OWASP ZAP
OWASP ZAP (short for Zed Attack Proxy) is an open-source web application security scanner. It is intended to be used by both those new to application security as well as professional penetration testers.
Stable release | 2.9.0
/ 17 January 2020 |
---|---|
Repository | |
Written in | Java |
Operating system | Linux, Windows, OS X |
Available in | 25[1] languages |
Type | Computer security |
License | Apache Licence |
Website | www |
It is one of the most active Open Web Application Security Project (OWASP) projects[2] and has been given Flagship status.[3]
When used as a proxy server it allows the user to manipulate all of the traffic that passes through it, including traffic using https.
It can also run in a daemon mode which is then controlled via a REST API.
ZAP was added to the ThoughtWorks Technology Radar in May 2015 in the Trial ring.[4]
ZAP was originally forked from Paros, another pentesting proxy. Simon Bennetts, the project lead, stated in 2014 that only 20% of ZAP's source code was still from Paros.[5]
Features
Some of the built in features include: Intercepting proxy server, Traditional and AJAX Web crawlers, Automated scanner, Passive scanner, Forced browsing, Fuzzer, WebSocket support, Scripting languages, and Plug-n-Hack support. It has a plugin-based architecture and an online ‘marketplace’ which allows new or updated features to be added. The GUI control panel is easy to use.[6]
Awards
- One of the OWASP tools referred to in the 2015 Bossie award for The best open source networking and security software[7]
- Second place in the Top Security Tools of 2014 as voted by ToolsWatch.org readers[8]
- Top Security Tool of 2013 as voted by ToolsWatch.org readers[9]
- Toolsmith Tool of the Year for 2011[10]
See also
- Web application security
- Burp suite
- W3af
- Fiddler (software)
References
- "OWASP ZAP". Crowdin.com. Retrieved 3 November 2014.
- "Open Web Application Security Project (OWASP)". Openhub.net. Retrieved 3 November 2014.
- "OWASP Project Inventory". Owasp.org. Retrieved 3 November 2014.
- "TECHNOLOGY RADAR Our thoughts on the technology and trends that are shaping the future" (PDF). Thoughtworks.com. Retrieved 6 May 2015.
- Bennetts, Simon (2014). Security Testing for Developers Using OWASP ZAP (Speech). JavaOne San Francisco 2014. Oracle. Event occurs at 23:30. Retrieved 2 June 2015.
- Marcel Birkner. "Automated Security Testing Web Applications Using OWASP Zed Attack Proxy test". Retrieved 22 November 2016.
- InfoWorld. "Bossie Awards 2015: The best open source networking and security software". Infoworld.com. Retrieved 21 September 2015.
- "ToolsWatch.org – The Hackers Arsenal Tools Portal » 2014 Top Security Tools as Voted by ToolsWatch.org Readers". Toolswatch.org. Retrieved 16 January 2015.
- "ToolsWatch.org – The Hackers Arsenal Tools Portal » 2013 Top Security Tools as Voted by ToolsWatch.org Readers". Toolswatch.org. Retrieved 3 November 2014.
- Russ McRee. "HolisticInfoSec: 2011 Toolsmith Tool of the Year: OWASP ZAP". Holisticinfosec.blogspot.com. Retrieved 3 November 2014.