ZAP (software): Difference between revisions

ZAP by Checkmarx
	Logo including Checkmarx, since 2024
Stable release	2.15.0 / 7 May 2024; 7 months ago
Repository	github.com/zaproxy/zaproxy ;
Written in	Java
Operating system	Linux, Windows, macOS
Available in	25 languages
Type	Dynamic application security testing
License	Apache Licence
Website	www.zaproxy.org

Browse history interactively

← Previous edit

Content deleted Content added

VisualWikitext

Inline

Latest revision as of 11:18, 22 October 2024

ZAP (Zed Attack Proxy) is a dynamic application security testing tool published under the Apache License. When used as a proxy server it allows the user to manipulate all of the traffic that passes through it, including HTTPS encrypted traffic. It can also run in a daemon mode which is then controlled via a REST-based API.

History

ZAP was originally forked from Paros which was developed by Chinotec Technologies Company.^[2] Simon Bennetts, the project lead, stated in 2014 that only 20% of ZAP's source code was still from Paros.^[3]

The first release was announced on Bugtraq in September 2010, and became an OWASP project a few months later.^[4]^[5] In 2023, ZAP developers moved to the Linux Foundation, where they became a part of the Software Security Project.^[6]^[7]^[8] As of September 24, 2024, all of the main developers joined Checkmarx as employees and ZAP was rebranded as ZAP by Checkmarx.^[9]

ZAP was listed in the 2015 InfoWorld Bossie award for The best open source networking and security software.^[10]

Features

Some of the built in features include:

An intercepting proxy server,
Traditional and AJAX Web crawlers
An automated scanner
A passive scanner
Forced browsing
A fuzzer
WebSocket support
Scripting languages
Plug-n-Hack support

References

^ "OWASP ZAP". Crowdin.com. Retrieved 3 November 2014.
^ "ZAP – Paros Proxy". zaproxy.org. Retrieved 2024-10-18.
^ Bennetts, Simon (2014). Security Testing for Developers Using OWASP ZAP (Speech). JavaOne San Francisco 2014. Oracle. Event occurs at 23:30. Retrieved 2 June 2015.
^ Wylie, Phillip; Crawley, Kim (2021). The pentester blueprint: starting a career as an ethical hacker (1 ed.). Indianapolis: John Wiley and Sons. p. 75. ISBN 978-1-119-68430-5.
^ "Bugtraq: The Zed Attack Proxy (ZAP) version 1.0.0". bugtraq. Retrieved 2024-10-18.
^ "ZAP Core Team to move to Linux Foundation | OWASP Foundation".
^ "ZAP is Joining the Software Security Project". August 1, 2023.
^ "Welcoming ZAP to the Software Security Project". July 31, 2023.
^ https://www.zaproxy.org/blog/2024-09-24-zap-has-joined-forces-with-checkmarx/
^ "Bossie Awards 2015: The best open source networking and security software". InfoWorld. Retrieved 2024-10-18.

External links

Official website

[1] "OWASP ZAP". Crowdin.com. Retrieved 3 November 2014.

[2] "ZAP – Paros Proxy". zaproxy.org. Retrieved 2024-10-18.

[3] Bennetts, Simon (2014). Security Testing for Developers Using OWASP ZAP (Speech). JavaOne San Francisco 2014. Oracle. Event occurs at 23:30. Retrieved 2 June 2015.

[4] Wylie, Phillip; Crawley, Kim (2021). The pentester blueprint: starting a career as an ethical hacker (1 ed.). Indianapolis: John Wiley and Sons. p. 75. ISBN 978-1-119-68430-5.

[5] "Bugtraq: The Zed Attack Proxy (ZAP) version 1.0.0". bugtraq. Retrieved 2024-10-18.

[6] "ZAP Core Team to move to Linux Foundation | OWASP Foundation".

[7] "ZAP is Joining the Software Security Project". August 1, 2023.

[8] "Welcoming ZAP to the Software Security Project". July 31, 2023.

[9] ttps://www.zaproxy.org/blog/2024-09-24-zap-has-joined-forces-with-checkmarx/

[10] "Bossie Awards 2015: The best open source networking and security software". InfoWorld. Retrieved 2024-10-18.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

