OWASP ZAP scanner user agent
OWASP ZAP (Zed Attack Proxy) is an open-source web application security scanner used in penetration testing and CI security checks. Its requests can carry a ZAP user agent, though it can be configured to spoof a browser. Seeing ZAP means a security scan is hitting the site — ideally an authorised one.
What this means
OWASP ZAP is a widely used security testing tool that crawls a site and sends crafted requests to find vulnerabilities (injection, misconfiguration, and more). It is run by security teams during assessments and in automated CI pipelines.
Because ZAP actively probes, its traffic is not normal browsing: it enumerates paths, submits unusual inputs, and generates errors. Whether it is welcome depends entirely on whether the scan is authorised.
How ZAP identifies itself
ZAP requests can carry a user agent containing a ZAP token, which makes authorised scans easy to recognise. However, the user agent ZAP sends is a configurable option, and a scan can present a browser-like user agent, so the absence of a ZAP token does not rule out a scan. The reverse also holds: the User-Agent header is set by the client, so any script can send a ZAP token, and the string identifies the tool at most, never who is running it.
Match on the ZAP token substring where present, and otherwise rely on scan-like behaviour. Confirm authorisation from the source address and the scan schedule, not from the user agent. The OWASP ZAP project documents the tool and its configurable request options.
- Requests can carry a ZAP user-agent token
- ZAP can be set to spoof a browser user agent
- Behaviour (path enumeration, crafted inputs) is the durable signal
Authorised vs unsolicited scans
If the ZAP traffic is your own security testing, allowlist its source addresses (the CI runner or scanner host), exclude it from human analytics, and keep the findings; the findings are the point. If scanner traffic appears from a source you do not recognise, treat it as reconnaissance whether or not the user agent names ZAP: log it, rate-limit or block as policy dictates, and review which paths and parameters it touched so you know what the operator has learned about the site.
Never count scanner requests as human visits — they distort engagement metrics and can mask the security signal you actually want to see.
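The triage described above, as an added example that is not part of this page or of the ZAP project: a Python classifier that parses constructed combined-format access-log lines, matches a ZAP token in the user agent, falls back to behavioural signals (path enumeration, 404 ratio, crafted inputs) when the user agent looks like a browser, and then decides authorisation from a hypothetical allowlist of scanner sources rather than from the string. The log lines, the allowlist, the thresholds, the payload patterns and the exact ZAP token are all assumptions.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network
from urllib.parse import unquote

# Combined log format; only the fields the classifier needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Assumption: ZAP identifies itself with a "ZAP" token; the exact string depends on
# version and configuration, and any client can send it, so it names the tool only.
ZAP_UA_RE = re.compile(r"\bZAP\b|(?i:zed attack proxy)")
# Hypothetical allowlist of your own scanner sources (e.g. the CI runner subnet).
AUTHORISED_SCANNER_SOURCES = [ip_network("10.20.0.0/24")]
# Crude signatures of crafted inputs an active scanner sends (matched after decoding).
PAYLOAD_RE = re.compile(r"<script|\.\./|'\s*or\s+|union\s+select|\$\{|%00", re.I)
# Behavioural thresholds; hypothetical values, tune per site.
MIN_DISTINCT_PATHS, MIN_404_RATIO, MIN_PAYLOADS = 6, 0.5, 2

# Constructed sample log lines (not real traffic): an allowlisted CI scanner sending a
# ZAP token, an unknown host sending a ZAP token, an unknown host with a browser UA
# enumerating paths and injecting payloads, and an ordinary visitor.
BROWSER = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/125.0"
SAMPLE_LOG = f"""\
10.20.0.5 - - [24/Jun/2026:10:00:01 +0000] "GET / HTTP/1.1" 200 1203 "-" "OWASP ZAP (constructed UA)"
10.20.0.5 - - [24/Jun/2026:10:00:02 +0000] "GET /login HTTP/1.1" 200 812 "-" "OWASP ZAP (constructed UA)"
10.20.0.5 - - [24/Jun/2026:10:00:03 +0000] "POST /login HTTP/1.1" 302 0 "-" "OWASP ZAP (constructed UA)"
192.0.2.4 - - [24/Jun/2026:11:12:40 +0000] "GET /login HTTP/1.1" 200 812 "-" "OWASP ZAP (constructed UA)"
203.0.113.77 - - [24/Jun/2026:12:30:00 +0000] "GET /.env HTTP/1.1" 404 153 "-" "{BROWSER}"
203.0.113.77 - - [24/Jun/2026:12:30:01 +0000] "GET /.git/config HTTP/1.1" 404 153 "-" "{BROWSER}"
203.0.113.77 - - [24/Jun/2026:12:30:02 +0000] "GET /backup.zip HTTP/1.1" 404 153 "-" "{BROWSER}"
203.0.113.77 - - [24/Jun/2026:12:30:03 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 153 "-" "{BROWSER}"
203.0.113.77 - - [24/Jun/2026:12:30:04 +0000] "GET /search?q=%27%20OR%201%3D1-- HTTP/1.1" 200 2201 "-" "{BROWSER}"
203.0.113.77 - - [24/Jun/2026:12:30:05 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 2201 "-" "{BROWSER}"
198.51.100.9 - - [24/Jun/2026:13:05:10 +0000] "GET / HTTP/1.1" 200 1203 "-" "{BROWSER}"
198.51.100.9 - - [24/Jun/2026:13:05:25 +0000] "GET /about HTTP/1.1" 200 940 "https://example.test/" "{BROWSER}"
"""


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["target"] = unquote(rec["target"])  # %27 -> ' so encoded payloads still match
    return rec


def is_zap_user_agent(ua):
    return ZAP_UA_RE.search(ua) is not None


def is_authorised_source(ip):
    return any(ip_address(ip) in net for net in AUTHORISED_SCANNER_SOURCES)


def summarise_sources(lines):
    """Aggregate the per-source counters that the behavioural rules need."""
    per_ip = defaultdict(lambda: {"requests": 0, "paths": set(), "not_found": 0,
                                  "payloads": 0, "zap_ua": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = per_ip[rec["ip"]]
        s["requests"] += 1
        s["paths"].add(rec["target"].split("?", 1)[0])
        s["not_found"] += int(rec["status"] == 404)
        s["payloads"] += int(PAYLOAD_RE.search(rec["target"]) is not None)
        s["zap_ua"] += int(is_zap_user_agent(rec["ua"]))
    return per_ip


def looks_like_scan(s):
    """The durable signal: behaviour, regardless of what the user agent claims."""
    enumerating = len(s["paths"]) >= MIN_DISTINCT_PATHS
    erroring = s["not_found"] / s["requests"] >= MIN_404_RATIO
    return enumerating or erroring or s["payloads"] >= MIN_PAYLOADS


def classify(lines):
    """Map each source IP to authorised_scan, unsolicited_scan or human_or_other.
    The ZAP token only says "a scanner"; the allowlist says whether it is yours."""
    verdicts = {}
    for ip, s in summarise_sources(lines).items():
        if s["zap_ua"] == 0 and not looks_like_scan(s):
            verdicts[ip] = "human_or_other"
        elif is_authorised_source(ip):
            verdicts[ip] = "authorised_scan"   # exclude from analytics, keep findings
        else:
            verdicts[ip] = "unsolicited_scan"  # security event: log, rate-limit/block
    return verdicts


if __name__ == "__main__":
    for ip, verdict in classify(SAMPLE_LOG.splitlines()).items():
        print(f"{ip:15} {verdict}")
```

Note how the two ZAP-token sources get different verdicts: the allowlisted CI runner is an authorised scan, while the same token from an unknown address is unsolicited, because the string proves nothing about who sent it. The browser-UA host is caught on behaviour alone (mostly 404s on paths that do not exist, plus decoded injection payloads), which is the fallback the page recommends when the token is absent.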
How it appears in analytics and logs
A request carrying a ZAP user agent presents itself as an OWASP ZAP security scan; the header is client-controlled, so confirm the source before trusting it. If it comes from your scheduled or CI scanner at the expected time, that is expected; an unexpected ZAP scan from an unknown source is reconnaissance and should be treated as a security event, not analytics.
Diagnostic use case
Recognise OWASP ZAP scans in logs, confirm whether they are your own authorised security testing, and treat unsolicited scanning as a security signal.
What WebmasterID can help detect
WebmasterID classifies ZAP-style scanner traffic server-side as automation/security probing and surfaces it on the bot-intelligence view, so scans are visible and never counted as human visits.
Common mistakes
- Counting security-scanner requests as human visits.
- Assuming all ZAP scans carry the ZAP token — it can be spoofed to a browser UA.
- Ignoring an unexpected ZAP scan instead of treating it as a security signal.
Privacy and accuracy notes
ZAP detection uses only the user agent and request behaviour. No human identity is profiled. WebmasterID records scanner traffic as a bot/security event, separate from human analytics.
Frequently asked questions
- Is an OWASP ZAP scan an attack?
- ZAP is a testing tool. If the scan is authorised security testing, it is expected. An unsolicited ZAP scan from an unknown source is reconnaissance and should be treated as a security event.
Related pages
- Security scanner user agents
The public web receives constant probing from security scanners — vulnerability tools, research crawlers, and internet-wide scanners. Some identify themselves clearly in the user agent; others mimic browsers. This page explains why probing is expected background noise and why reacting with blanket blocks can do more harm than good.
- Nuclei scanner user agent
Nuclei is a fast, template-based vulnerability scanner widely used in security testing and, by attackers, for mass probing. Its requests can carry a Nuclei user agent, though it is frequently configured to hide or randomise it. Seeing Nuclei means template-driven vulnerability scanning is hitting the site.
- masscan and port scanner traffic
masscan is a high-speed network port scanner. It and similar tools probe IP ranges to find open ports and services; when they touch a web port they typically send minimal or no HTTP user agent. Recognising this scanning is about request shape and network behaviour more than the user-agent string.
- Bot intelligence
Surface security-scanner and probing traffic, separate from humans.
Sources and verification notes
Last reviewed 2026-06-24. Facts are checked against primary/official sources where available; uncertain specifics are marked “Data not yet verified” rather than guessed.