OWASP ZAP

ZAP
Stable release: 2.14.0 [1] (12 October 2023)
Written in: Java
Operating system: Linux, Windows, OS X
Available in: 25 languages [2]
Type: Computer security
License: Apache License 2.0
Website: www.zaproxy.org

ZAP (short for Zed Attack Proxy), formerly known as OWASP ZAP, is an open-source web application security scanner. It is intended for use both by those new to application security and by professional penetration testers.


It has been one of the most active Open Worldwide Application Security Project (OWASP) projects [3] and has been given Flagship status. [4]

When used as an intercepting proxy between the browser and the target site it lets the user inspect and manipulate all of the traffic that passes through it, including HTTPS traffic: ZAP terminates TLS itself, re-signing each site's certificate with its own locally generated root CA, which the tester must import into the browser's trust store for the interception to work without certificate warnings.

It can also run in a headless daemon mode, in which there is no GUI and all functionality (spidering, active scanning, retrieving alerts) is driven through its REST API; this is the mode used when ZAP is embedded in automated test pipelines.
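The following is an added example of driving a headless ZAP daemon through that REST API; it is not ZAP's own client library (ZAP ships official ones) and not code from the original page. It assumes the daemon was started with `zap.sh -daemon -host 127.0.0.1 -port 8080 -config api.key=change-me`; the address, the key `change-me`, the target `http://target.example` and the canned responses served by `fake_zap_fetch` are all assumptions constructed so the flow runs offline. The endpoint paths (`/JSON/<component>/<view|action>/<name>/`), the `X-ZAP-API-Key` header and the `scan`, `status` and `alerts` response fields are ZAP's real API shapes.

```python
"""Drive a headless ZAP daemon through its JSON REST API.

Added example, not ZAP's own client library. It assumes ZAP was started as
    zap.sh -daemon -host 127.0.0.1 -port 8080 -config api.key=change-me
and that the target is one you are authorised to scan: the active scanner
sends real attack payloads.
"""
import json
import time
import urllib.parse
import urllib.request


class ZapApi:
    """Tiny client for ZAP's API: GET <base>/JSON/<component>/<view|action>/<name>/?..."""

    def __init__(self, base_url="http://127.0.0.1:8080", api_key="change-me", fetch=None):
        self.base_url = base_url.rstrip("/")
        self.api_key = api_key
        # fetch(url, headers) -> bytes is injectable so the flow can run offline in tests.
        self.fetch = fetch or self._http_get

    @staticmethod
    def _http_get(url, headers):
        req = urllib.request.Request(url, headers=headers)
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.read()

    def call(self, component, kind, name, **params):
        url = f"{self.base_url}/JSON/{component}/{kind}/{name}/"
        if params:
            url += "?" + urllib.parse.urlencode(params)
        # Send the key as a header rather than an ?apikey= query parameter so it does
        # not end up in proxy or web server access logs.
        return json.loads(self.fetch(url, {"X-ZAP-API-Key": self.api_key}))

    def view(self, component, name, **params):
        return self.call(component, "view", name, **params)

    def action(self, component, name, **params):
        return self.call(component, "action", name, **params)


def wait_for(api, component, scan_id, poll_seconds=2.0, max_polls=1800):
    """Poll <component>/view/status/ until the scan reports 100 percent; return that value."""
    for _ in range(max_polls):
        pct = int(api.view(component, "status", scanId=scan_id)["status"])
        if pct >= 100:
            return pct
        time.sleep(poll_seconds)
    raise TimeoutError(f"{component} scan {scan_id} did not finish")


def scan_target(api, target, poll_seconds=2.0):
    """Spider the target, run the active scanner, then summarise alerts by risk level."""
    spider_id = api.action("spider", "scan", url=target, recurse="true")["scan"]
    wait_for(api, "spider", spider_id, poll_seconds)
    ascan_id = api.action("ascan", "scan", url=target, recurse="true")["scan"]
    wait_for(api, "ascan", ascan_id, poll_seconds)

    alerts = api.view("core", "alerts", baseurl=target)["alerts"]
    summary = {"High": 0, "Medium": 0, "Low": 0, "Informational": 0}
    for alert in alerts:
        summary[alert["risk"]] = summary.get(alert["risk"], 0) + 1
    return summary, alerts


def fake_zap_fetch(api_key="change-me"):
    """Constructed stand-in for a running daemon: canned responses in ZAP's JSON shape."""
    polls = {"spider": 0, "ascan": 0}
    # Constructed alerts, shaped like core/view/alerts output (only the fields used here).
    alerts = [
        {"risk": "High", "alert": "SQL Injection",
         "url": "http://target.example/item?id=1", "param": "id"},
        {"risk": "Medium", "alert": "X-Content-Type-Options Header Missing",
         "url": "http://target.example/", "param": "x-content-type-options"},
    ]

    def fetch(url, headers):
        if headers.get("X-ZAP-API-Key") != api_key:
            raise PermissionError("ZAP would answer 403 without a valid API key")
        path = urllib.parse.urlparse(url).path
        if path in ("/JSON/spider/action/scan/", "/JSON/ascan/action/scan/"):
            body = {"scan": "0"}                  # ZAP returns the new scan's id
        elif path in ("/JSON/spider/view/status/", "/JSON/ascan/view/status/"):
            comp = path.split("/")[2]             # "spider" or "ascan"
            polls[comp] += 1                      # first poll in progress, then done
            body = {"status": "45" if polls[comp] == 1 else "100"}
        elif path == "/JSON/core/view/alerts/":
            body = {"alerts": alerts}
        else:
            raise ValueError(f"unexpected call {path}")
        return json.dumps(body).encode()

    return fetch


if __name__ == "__main__":
    # Offline demo against the fake; use ZapApi() with no fetch to talk to a real daemon.
    summary, found = scan_target(ZapApi(fetch=fake_zap_fetch()), "http://target.example", poll_seconds=0)
    print(summary)
    for a in found:
        print(f"[{a['risk']}] {a['alert']} at {a['url']} (param {a['param']})")
```

Two practical notes: a daemon that is reachable from anywhere with a guessable key is itself a security problem, since the API can proxy and attack on the caller's behalf, so bind it to localhost (or restrict it with `api.addrs.addr.name`) and treat the key like a credential; and poll the status views rather than sleeping for a fixed time, because active scan duration depends entirely on the target.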

ZAP was added to the ThoughtWorks Technology Radar on May 30, 2015 in the Trial ring. [5]

ZAP was originally forked from Paros, another pentesting proxy. Simon Bennetts, the project lead, stated in 2014 that only 20% of ZAP's source code was still from Paros. [6]

On August 1, 2023, the ZAP development team announced that ZAP was leaving the OWASP Foundation to join the Software Security Project as a founding project, [7] [8] and that it would henceforth simply be called ZAP.

The OWASP Foundation announced this departure on the following day. [9]

Features

Beyond the intercepting proxy, daemon mode and REST API described above, ZAP has a plugin-based architecture and an online 'marketplace' through which new or updated features (add-ons) are installed. The GUI control panel has been described as easy to use. [10]

An extensive list of all features can be found on https://www.zaproxy.org/docs/desktop/start/features/.

Awards

ZAP was named HolisticInfoSec's 2011 Toolsmith Tool of the Year, [14] appeared in the reader-voted ToolsWatch top security tools lists for 2013 and 2014, [12] [13] and was included in InfoWorld's 2015 Bossie Awards for the best open source networking and security software. [11]



References

  1. "ZAP 2.14.0". 12 July 2023.
  2. "OWASP ZAP". Crowdin.com. Retrieved 3 November 2014.
  3. "Open Web Application Security Project (OWASP)". Openhub.net. Retrieved 3 November 2014.
  4. "OWASP Project Inventory". Owasp.org. Retrieved 14 September 2023.
  5. "Technology Radar: Our thoughts on the technology and trends that are shaping the future" (PDF). Thoughtworks.com. Retrieved 6 May 2015.
  6. Bennetts, Simon (2014). Security Testing for Developers Using OWASP ZAP (Speech). JavaOne San Francisco 2014. Oracle. Event occurs at 23:30. Retrieved 2 June 2015.
  7. "ZAP is Joining the Software Security Project". 1 August 2023.
  8. "Welcoming ZAP to the Software Security Project". 31 July 2023.
  9. "ZAP Core Team to move to Linux Foundation". OWASP Foundation.
  10. Marcel Birkner (28 October 2013). "Automated Security Testing Web Applications Using OWASP Zed Attack Proxy". Retrieved 22 November 2016.
  11. InfoWorld (16 September 2015). "Bossie Awards 2015: The best open source networking and security software". Infoworld.com. Retrieved 21 September 2015.
  12. "2014 Top Security Tools as Voted by ToolsWatch.org Readers". Toolswatch.org. Retrieved 16 January 2015.
  13. "2013 Top Security Tools as Voted by ToolsWatch.org Readers". Toolswatch.org. Retrieved 3 November 2014.
  14. Russ McRee (February 2012). "HolisticInfoSec: 2011 Toolsmith Tool of the Year: OWASP ZAP". Holisticinfosec.blogspot.com. Retrieved 3 November 2014.