OWASP ZAP

OWASP ZAP (short for Zed Attack Proxy) is an open-source web application security scanner. It is intended to be used by both those new to application security as well as professional penetration testers.

OWASP ZAP
Stable release
2.9.0 / 17 January 2020 (2020-01-17)
Repository
Written inJava
Operating systemLinux, Windows, OS X
Available in25[1] languages
TypeComputer security
LicenseApache Licence
Websitewww.zaproxy.org

It is one of the most active Open Web Application Security Project (OWASP) projects[2] and has been given Flagship status.[3]

When used as a proxy server it allows the user to manipulate all of the traffic that passes through it, including traffic using https.

It can also run in a daemon mode which is then controlled via a REST API.

ZAP was added to the ThoughtWorks Technology Radar in May 2015 in the Trial ring.[4]

ZAP was originally forked from Paros, another pentesting proxy. Simon Bennetts, the project lead, stated in 2014 that only 20% of ZAP's source code was still from Paros.[5]

Features

Some of the built in features include: Intercepting proxy server, Traditional and AJAX Web crawlers, Automated scanner, Passive scanner, Forced browsing, Fuzzer, WebSocket support, Scripting languages, and Plug-n-Hack support. It has a plugin-based architecture and an online ‘marketplace’ which allows new or updated features to be added. The GUI control panel is easy to use.[6]

Awards

  • One of the OWASP tools referred to in the 2015 Bossie award for The best open source networking and security software[7]
  • Second place in the Top Security Tools of 2014 as voted by ToolsWatch.org readers[8]
  • Top Security Tool of 2013 as voted by ToolsWatch.org readers[9]
  • Toolsmith Tool of the Year for 2011[10]
gollark: "Whitney-style"?
gollark: * explicitly
gollark: I think it does dereferences and such quite expressively.
gollark: And stronger type systems/more expressive languages can allow you to more confidently refactor.
gollark: Safer languages can save you from *particular* problems which can lead to dark bee god invocation in C, and which may not even be some big structure problem but just forgetting to `free` or something something buffer overflows.

See also

References

  1. "OWASP ZAP". Crowdin.com. Retrieved 3 November 2014.
  2. "Open Web Application Security Project (OWASP)". Openhub.net. Retrieved 3 November 2014.
  3. "OWASP Project Inventory". Owasp.org. Retrieved 3 November 2014.
  4. "TECHNOLOGY RADAR Our thoughts on the technology and trends that are shaping the future" (PDF). Thoughtworks.com. Retrieved 6 May 2015.
  5. Bennetts, Simon (2014). Security Testing for Developers Using OWASP ZAP (Speech). JavaOne San Francisco 2014. Oracle. Event occurs at 23:30. Retrieved 2 June 2015.
  6. Marcel Birkner. "Automated Security Testing Web Applications Using OWASP Zed Attack Proxy test". Retrieved 22 November 2016.
  7. InfoWorld. "Bossie Awards 2015: The best open source networking and security software". Infoworld.com. Retrieved 21 September 2015.
  8. "ToolsWatch.org – The Hackers Arsenal Tools Portal » 2014 Top Security Tools as Voted by ToolsWatch.org Readers". Toolswatch.org. Retrieved 16 January 2015.
  9. "ToolsWatch.org – The Hackers Arsenal Tools Portal » 2013 Top Security Tools as Voted by ToolsWatch.org Readers". Toolswatch.org. Retrieved 3 November 2014.
  10. Russ McRee. "HolisticInfoSec: 2011 Toolsmith Tool of the Year: OWASP ZAP". Holisticinfosec.blogspot.com. Retrieved 3 November 2014.
This article is issued from Wikipedia. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.