Web Application Vulnerability Testing
The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers. It can help you automatically find security vulnerabilities in your web applications while you are developing and testing them. It is also a great tool for experienced pentesters to use for manual security testing.

At its heart ZAP is an intercepting proxy. You need to configure your browser to connect to the web application you wish to test through ZAP. If required, you can also configure ZAP to connect through another proxy; this is often necessary in a corporate environment. Once you have configured ZAP as your browser’s proxy, try to connect to the web application you will be testing. When you have successfully connected to your application via your browser, look at ZAP again: you should now see one or more lines in the Sites and History tabs.
ZAP 2.6.0 is now available
Some of the most significant changes include:
Web Application Vulnerability Testing: ZAProxy
Some of ZAP’s functionality:
Intercepting Proxy
Traditional and AJAX spiders
Automated scanner
Passive scanner
Forced browsing
Fuzzer
Dynamic SSL certificates
Smartcard and Client Digital Certificates support
Web sockets support
Support for a wide range of scripting languages
Plug-n-Hack support
Authentication and session support
Powerful REST based API
Automatic updating option
Integrated and growing marketplace of add-ons
Zed Attack Proxy Alerts
The OWASP Zed Attack Proxy (ZAP) is an easy-to-use integrated penetration testing tool for finding vulnerabilities in web applications.
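The proxy configuration described above and the alerts ZAP raises can both be driven from code: the following added example (not ZAP project code) builds a client that routes traffic through ZAP, constructs the URL of ZAP's REST alerts view, and summarises an alerts response by risk level so a test run can be failed when findings reach a chosen threshold. It assumes ZAP listens on its default 127.0.0.1:8080 and that the alerts view returns the JSON shape used in the constructed sample below.

```python
"""Route a client through ZAP and summarise the alerts ZAP reports.

Added example, not part of the ZAP project. Assumes ZAP listens on
127.0.0.1:8080 (its default); SAMPLE_ALERTS is constructed sample data
shaped like the JSON returned by ZAP's core/view/alerts endpoint.
"""
import json
import urllib.parse
import urllib.request
from collections import Counter

# ZAP's risk levels, ordered so a threshold comparison is possible.
RISK_ORDER = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}


def zap_proxy_opener(host="127.0.0.1", port=8080):
    """Build a urllib opener that sends all traffic through ZAP, the same
    proxy setting the browser needs so ZAP can see and record requests."""
    proxy = f"http://{host}:{port}"
    handler = urllib.request.ProxyHandler({"http": proxy, "https": proxy})
    return urllib.request.build_opener(handler)


def alerts_view_url(base_url, api_key, host="127.0.0.1", port=8080):
    """URL of ZAP's REST alerts view, filtered to one site and carrying
    the API key ZAP requires by default."""
    query = urllib.parse.urlencode({"baseurl": base_url, "apikey": api_key})
    return f"http://{host}:{port}/JSON/core/view/alerts/?{query}"


def summarise_alerts(alerts_json, fail_on="Medium"):
    """Count alerts per risk level and list the distinct alert names whose
    risk is at or above fail_on. Returns (counts, failing)."""
    alerts = json.loads(alerts_json)["alerts"]
    counts = Counter(a["risk"] for a in alerts)
    threshold = RISK_ORDER[fail_on]
    failing = sorted({a["alert"] for a in alerts if RISK_ORDER[a["risk"]] >= threshold})
    return dict(counts), failing


# Constructed sample response (not real scan output).
SAMPLE_ALERTS = json.dumps({"alerts": [
    {"alert": "X-Frame-Options Header Not Set", "risk": "Medium", "url": "http://app.example/"},
    {"alert": "Cookie Without Secure Flag", "risk": "Low", "url": "http://app.example/login"},
    {"alert": "SQL Injection", "risk": "High", "url": "http://app.example/items?id=1", "param": "id"},
    {"alert": "X-Frame-Options Header Not Set", "risk": "Medium", "url": "http://app.example/about"},
]})

if __name__ == "__main__":
    # zap_proxy_opener().open(url) would send a request via ZAP; no network call here.
    counts, failing = summarise_alerts(SAMPLE_ALERTS, fail_on="Medium")
    print(counts, failing)
```

In a real run, fetch `alerts_view_url(...)` after browsing or spidering the site through the proxy and pass the response body to `summarise_alerts`.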
Some of ZAP’s characteristics:
Open source
Cross platform (it even runs on a Raspberry Pi!)
Easy to install (using a multi-platform installer builder)
Completely free (no paid-for ‘Pro’ version)
Ease of use a priority
Comprehensive help pages
Fully internationalized
Translated into over 20 languages
Community based, with involvement actively encouraged
Under active development by an international team of volunteers
ZAP provides the following features:
Active Scan
Add-ons
Alerts
Anti CSRF Tokens
API
Authentication
Break Points
Contexts
Data Driven Content
Filters
Globally Excluded URLs
HTTP Sessions
Intercepting Proxy
Modes
Notes
Passive Scan
Scan Policies
Scope
Session Management
Spider
Statistics
Structural Modifiers
Structural Parameters
Tags
Users