@@ Line 1: / Line 1: @@
+{{Short description|Open-source web application security scanner}}
-{{multiple issues|
-{{COI|date=November 2015}}
-{{notability|Products|date=November 2015}}
-{{primary sources|date=November 2015}}
-}}
 {{Infobox software
-| name                   = OWASP ZAP
+| name                   = ZAP by Checkmarx
-| caption                = "OWASP Zed Attack Proxy"
+| logo                   = Logo of ZAP by Checkmarx.svg
+| logo_size              = 200px
-| latest release version = 2.8.0
+| logo_caption           = Logo including [[Checkmarx]], since 2024
-| latest release date    = {{release date and age|2019|6|7|df=yes}}
+| screenshot             = OWASP-ZAP.png
-| operating system       = [[Linux]], [[Windows]], [[OS X]]
-| status                 = Active
+| caption                =
+| latest release version = {{wikidata|property|P348}}
-| genre                  = [[Computer security]]
+| latest release date    = {{release date and age|2024|05|07|df=yes}}
+| operating system       = [[Linux]], [[Windows]], [[macOS]]
+| genre                  = [[Dynamic application security testing]]
 | license                = [[Apache Licence]]
-| website                = {{URL|https://www.owasp.org/index.php/ZAP}}
+| website                = {{URL|https://www.zaproxy.org/}}
+| language count         = 25<ref>{{cite web|url=https://crowdin.com/project/owasp-zap|title=OWASP ZAP|publisher=Crowdin.com|access-date=3 November 2014}}</ref>
-|logo size = 124px
+| programming language   = [[Java (programming language)|Java]]
-| language count = 25<ref>{{cite web|url=https://crowdin.com/project/owasp-zap|title=OWASP ZAP|publisher=Crowdin.com|accessdate=3 November 2014}}</ref>
-| programming language = [[Java (programming language)|Java]]
 }}
+'''ZAP''' ('''Zed Attack Proxy''') is a [[dynamic application security testing]] tool published under the [[Apache License]]. When used as a [[proxy server]] it allows the user to manipulate all of the traffic that passes through it, including [[HTTPS]] encrypted traffic. It can also run in a [[Daemon (computing)|daemon]] mode which is then controlled via a [[Representational state transfer|REST]]-based [[Application programming interface|API]].
-'''OWASP ZAP''' (short for '''Z'''ed '''A'''ttack '''P'''roxy) is an [[open-source software|open-source]] [[web application security scanner]].
-It is intended to be used by both those new to application security as well as professional penetration testers.
+== History ==
-It is one of the most active Open Web Application Security Project ([[OWASP]]) projects<ref>{{cite web|url=https://www.openhub.net/orgs/OWASP?view=portfolio_projects|title=Open Web Application Security Project (OWASP)|publisher=Openhub.net|accessdate=3 November 2014}}</ref> and has been given Flagship status.<ref>{{cite web|url=https://www.owasp.org/index.php/OWASP_Project_Inventory#Flagship_Projects|title=OWASP Project Inventory|publisher=Owasp.org|accessdate=3 November 2014}}</ref>
+ZAP was originally forked from Paros which was developed by Chinotec Technologies Company.<ref>{{Cite web |title=ZAP – Paros Proxy |url=https://www.zaproxy.org/docs/desktop/paros/ |access-date=2024-10-18 |website=zaproxy.org}}</ref> Simon Bennetts, the project lead, stated in 2014 that only 20% of ZAP's source code was still from Paros.<ref>{{cite speech |url=https://www.youtube.com/watch?v=_MmDWenz-6U&t=23m30s |time=23:30 |publisher=Oracle |event=JavaOne San Francisco 2014 |date=2014 |first=Simon |last=Bennetts |title=Security Testing for Developers Using OWASP ZAP |access-date=2 June 2015}}</ref>
+The first release was announced on [[Bugtraq]] in September 2010, and became an [[OWASP]] project a few months later.<ref>{{Cite book |last=Wylie |first=Phillip |title=The pentester blueprint: starting a career as an ethical hacker |last2=Crawley |first2=Kim |author-link2=Kim Crawley |date=2021 |publisher=John Wiley and Sons |isbn=978-1-119-68430-5 |edition=1 |location=Indianapolis |page=75}}</ref><ref>{{Cite web |title=Bugtraq: The Zed Attack Proxy (ZAP) version 1.0.0 |url=https://seclists.org/bugtraq/2010/Sep/38 |access-date=2024-10-18 |website=[[bugtraq]] |language=en}}</ref> In 2023, ZAP developers moved to the [[Linux Foundation]], where they became a part of the Software Security Project.<ref>{{cite web |title=ZAP Core Team to move to Linux Foundation &#124; OWASP Foundation |url=https://owasp.org/blog/2023/08/02/zap-core-team-leaves-owasp}}</ref><ref>{{cite web |date=August 1, 2023 |title=ZAP is Joining the Software Security Project |url=https://www.zaproxy.org/blog/2023-08-01-zap-is-joining-the-software-security-project/}}</ref><ref>{{cite web |date=July 31, 2023 |title=Welcoming ZAP to the Software Security Project |url=https://softwaresecurityproject.org/blog/welcoming-zap-to-the-software-security-project/}}</ref> As of September 24, 2024, all of the main developers joined [[Checkmarx]] as employees and ZAP was rebranded as ZAP by Checkmarx.<ref>https://www.zaproxy.org/blog/2024-09-24-zap-has-joined-forces-with-checkmarx/</ref>
