Wednesday, January 25, 2023

Owasp-zap

 


OWASP ZAP (short for Zed Attack Proxy) is an open-source web application security scanner. It is intended to be used both by those new to application security and by professional penetration testers.

OWASP ZAP
Stable release: 2.11.1 / 10 December 2021; 13 months ago
Repository
Written in: Java
Operating system: Linux, Windows, OS X
Available in: 25[1] languages
Type: Computer security
License: Apache Licence
Website: www.zaproxy.org

It is one of the most active Open Web Application Security Project (OWASP) projects[2] and has been given Flagship status.[3]

When used as a proxy server, it allows the user to manipulate all of the traffic that passes through it, including traffic using HTTPS.

It can also run in a daemon mode, which is then controlled via a REST API.

ZAP was added to the ThoughtWorks Technology Radar on May 30, 2015 in the Trial ring.[4]

ZAP was originally forked from Paros, another pentesting proxy. Simon Bennetts, the project lead, stated in 2014 that only 20% of ZAP's source code was still from Paros.[5]

Features

Some of the built-in features include:

It has a plugin-based architecture and an online ‘marketplace’ which allows new or updated features to be added. The GUI control panel has been described as easy to use.[6]

Awards

  • One of the OWASP tools referred to in the 2015 Bossie award for The best open source networking and security software[7]
  • Second place in the Top Security Tools of 2014 as voted by ToolsWatch.org readers[8]
  • Top Security Tool of 2013 as voted by ToolsWatch.org readers[9]
  • Toolsmith Tool of the Year for 2011[10]
