The OWASP Zed Attack Proxy (ZAP) is a free, cross-platform web proxy testing tool used for finding vulnerabilities in web applications. ZAP is a close runner-up to Burp Suite in the web application proxy testing tool space and is a definite go-to when the budget for licensing commercial products is low. ZAP is designed to be used by people with a wide range of security experience, which makes it ideal for developers as well as functional testers who are new to penetration testing. With ZAP's API, scans can be automated and used within a developer's workflow to scan builds prior to production. ZAP offers a number of useful add-ons and a strong scanning engine that incorporates other proven testing tools, such as DirBuster and SQLmap. In addition, ZAP has a graphical scripting language known as Zest that records and replays requests, similar to a macro. This recipe will introduce the basic ZAP features for web app security testing.
