OWASP ZAP
ZAP (short for Zed Attack Proxy), formerly known as OWASP ZAP, is an open-source web application security scanner. It is intended to be used by both those new to application security as well as professional penetration testers.
| Stable release | 2.14.0[1]
/ 12 October 2023 |
|---|---|
| Repository | |
| Written in | Java |
| Operating system | Linux, Windows, OS X |
| Available in | 25[2] languages |
| Type | Computer security |
| License | Apache Licence |
| Website | www |
It has been one of the most active Open Worldwide Application Security Project (OWASP) projects[3] and has been given Flagship status.[4]
When used as a proxy server it allows the user to manipulate all of the traffic that passes through it, including traffic using HTTPS.
It can also run in a daemon mode which is then controlled via a REST API.
ZAP was added to the ThoughtWorks Technology Radar on May 30, 2015 in the Trial ring.[5]
ZAP was originally forked from Paros, another pentesting proxy. Simon Bennetts, the project lead, stated in 2014 that only 20% of ZAP's source code was still from Paros.[6]
As of August 1, 2023, the ZAP development team announced that ZAP was leaving the OWASP Foundation to join The Software Security Project, as a founding project [7][8] and henceforth will be simply called ZAP.
The OWASP Foundation announced this departure on the following day.[9]
Features
Some of the built in features include:
- An intercepting proxy server,
- Traditional and AJAX Web crawlers
- An automated scanner
- A passive scanner
- Forced browsing
- A fuzzer
- WebSocket support
- Scripting languages
- Plug-n-Hack support
It has a plugin-based architecture and an online ‘marketplace’ which allows new or updated features to be added. The GUI control panel has been described as easy to use.[10]
An extensive list of all features can be found on https://www.zaproxy.org/docs/desktop/start/features/.
Awards
- One of the OWASP tools referred to in the 2015 Bossie award for The best open source networking and security software[11]
- Second place in the Top Security Tools of 2014 as voted by ToolsWatch.org readers[12]
- Top Security Tool of 2013 as voted by ToolsWatch.org readers[13]
- Toolsmith Tool of the Year for 2011[14]
References
- "Zap 2.14.0". 12 July 2023.
- "OWASP ZAP". Crowdin.com. Retrieved 3 November 2014.
- "Open Web Application Security Project (OWASP)". Openhub.net. Retrieved 3 November 2014.
- "OWASP Project Inventory". Owasp.org. Retrieved 14 September 2023.
- "TECHNOLOGY RADAR Our thoughts on the technology and trends that are shaping the future" (PDF). Thoughtworks.com. Retrieved 6 May 2015.
- Bennetts, Simon (2014). Security Testing for Developers Using OWASP ZAP (Speech). JavaOne San Francisco 2014. Oracle. Event occurs at 23:30. Retrieved 2 June 2015.
- "ZAP is Joining the Software Security Project". August 1, 2023.
- "Welcoming ZAP to the Software Security Project". July 31, 2023.
- https://owasp.org/blog/2023/08/02/zap-core-team-leaves-owasp
- Marcel Birkner (28 October 2013). "Automated Security Testing Web Applications Using OWASP Zed Attack Proxy test". Retrieved 22 November 2016.
- InfoWorld (16 September 2015). "Bossie Awards 2015: The best open source networking and security software". Infoworld.com. Retrieved 21 September 2015.
- "ToolsWatch.org – The Hackers Arsenal Tools Portal » 2014 Top Security Tools as Voted by ToolsWatch.org Readers". Toolswatch.org. Retrieved 16 January 2015.
- "ToolsWatch.org – The Hackers Arsenal Tools Portal » 2013 Top Security Tools as Voted by ToolsWatch.org Readers". Toolswatch.org. Retrieved 3 November 2014.
- Russ McRee (February 2012). "HolisticInfoSec: 2011 Toolsmith Tool of the Year: OWASP ZAP". Holisticinfosec.blogspot.com. Retrieved 3 November 2014.