses to test for issues like SQL injection, cross-site scripting, and path traversal. Observing these requests helps understand how vulnerabilities are discovered and why security testing generates significant traffic.
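The same start-scan, watch-progress, review-alerts flow is what you automate once the GUI run makes sense. The script below is an added example, not code from the page or from the ZAP project; it drives ZAP's JSON API with only the standard library. It assumes ZAP is listening on its default API address http://localhost:8080, that the API key is the placeholder `changeme` (replace it with the key from ZAP's API options), and that the target is the page's http://localhost:3000. `ScriptedZap` is a constructed stand-in that returns canned responses so the flow can be exercised without a running ZAP; its progress values and alert counts are made up, not real scan output.

```python
"""Drive a ZAP active scan through its JSON API (added example, not from the page)."""
import json
import time
import urllib.parse
import urllib.request

ZAP_API = "http://localhost:8080"   # assumption: ZAP's default API/proxy address
API_KEY = "changeme"                # placeholder: use the key from Tools > Options > API
TARGET = "http://localhost:3000"    # the page's target application


def zap_url(component, kind, name, **params):
    """Build a ZAP API URL of the form /JSON/<component>/<action|view>/<name>/?...&apikey=..."""
    params["apikey"] = API_KEY
    return f"{ZAP_API}/JSON/{component}/{kind}/{name}/?{urllib.parse.urlencode(params)}"


def http_get_json(url):
    """Default transport: GET the URL from a live ZAP and decode the JSON body."""
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


def start_active_scan(target, fetch=http_get_json):
    """API equivalent of right-click > Attack > Active Scan on the root URL; returns the scan id."""
    body = fetch(zap_url("ascan", "action", "scan", url=target, recurse="true"))
    return body["scan"]


def scan_progress(scan_id, fetch=http_get_json):
    """Completion percentage (0-100) shown by the Active Scan tab's progress bar."""
    body = fetch(zap_url("ascan", "view", "status", scanId=scan_id))
    return int(body["status"])


def wait_for_scan(scan_id, fetch=http_get_json, poll_seconds=10, sleep=time.sleep):
    """Poll until the scan reports 100 percent; returns every progress sample observed."""
    seen = []
    while True:
        pct = scan_progress(scan_id, fetch)
        seen.append(pct)
        if pct >= 100:
            return seen
        sleep(poll_seconds)


def alert_counts(target, fetch=http_get_json):
    """Alerts raised against the target, grouped by risk, via core/view/alertsSummary."""
    summary = fetch(zap_url("core", "view", "alertsSummary", baseurl=target))["alertsSummary"]
    return {risk: int(summary.get(risk, 0)) for risk in ("High", "Medium", "Low", "Informational")}


class ScriptedZap:
    """Constructed offline stand-in for ZAP: canned API responses, not real scan data."""

    def __init__(self, progress=(0, 35, 80, 100), summary=None):
        self.progress = list(progress)
        self.summary = summary or {"High": 1, "Medium": 2, "Low": 3, "Informational": 4}
        self.calls = []  # every API URL requested, for inspection

    def __call__(self, url):
        self.calls.append(url)
        path = urllib.parse.urlparse(url).path
        if path == "/JSON/ascan/action/scan/":
            return {"scan": "0"}
        if path == "/JSON/ascan/view/status/":
            return {"status": str(self.progress.pop(0))}
        if path == "/JSON/core/view/alertsSummary/":
            return {"alertsSummary": self.summary}
        raise ValueError("unexpected ZAP API call: " + url)


if __name__ == "__main__":
    # Against a live ZAP; swap http_get_json for ScriptedZap() to dry-run offline.
    sid = start_active_scan(TARGET)
    for pct in wait_for_scan(sid):
        print(f"scan {sid}: {pct}%")
    print(alert_counts(TARGET))
```

The polling loop mirrors what the Active Scan tab displays; on a real run keep `poll_seconds` in the tens of seconds, since the page notes that even small applications take 10-30 minutes. Passing `fetch` and `sleep` as parameters is what makes the flow testable without network access.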