OWASP ZAP
OWASP ZAP (short for Zed Attack Proxy) is an open-source web application security scanner. It is intended for both newcomers to application security and professional penetration testers.
| Stable release | 2.12.0 / 27 October 2022 |
|---|---|
| Written in | Java |
| Operating system | Linux, Windows, OS X |
| Available in | 25[1] languages |
| Type | Computer security |
| License | Apache License |
It is one of the most active Open Web Application Security Project (OWASP) projects[2] and has been given Flagship status.[3]
When used as a proxy server it allows the user to inspect and manipulate all of the traffic that passes through it, including HTTPS traffic.
It can also run in a daemon (headless) mode, which is then controlled via a REST API.
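The daemon mode described above is what makes ZAP usable from a CI pipeline: a script starts the spider against an application the team owns, polls for completion, and gates the build on the alerts ZAP produced. The following added example (not code from the ZAP project or this article) shows that control loop in Python. The endpoint layout `/JSON/<component>/<action|view>/<name>/` and the `X-ZAP-API-Key` header are assumed from ZAP's REST API convention and should be checked against the API reference of the version in use; the `FakeZapDaemon` class returns constructed JSON replies so the flow runs offline without a live daemon.

```python
import json
import urllib.parse
import urllib.request
from collections import Counter


class ZapApiClient:
    """Tiny client for a ZAP daemon (e.g. started with `zap.sh -daemon -port 8080`).

    Endpoint layout is ASSUMED from ZAP's REST API convention; verify against the
    API reference of the version you run:
        <base>/JSON/<component>/<action|view>/<name>/?<query>
    The API key is sent in the X-ZAP-API-Key header.
    """

    def __init__(self, base_url, api_key, fetch=None):
        self.base_url = base_url.rstrip("/")
        self.api_key = api_key
        # fetch(url, headers) -> response body; injectable so the flow can run offline
        self._fetch = fetch or self._http_fetch

    @staticmethod
    def _http_fetch(url, headers):
        req = urllib.request.Request(url, headers=headers)
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.read().decode("utf-8")

    def build_url(self, component, kind, name, **params):
        return f"{self.base_url}/JSON/{component}/{kind}/{name}/?" + urllib.parse.urlencode(params)

    def call(self, component, kind, name, **params):
        body = self._fetch(self.build_url(component, kind, name, **params),
                           {"X-ZAP-API-Key": self.api_key})
        data = json.loads(body)
        # ZAP reports API errors as a JSON object carrying a "code" field
        if isinstance(data, dict) and "code" in data:
            raise RuntimeError(f"ZAP API error: {data}")
        return data

    def start_spider(self, target):
        # spider/action/scan replies {"scan": "<id>"}
        return self.call("spider", "action", "scan", url=target)["scan"]

    def spider_progress(self, scan_id):
        # spider/view/status replies {"status": "<percent complete>"}
        return int(self.call("spider", "view", "status", scanId=scan_id)["status"])

    def alerts(self, target):
        # core/view/alerts replies {"alerts": [...]} with the findings recorded so far
        return self.call("core", "view", "alerts", baseurl=target)["alerts"]


def summarize_alerts(alerts):
    """Count alerts per risk level so a pipeline can gate on them."""
    counts = Counter(a.get("risk", "Unknown") for a in alerts)
    return {risk: counts.get(risk, 0) for risk in ("High", "Medium", "Low", "Informational")}


def run_scan(client, target, max_polls=100):
    """Spider the target, wait until the spider reports 100%, return the alert summary."""
    scan_id = client.start_spider(target)
    for _ in range(max_polls):
        if client.spider_progress(scan_id) >= 100:
            break
    return summarize_alerts(client.alerts(target))


def build_should_fail(summary, gate=("High", "Medium")):
    """True when any alert at a gated risk level is present."""
    return any(summary.get(level, 0) > 0 for level in gate)


class FakeZapDaemon:
    """Constructed stand-in for a live daemon: canned JSON replies keyed by endpoint."""

    def __init__(self):
        self.status_polls = 0

    def fetch(self, url, headers):
        if headers.get("X-ZAP-API-Key") != "example-key":
            return json.dumps({"code": "bad_api_key"})
        if "/JSON/spider/action/scan/" in url:
            return json.dumps({"scan": "0"})
        if "/JSON/spider/view/status/" in url:
            self.status_polls += 1  # first poll reports 40%, second reports done
            return json.dumps({"status": "100" if self.status_polls > 1 else "40"})
        if "/JSON/core/view/alerts/" in url:
            return json.dumps({"alerts": [  # constructed sample findings
                {"risk": "High", "name": "SQL Injection (constructed)", "url": "http://app.test/q"},
                {"risk": "Medium", "name": "Missing CSP header (constructed)", "url": "http://app.test/"},
                {"risk": "Informational", "name": "Server leaks version (constructed)", "url": "http://app.test/"},
            ]})
        return json.dumps({"code": "no_such_endpoint"})


def demo():
    daemon = FakeZapDaemon()
    client = ZapApiClient("http://localhost:8080", "example-key", fetch=daemon.fetch)
    summary = run_scan(client, "http://app.test")
    return summary, build_should_fail(summary), daemon.status_polls


if __name__ == "__main__":
    summary, fail, polls = demo()
    print(summary, "fail build:", fail, "status polls:", polls)
```

Against a real daemon, drop the `fetch` argument so the client uses `urllib`, and pass the key configured when the daemon was started; the poll loop is bounded so a spider that never finishes cannot hang the pipeline.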
ZAP was added to the ThoughtWorks Technology Radar on May 30, 2015 in the Trial ring.[4]
ZAP was originally forked from Paros, another pentesting proxy. Simon Bennetts, the project lead, stated in 2014 that only 20% of ZAP's source code was still from Paros.[5]
Features
Some of the built-in features include:
- An intercepting proxy server
- Traditional and AJAX Web crawlers
- An automated scanner
- A passive scanner
- Forced browsing
- A fuzzer
- WebSocket support
- Scripting languages
- Plug-n-Hack support
It has a plugin-based architecture and an online ‘marketplace’ which allows new or updated features to be added. The GUI control panel has been described as easy to use.[6]
Awards
- One of the OWASP tools referred to in the 2015 Bossie award for The best open source networking and security software[7]
- Second place in the Top Security Tools of 2014 as voted by ToolsWatch.org readers[8]
- Top Security Tool of 2013 as voted by ToolsWatch.org readers[9]
- Toolsmith Tool of the Year for 2011[10]
See also
- Web application security
- Burp suite
- W3af
- Fiddler (software)
References
1. "OWASP ZAP". Crowdin.com. Retrieved 3 November 2014.
2. "Open Web Application Security Project (OWASP)". Openhub.net. Retrieved 3 November 2014.
3. "OWASP Project Inventory". Owasp.org. Retrieved 3 November 2014.
4. "Technology Radar: Our thoughts on the technology and trends that are shaping the future" (PDF). Thoughtworks.com. Retrieved 6 May 2015.
5. Bennetts, Simon (2014). Security Testing for Developers Using OWASP ZAP (Speech). JavaOne San Francisco 2014. Oracle. Event occurs at 23:30. Retrieved 2 June 2015.
6. Birkner, Marcel (28 October 2013). "Automated Security Testing Web Applications Using OWASP Zed Attack Proxy test". Retrieved 22 November 2016.
7. InfoWorld (16 September 2015). "Bossie Awards 2015: The best open source networking and security software". Infoworld.com. Retrieved 21 September 2015.
8. "ToolsWatch.org – The Hackers Arsenal Tools Portal » 2014 Top Security Tools as Voted by ToolsWatch.org Readers". Toolswatch.org. Retrieved 16 January 2015.
9. "ToolsWatch.org – The Hackers Arsenal Tools Portal » 2013 Top Security Tools as Voted by ToolsWatch.org Readers". Toolswatch.org. Retrieved 3 November 2014.
10. McRee, Russ (February 2012). "HolisticInfoSec: 2011 Toolsmith Tool of the Year: OWASP ZAP". Holisticinfosec.blogspot.com. Retrieved 3 November 2014.