ZAP (software)

ZAP by Checkmarx
Stable release: 2.15.0 / 7 May 2024
Written in: Java
Operating system: Linux, Windows, macOS
Available in: 25 languages [1]
Type: Dynamic application security testing
License: Apache License
Website: www.zaproxy.org

ZAP (Zed Attack Proxy) is a dynamic application security testing tool published under the Apache License. When used as a proxy server it allows the user to inspect and manipulate all of the traffic that passes through it, including HTTPS-encrypted traffic. It can also run in a daemon mode, which is then controlled through a REST-based API.
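The daemon mode mentioned above is driven entirely over HTTP. The following Python script is an added example (not code from the article or from the ZAP project) showing the shape of that API: it builds ZAP endpoint URLs, spiders a target you operate, waits for the passive scanner to drain, and summarises the resulting alerts by risk level. The daemon address, API key and the sample alert data are constructed assumptions.

```python
"""Drive a local ZAP daemon over its REST API. Added example, not code from the
article or the ZAP project; assumes ZAP was started with
  zap.sh -daemon -host 127.0.0.1 -port 8080 -config api.key=<key>"""
import json
import time
import urllib.parse
import urllib.request
from collections import Counter

ZAP_BASE = "http://127.0.0.1:8080"  # assumed daemon address
API_KEY = "changeme-example-key"    # constructed placeholder for the real key
RISK_ORDER = ["Informational", "Low", "Medium", "High"]  # ZAP's risk levels

def api_url(component, kind, name, **params):
    """ZAP's URL scheme: /JSON/<component>/<view|action>/<name>/?apikey=...&params"""
    query = {k: v for k, v in params.items() if v is not None}
    query["apikey"] = API_KEY
    return f"{ZAP_BASE}/JSON/{component}/{kind}/{name}/?{urllib.parse.urlencode(query)}"

def call(component, kind, name, **params):
    """GET the endpoint and decode the JSON reply (the apikey travels as a query parameter)."""
    with urllib.request.urlopen(api_url(component, kind, name, **params), timeout=30) as resp:
        return json.load(resp)

def summarise_alerts(alerts_json, min_risk="Medium"):
    """Count alerts per risk level and return those at or above min_risk."""
    alerts = alerts_json["alerts"]
    counts = dict(Counter(a["risk"] for a in alerts))
    threshold = RISK_ORDER.index(min_risk)
    return counts, [a for a in alerts if RISK_ORDER.index(a["risk"]) >= threshold]

def spider_and_report(target):
    """Spider the target, let the passive scanner drain its queue, then pull alerts."""
    scan_id = call("spider", "action", "scan", url=target)["scan"]
    while int(call("spider", "view", "status", scanId=scan_id)["status"]) < 100:
        time.sleep(2)
    while int(call("pscan", "view", "recordsToScan")["recordsToScan"]) > 0:
        time.sleep(1)
    return summarise_alerts(call("core", "view", "alerts", baseurl=target, start=0, count=500))

# Constructed sample in the shape /JSON/core/view/alerts/ returns (not real scan output)
SAMPLE_ALERTS = {"alerts": [
    {"risk": "Medium", "name": "Missing Anti-clickjacking Header", "url": "http://app.example/"},
    {"risk": "Low", "name": "Cookie Without Secure Flag", "url": "http://app.example/login"},
    {"risk": "High", "name": "Cross Site Scripting (Reflected)", "url": "http://app.example/search"},
]}

if __name__ == "__main__":
    counts, findings = summarise_alerts(SAMPLE_ALERTS)
    print(counts, [f["name"] for f in findings])
```

Running the script as-is only summarises the constructed sample; call `spider_and_report("http://app.example/")` against a running daemon to exercise the live API path.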


History

ZAP was originally forked from Paros, which was developed by Chinotec Technologies Company. [2] Simon Bennetts, the project lead, stated in 2014 that only 20% of ZAP's source code was still from Paros. [3]

The first release was announced on Bugtraq in September 2010, and ZAP became an OWASP project a few months later. [4] [5] In 2023, the ZAP developers moved to the Linux Foundation, where they became part of the Software Security Project. [6] [7] [8] As of September 24, 2024, all of the main developers joined Checkmarx as employees and ZAP was rebranded as ZAP by Checkmarx. [9]

ZAP was listed in the 2015 InfoWorld Bossie awards for "The best open source networking and security software". [10]

Features

Some of the built-in features include:


References

  1. "OWASP ZAP". Crowdin.com. Retrieved 3 November 2014.
  2. "ZAP – Paros Proxy". zaproxy.org. Retrieved 2024-10-18.
  3. Bennetts, Simon (2014). Security Testing for Developers Using OWASP ZAP (Speech). JavaOne San Francisco 2014. Oracle. Event occurs at 23:30. Retrieved 2 June 2015.
  4. Wylie, Phillip; Crawley, Kim (2021). The Pentester Blueprint: Starting a Career as an Ethical Hacker (1st ed.). Indianapolis: John Wiley and Sons. p. 75. ISBN 978-1-119-68430-5.
  5. "Bugtraq: The Zed Attack Proxy (ZAP) version 1.0.0". Bugtraq. Retrieved 2024-10-18.
  6. "ZAP Core Team to move to Linux Foundation | OWASP Foundation".
  7. "ZAP is Joining the Software Security Project". August 1, 2023.
  8. "Welcoming ZAP to the Software Security Project". July 31, 2023.
  9. ZAP blog post on joining Checkmarx. zaproxy.org. 24 September 2024. https://www.zaproxy.org/blog/2024-09-24-zap-has-joined-forces-with-checkmarx/
  10. "Bossie Awards 2015: The best open source networking and security software". InfoWorld. Retrieved 2024-10-18.