TrustRadius
OWASP ZAP


Pricing

N/A
Unavailable

Entry-level set up fee?

  • No setup fee

Offerings

  • Free Trial
  • Free/Freemium Version
  • Premium Consulting/Integration Services

Alternatives Pricing

What is GitLab?

GitLab DevSecOps platform enables software innovation by aiming to empower development, security, and operations teams to build better software, faster. With GitLab, teams can create, deliver, and manage code quickly and continuously instead of managing disparate tools and scripts. GitLab helps…

What is SonarQube?

SonarQube is a code quality and vulnerability solution for development teams that integrates with CI/CD pipelines to ensure the software you produce is secure, reliable, and maintainable.

Product Details

What is OWASP ZAP?

OWASP ZAP (Zed Attack Proxy) is an open-source web application security scanner designed to assist developers and security professionals in identifying vulnerabilities and security issues in web applications. It is suitable for organizations of all sizes, from small startups to large enterprises. Web developers, security analysts, security testers, IT managers, and software engineers across various industries rely on OWASP ZAP to ensure the security of their web applications.

Key Features

ZAP in Ten: A series of short videos (~10 mins each) about different ZAP features, produced in collaboration with All Day DevOps.

ZAP Marketplace: Contains community-contributed ZAP add-ons that extend ZAP's functionality. Add-ons can be browsed and downloaded from within ZAP or imported manually.

Automate with ZAP: ZAP offers a range of options for security automation, with documentation available to help users get started with automating security testing.

ZAP Desktop UI: Features include Menu Bar, Toolbar, Tree Window, Workspace Window, Information Window, and Footer. Additional tabs are accessible via right-hand tabs with green '+' icons, and context-sensitive right-click options are available throughout the user interface.

Manual Exploration: Combines spiders and manual exploration for more effective vulnerability assessment. Users can explore all pages of a web application, including hidden pages, while ZAP passively scans requests and responses for vulnerabilities. Alerts are recorded for potential vulnerabilities found during exploration.

ZAP Advanced Features: The desktop version of ZAP offers a wide range of features that may not be immediately apparent. Additional tabs can be accessed by right-clicking and pinning them. The ZAP Marketplace provides various add-ons for additional functionality. Automation options include Docker Packaged Scans, GitHub Actions, and API and Daemon mode.

ZAP User Guide: Detailed instructions, references, instructional videos, and tips and tricks for using ZAP. Covers ZAP's capabilities, API, and command-line programming. Available online and accessible via the ZAP Desktop UI.

WebSockets: Allows inspection of WebSocket communication, enabling the analysis of WebSocket messages exchanged between the client and server. Provides visibility into the WebSocket protocol and helps identify potential security vulnerabilities. Useful for testing and securing applications that rely on WebSocket technology.

Windows WebDrivers: Includes Windows WebDrivers for Firefox and Chrome, enabling the automation of web browsers on the Windows operating system. Allows seamless integration with popular web browsers for efficient scanning and testing.

Zest - Graphical Security Scripting Language: A graphical security scripting language enhancing OWASP ZAP's macro language capabilities. Provides a user-friendly interface for creating security scripts, offering an intuitive and visual way to develop complex security testing scenarios.

OWASP ZAP Technical Details

Deployment Types: Software as a Service (SaaS), Cloud, or Web-Based

Operating Systems: Mac, Windows

Reviews

Sorry, no reviews are available for this product yet
