OWASP Zed Attack Proxy

Affectionately known as ZAP, the OWASP Zed Attack Proxy is an excellent web application testing tool. It finds its way into the hands of experienced penetration testers, newer security administrators, vulnerability assessors, auditors and the curious. One reason for its popularity is its ease of use combined with the extensive, granular capability to examine individual HTTP transactions. While some may know ZAP as a fork or successor to the old Paros proxy, it is so much more: roughly 20% of the code base remains from Paros, meaning the remainder is new code. ZAP is also one of the most active free open source projects around. There are many excellent features, for example the automated scanner and the interception proxy, and that is just for starters. ZAP is:

• Free, open source
• Involvement is actively encouraged
• Cross platform
• Easy to use
• Easy to install
• Fully documented
• Works well with other tools
• Reuses well regarded components

Did I mention free?

ZAP has many features, some developed in the Google Summer of Code (GSoC) over the years. Recent additions for penetration testers include Zest support and ZAP integration, advanced access control testing and user access comparison, advanced fuzzing, SOAP web service scanning, and more.
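The automated scanner mentioned above is normally driven in two stages: a spider plus passive scan that only observes traffic, and an active scan that injects attack payloads into every parameter it finds (the part that is intrusive, so run it only against a target you are authorized to test). The following is an added example, not code from this diary or from the ZAP project. It assumes ZAP is running locally with its API on 127.0.0.1:8080, an API key of "changeme" configured in ZAP's API options, the python-owasp-zap-v2.4 client installed, and a hypothetical in-scope host testserver.local; the alert records at the bottom are constructed in the shape of zap.core.alerts() output so the triage helpers can be run without a live ZAP.

```python
"""Drive ZAP's automated scanner over its REST API and triage the alerts.

Added example, not code from the ISC diary or the ZAP project. Assumes:
  - ZAP is running locally with its API listening on 127.0.0.1:8080
  - the API key configured under ZAP's API options (ZAP_API_KEY below)
  - the python-owasp-zap-v2.4 client (pip install python-owasp-zap-v2.4)
  - TARGET is a host you are authorized to test: the active scan sends
    attack payloads (injection strings, traversal sequences, etc.) to
    every parameter it finds, so it is the intrusive part of the workflow.
"""
import time
from collections import Counter

ZAP_API_KEY = "changeme"             # assumption: key set in ZAP's API options
ZAP_PROXY = "http://127.0.0.1:8080"  # assumption: ZAP's default local listener
TARGET = "http://testserver.local"   # assumption: hypothetical in-scope test host

# Risk levels as ZAP reports them, most severe first.
RISK_ORDER = ("High", "Medium", "Low", "Informational")


def wait_for(status_fn, scan_id, poll=2):
    """Poll a ZAP scan's status endpoint until it reports 100 (percent)."""
    while int(status_fn(scan_id)) < 100:
        time.sleep(poll)


def run_scan(target=TARGET, active=False):
    """Spider the target (non-intrusive), then optionally active scan it.

    Returns the list of alert dicts ZAP recorded for the target.
    """
    from zapv2 import ZAPv2  # imported here so the triage helpers run without ZAP

    zap = ZAPv2(apikey=ZAP_API_KEY, proxies={"http": ZAP_PROXY, "https": ZAP_PROXY})
    zap.urlopen(target)  # seed the site tree by fetching the target through the proxy
    wait_for(zap.spider.status, zap.spider.scan(target))
    if active:
        # Only the active scan injects payloads; the spider and passive
        # scanner just observe.  Leave it off unless you own the target.
        wait_for(zap.ascan.status, zap.ascan.scan(target))
    return zap.core.alerts(baseurl=target)


def summarize(alerts):
    """Count alerts per risk level, keyed in RISK_ORDER."""
    counts = Counter(a["risk"] for a in alerts)
    return {risk: counts.get(risk, 0) for risk in RISK_ORDER}


def dedupe(alerts):
    """Collapse repeated findings: one entry per (alert name, URL, parameter)."""
    seen, unique = set(), []
    for a in alerts:
        key = (a["alert"], a["url"], a.get("param", ""))
        if key not in seen:
            seen.add(key)
            unique.append(a)
    return unique


def findings_at_or_above(alerts, threshold="Medium"):
    """Return alerts whose risk is at least `threshold` (High > Medium > ...)."""
    cutoff = RISK_ORDER.index(threshold)
    return [a for a in alerts if RISK_ORDER.index(a["risk"]) <= cutoff]


# Constructed sample in the shape of zap.core.alerts() output, so the triage
# helpers can be exercised without a running ZAP instance.
SAMPLE_ALERTS = [
    {"alert": "Cross Site Scripting (Reflected)", "risk": "High", "confidence": "Medium",
     "url": "http://testserver.local/search?q=x", "param": "q"},
    {"alert": "Cross Site Scripting (Reflected)", "risk": "High", "confidence": "Medium",
     "url": "http://testserver.local/search?q=x", "param": "q"},
    {"alert": "X-Frame-Options Header Not Set", "risk": "Medium", "confidence": "Medium",
     "url": "http://testserver.local/", "param": ""},
    {"alert": "Cookie Without Secure Flag", "risk": "Low", "confidence": "Medium",
     "url": "http://testserver.local/login", "param": "session"},
    {"alert": "Information Disclosure - Suspicious Comments", "risk": "Informational",
     "confidence": "Low", "url": "http://testserver.local/app.js", "param": ""},
]


if __name__ == "__main__":
    # Swap SAMPLE_ALERTS for run_scan(TARGET, active=True) against a live ZAP.
    alerts = dedupe(SAMPLE_ALERTS)
    print(summarize(alerts))
    for a in findings_at_or_above(alerts, "Medium"):
        print(f'{a["risk"]:<13} {a["alert"]} at {a["url"]} (param={a["param"] or "-"})')
```

The split between spider and active scan is deliberate: the spider and passive rules can be pointed at a production-like system with little risk beyond load, whereas the active scan will happily submit forms, modify parameters and fire injection strings, so keep `active=False` until you have confirmed scope and authorization.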

I gave a talk about ZAP at SANSFIRE recently; the slides can be found at:

Adrien de Beaupré Inc.

I will be teaching SANS SEC560 Network Penetration Testing in Albuquerque, NM.

Adrien de Beaupre

353 Posts
ISC Handler
Jul 22nd 2014
I've just installed ZAP, will be testing it out on one of our internal web services this week. Any idea how intrusive the 'default' scans are?