-When used as a [[proxy server]] it allows the user to manipulate all of the traffic that passes through it, including traffic using [[HTTPS|https]].
+ZAP was listed in the 2015 [[InfoWorld]] Bossie award for The best open source networking and security software.<ref>{{Cite web |title=Bossie Awards 2015: The best open source networking and security software |url=https://www.infoworld.com/article/2238317/bossie-awards-2015-the-best-open-source-networking-and-security-software.html |access-date=2024-10-18 |website=InfoWorld |language=en-US}}</ref>
-It can also run in a [[Daemon (computing)|daemon]] mode which is then controlled via a [[Representational state transfer|REST]] [[Application programming interface|API]].
-ZAP was added to the [[ThoughtWorks]] Technology Radar in May 2015 in the Trial ring.<ref>{{cite web|url=http://assets.thoughtworks.com/assets/technology-radar-may-2015-en.pdf|format=PDF|title=TECHNOLOGY RADAR Our thoughts on the technology and trends that are shaping the future|publisher=Thoughtworks.com|access-date=6 May 2015}}</ref>
-ZAP is based on [[Paros]] penetration testing tool - according to Simon Bennetts the ZAP Project Lead, having forked the venerable Paros Proxy in 2010. <ref>{{cite web|url=https://youtube.com/watch?v=_MmDWenz-6U?list=WL&t=1422|title=this video has information in the description and at 23:30 he also mentions this in the presentation|publisher=Oracle Developers|access-date=2 June 2015}}</ref>
 ==Features==
 Some of the built in features include:
-Intercepting [[proxy server]],
+* An intercepting [[proxy server]],
-Traditional and [[Ajax (programming)|AJAX]] [[Web crawler]]s,
+* Traditional and [[Ajax (programming)|AJAX]] [[Web crawler]]s
-Automated scanner,
+* An automated scanner
-Passive scanner,
+* A passive scanner
-Forced browsing,
+* Forced browsing
+* A [[Fuzzing|fuzzer]]
-Fuzzer,
-[[WebSocket]] support,
+* [[WebSocket]] support
-[[Scripting language]]s, and
+* [[Scripting language]]s
-Plug-n-Hack support.
+* Plug-n-Hack support
-It has a plugin-based architecture and an online ‘marketplace’ which allows new or updated features to be added.
-The GUI control panel is easy to use.<ref>{{cite web|url=https://blog.codecentric.de/en/2013/10/automated-security-testing-web-applications-using-owasp-zed-attack-proxy/|title=Automated Security Testing Web Applications Using OWASP Zed Attack Proxy test |author=Marcel Birkner|accessdate=22 November 2016}}</ref>
-==Awards==
-* One of the [[OWASP]] tools referred to in the 2015 Bossie award for The best open source networking and security software<ref>{{cite web|url=http://www.infoworld.com/article/2982962/open-source-tools/bossie-awards-2015-the-best-open-source-networking-and-security-software.html#slide8|title=Bossie Awards 2015: The best open source networking and security software|author=InfoWorld|publisher=Infoworld.com|accessdate=21 September 2015}}</ref>
-* Second place in the Top Security Tools of 2014 as voted by ToolsWatch.org readers<ref>{{cite web|url=https://www.toolswatch.org/2015/01/2014-top-security-tools-as-voted-by-toolswatch-org-readers/|title=ToolsWatch.org – The Hackers Arsenal Tools Portal » 2014 Top Security Tools as Voted by ToolsWatch.org Readers|publisher=Toolswatch.org|accessdate=16 January 2015}}</ref>
-* Top Security Tool of 2013 as voted by ToolsWatch.org readers<ref>{{cite web|url=https://www.toolswatch.org/2013/12/2013-top-security-tools-as-voted-by-toolswatch-org-readers/|title=ToolsWatch.org – The Hackers Arsenal Tools Portal » 2013 Top Security Tools as Voted by ToolsWatch.org Readers|publisher=Toolswatch.org|accessdate=3 November 2014}}</ref>
-* Toolsmith Tool of the Year for 2011<ref>{{cite web|url=http://holisticinfosec.blogspot.com/2012/02/2011-toolsmith-tool-of-year-owasp-zap.html|title=HolisticInfoSec: 2011 Toolsmith Tool of the Year: OWASP ZAP|author=Russ McRee|publisher=Holisticinfosec.blogspot.com|accessdate=3 November 2014}}</ref>
 ==See also==
 {{Portal|Free and open-source software}}
@@ Line 58: / Line 43: @@
 * [[W3af]]
 * [[Fiddler (software)]]
+== Further reading ==
+* {{Cite book |last=Soper |first=Ryan |title=Zed Attack Proxy Cookbook |last2=N Torres |first2=Nestor |last3=Almoailu |first3=Ahmed |date=10 March 2023 |publisher=[[Packt Publishing]] |isbn=9781801810159}}
 ==References==
@@ Line 63: / Line 51: @@
 ==External links==
-* [https://www.owasp.org/index.php/ZAP Official website]
+* [https://www.zaproxy.org/ Official website]
-[[Category:Computer network security]]
 [[Category:Computer security software]]
 [[Category:Cross-platform free software]]
 [[Category:Free security software]]
-[[Category:Injection exploits]]
 [[Category:Java platform software]]
-[[Category:Web security exploits]]
-[[Category:Web development software]]