Author: Simon

Sorted by latest post date.

ZAP Has Joined Forces With Checkmarx

Last Posted
This is a huge investment (and vote of confidence) in ZAP and will secure the project’s future success.

Polyfill.io Script Detection

A new scan rule which allows you to find out which of your sites are loading scripts from polyfill.io really quickly.

ZAP Updates - May 2024

It was another “full release” month, with 2.15.0 and a brand new add-on for gRPC support.

ZAP 2.15.0

ZAP 2.15.0 has just been released, and adds support for scripts as first class scan rules, restructured desktop menu items, and more…

ZAP Updates - April 2024

ZAP professional services, a new Docker Hub org, a new GitHub Action and 2.15.0 is coming soon.

ZAP Professional Services!

ZAP Professional Services are now available, delivered by key members of the ZAP Core Team. Money raised from these services will help fund ZAP development.

ZAP Updates - March 2024

ZAP funding, the Open Source Fellowship, ZAProxy Ltd, script scan rules as first class scan rules.

Support Changes

Changes that we are having to put in place regarding ZAP support.

ZAP Updates - February 2024

Restructured desktop menus, OWASP Docker Hub deprecation, funding, and GSoC.

ZAP Professional Services?

Would you be interested in ZAP based professional services? If so please get in touch.

2023 in Review

A summary of everything ZAP related that happened in 2023.

ZAP Technology Support

How you can tell ZAP which technology your target uses, and why it can be a really good idea.

ZAPit

Want to find out as much info about a URL as possible really quickly? Then ZAPit!

ZAP 2.14.0

ZAP 2.14.0 has just been released, and adds support for Host Header Manipulation, ZAPit, API File Transfers, Graal JS Add-on Access, Postman collections, SBOMs, and more…

ZAP Updates - September 2023

Both of our GSoC students completed their projects, and we started a new video series.

ZAP Chat Video Series

We have just started a new series of videos called ZAP Chat which focus on ZAP features, new and old.

What Should We Focus On?

We want your input on what we should focus on as part of ZAP development.

ZAP 2.13.0

ZAP 2.13.0 has just been released, and adds support for HTTP/2, improved authentication handling and Mac Silicon.

Authentication Tester Dialog

There is now a really easy way to check if ZAP can handle your app’s authentication.

ZAP Updates - April 2023

April 2023 updates - the ZAP 2.13.0 Release Candidate is available now!

Authentication Auto-Detection

ZAP can now automatically detect and configure itself to handle common authentication mechanisms.

How Should We Fund ZAP Development?

We would love to be able to make ZAP even better for you - your feedback on how that could be funded would be appreciated!

ZAP Updates 2023 January

The January 2023 updates including authentication improvements and future plans.

Authentication Help

Handling authentication in automation is hard, but help is on its way.

2022 in Review

A summary of everything ZAP related that happened in 2022.

ZAP Updates 2022 September

The September 2022 updates, including our new Platinum Supporter - Jit, GSoC 2022 success, more news on the forthcoming 2.12.0 release, and no less than 31 add-on updates!

ZAP Updates 2022 August

All of the things that have been happening related to ZAP in August 2022.

ZAP History: 2009 - Paros Proxy

I’ve always had side projects but at that time I had never contributed to open source. I decided it was a good time to start contributing, so I looked around for an open source security tool with an active community.

Unfortunately I couldn’t find one.

OWASP had WebScarab, but I didn’t really get on with that, and in any case development on that seemed to have stopped. The tool I most liked was called Paros Proxy - it was simple, effective and did what I needed. It was also written in Java so it wasn’t long before I pulled it into Eclipse and started making some tweaks.

ZAP History: 2009 - The Pentest

In 2009 I was a Java developer / team leader and led a small team which developed an online service for a major accounting software company.

As this service was considered to be security critical I insisted that an external pentest team was hired to ensure the software was suitably secure. To be honest I wasn’t too worried as we had seriously considered security throughout the process so I was fairly confident that the report would just show what a good job we had done.

ZAP History: 2010 - Andiparos

While I was still finalising the first ZAP release someone else beat me to it 😟.

After years of being neglected, Paros was also forked by Axel Neumann who called his version AndiParos.

