OWASP Zed Attack Proxy

Published: 2014-07-21
Last Updated: 2014-07-22 01:25:08 UTC
by Adrien de Beaupre (Version: 1)
1 comment(s)

Affectionately know as ZAP the OWASP Zed Attack Proxy in an excellent web application testing tool. It finds its way into the hands of experienced penetration testers, newer security administrators, vulnerability assessors, as well as auditors and the curious. One of the reasons for its popularity is the ease of use and the extensive granular capability to examine transactions. While some may know ZAP as a fork or successor to the old Paros proxy,it is so much more. Roughly 20% of the code base remains from Paros, meaning that the remainder is new code! Also, ZAP is one of the most active free open source projects around! There are so many excellent features, for example the automated scanner and the interception proxy. That is just for starters. ZAP is:

â?˘Free, Open source
â?˘Involvement is actively encouraged
â?˘Cross platform
â?˘Easy to use
â?˘Easy to install
â?˘Internationalized
â?˘Fully documented
â?˘Works well with other tools
â?˘Reuses well regarded components.

Did I mention free?

ZAP has many features, some developed in the Google Summer of Code (GSoC) over the years. For penetration testers ZAP has many new features such as Zest support and ZAP integration, Advanced access control testing and user access comparison, Advanced Fuzzing, SOAP web service scanning, and more.

I gave a talk about ZAP at SANSFire recently, the slides can be found at: https://isc.sans.edu/diaryimages/BustacapinawebappwithOWASPZAPSANSFIRE2014.pdf

Cheers,
Adrien de Beaupré
Intru-shun.ca Inc.

I will be teaching SANS Sec560 Network Penetration testing in Albuquerque, NM

Keywords:
1 comment(s)

Comments

I've just installed ZAP, will be testing it out on one of our internal web services this week. Any idea how intrusive the 'default' scans are?

Diary Archives