I’ll have to admit that I was very disheartened and seriously considered abandoning my plans for ZAP.

ZAP History: 2010 - Why the Name ZAP?

I find naming things hard. It is easier if the tool has a very specific purpose, but ZAP has lots of uses.

When I was a developer I always wrote command line scripts. If I thought I might need them again then I would call them something sensible, something that would help me find them again. But I also wrote one-off scripts that I knew I would never use again. I always ended up calling those scripts “zap” or “pow” - think of cartoons: “ZAP! POW!” I struggled with names for my fork of Paros Proxy and I kept on thinking of those two options.

ZAPCon 2022 Schedule is Now Live

I am excited to share that we’ve just released the speaker lineup and schedule for ZAPCon 2022! ZAPCon takes place on March 8-9, with one day of talks and one day of incredible workshops.

New ZAP Networking Layer

The ZAP Weekly and Live releases have an all new networking layer.

ZAP and Log4Shell

ZAP appears to be impacted by the Log4Shell vulnerability - CVE-2021-44228. We have released ZAP 2.11.1, which fixes the problem; this blog post gives more information and describes the impact on older versions of ZAP.

OWASP Outstanding Project 2021

ZAP has been awarded the 2021 Waspy Award for Outstanding Project, as selected by OWASP Members.

ZAP Telemetry Plans

We are planning to add telemetry to ZAP - data that will tell us more about how ZAP is being used. This blog post explains why we are planning on doing this, what data we plan to collect, what data we will definitely not collect, the benefits you can expect, and how you will be able to opt out of it.

ZAP 2.11.0

ZAP 2.11.0 (also known as the OWASP 20th anniversary release) is available now.

Major changes include:

Alert Tags

Alerts can now be tagged with arbitrary keys or key=value pairs - this can be done via the desktop GUI and the API.

Baseline Scan Changes

Important information for anyone who uses the baseline scan in the Live or Weekly Docker images.

Collecting Statistics for Open Source Projects

This blog post will show you how you can collect and publish statistics on your open source projects using free resources and open source scripts, based on the setup we have for ZAP.

ZAP Report Competition

Help us add modern, useful and stylish reports to ZAP - the competition is now open until October 1st 2021.

Sites Tree Modifiers

The Sites Tree is a key component of ZAP, and one whose purpose is often misunderstood. This blog post will explain why the Sites Tree is so important, how you can change it now and how you will be able to change it in the next ZAP release.

ZAP is Ten Years Old

On September 6th 2010 I posted this message to Bugtraq: Title - The Zed Attack Proxy (ZAP) version 1.0.0. From those very humble beginnings ZAP has now become what we believe is the world’s most frequently used web application scanner.

Is ZAP the World’s most Popular Web Scanner?

I’ve stated that ZAP is the world’s most popular free and open source web application scanner on stage at security conferences around the world for many years. No one has ever contradicted me so it must be true :)

However, I’ve started to wonder if ZAP is actually more popular than most, if not all, of the commercial scanners as well.

Dark Mode in the Weekly Release

We release ZAP every week: https://www.zaproxy.org/download/#weekly

We’re happy to announce that this week’s release includes the first steps towards an all new dark mode for the ZAP Desktop UI:

It’s early days - not all screens use suitable colours, but it should be mostly usable. To enable it in the weekly release:

The ZAP Blog has Moved

OK, OK, it’s been a long time since the last ZAP blog post. But we certainly have not been idle - since that last blog post we’ve published 3 full ZAP releases, well over 100 weekly releases and a shiny new web site: https://zaproxy.org/

Because we now have a new website we’ve decided to move our blog from https://zaproxy.blogspot.com/ to https://zaproxy.org/blog/. As part of that move all of the old blog posts have been moved to the new site and updated to fix some of the links that had broken.

ZAP Browser Launch

We have just released a new feature for ZAP that allows you to launch browsers from within ZAP. The browsers are automatically configured to proxy via ZAP and ignore certificate warnings, making it much easier for people to get started with ZAP as well as for more experienced users who want to use ZAP with a variety of browsers. You can install and use Browser Launch right now via the ZAP Marketplace, which can be accessed via the ‘Manage Add-ons’ button in ZAP:

Scanning APIs with ZAP

The previous ZAP blog post explained how you could Explore APIs with ZAP.
This blog post goes one step further, and explains how you can both explore and perform security scanning of APIs using ZAP from the command line.
This allows you to easily automate the scanning of your APIs.

Exploring APIs with ZAP

APIs can be challenging for security testing for a variety of reasons.
The first problem you will encounter is how to effectively explore an API - most APIs cannot be explored using browsing or standard spidering techniques.
However many APIs are described using technologies such as:

These standards define the API endpoints and can be imported into ZAP using 2 optional add-ons.

Introducing the JxBrowser add-on for ZAP

As modern web applications increase their reliance on JavaScript, security tools that do not understand JavaScript will not be able to work effectively with them. ZAP already has components like the Ajax Spider and DOM XSS scanner that work by launching browsers and controlling them via Selenium, and we are planning to make much more use of browsers in the future.

Announcing ZAP Unit Test Bounties

Unit tests are wonderful things, but they are painful to add to a mature project that doesn’t have enough of them. We would love to have more ZAP unit tests, and we are therefore launching a Unit Test Bounty program, where we pay for unit tests for specific areas of the ZAP codebase.

ZAP 2.5.0

ZAP 2.5.0 is now available.

This release contains a large number of enhancements and fixes which are detailed in the release notes.

API changes

There have been some API changes which are not backwards compatible, and these are the reason for the version change to 2.5. They are detailed in the release notes.
The API has also been extended to cover even more of the functionality in ZAP, including full access to the statistics.

ZAP Newsletter - 2016 March

Introduction

Welcome to the March newsletter, read on for some really good news, details of the new site level stats ZAP now supports and an introduction to scripting.

ZAP Newsletter - 2016 February

Introduction

Welcome to a slightly delayed February newsletter - we were holding on for some expected news that will now have to wait until next time ;)

ZAP Newsletter - 2016 January

Introduction

Happy New Year!
For the first newsletter of 2016 we have a special feature on a new vulnerability “XCOLD Information Leak” that caught the eye of one of our key contributors, how he found it and how you can use a new ZAP rule to detect it.

ZAP Newsletter - 2015 December

Introduction

Welcome to the second ZAP Newsletter.
And apologies for the delay - 2.4.3 took longer than expected, and last week I was away at a Mozilla work week.

ZAP Newsletter - 2015 November

Introduction

Welcome to the first monthly ZAP newsletter.
We plan to cover pretty much anything ZAP related in these newsletters, including newly created or updated add-ons, new features just implemented and 3rd party tools.
We also encourage contributions from people like yourself - see the last section for details.
Oh, and please let us know what you think of this newsletter via the Feedback Form!

ZAP Q&A Session - Tuesday 13th October 2015

The first online ZAP Q&A Session was held on Tuesday 13th October.

You can listen to a recording of the session here.

Please leave feedback via this Google Form.

Some links to resources mentioned in the session or related to the questions:

Note that you can download add-ons from within ZAP via the Marketplace.

ZAP as a Service (ZaaS)

At OWASP AppSec EU in Amsterdam this year I announced ZAP as a Service (ZaaS).
The slides are here and the video will hopefully be available soon.

The idea behind this development is to enhance ZAP so that it can be run in a ‘server’ mode.
This is different from the current ‘daemon’ mode in that it will be designed to be a long-running, highly scalable, distributed service accessed by multiple users with different roles.

Hacking ZAP #4 - Active scan rules

Welcome to a series of blog posts aimed at helping you “hack the ZAP source code”.
The previous post in this series is: Hacking ZAP #3 - Passive scan rules

Active scan rules are another relatively simple way to enhance ZAP. Active scan rules attack the server, and therefore are only run when explicitly invoked by the user. You should only use active scan rules against applications that you have permission to attack.
You can also write active scan rules dynamically using scripts, as we will see later in this series, but even then it’s very useful to understand some of the underlying concepts and the classes available to you.

Hacking ZAP #3 - Passive scan rules

Welcome to a series of blog posts aimed at helping you “hack the ZAP source code”.
The previous post in this series is: Hacking ZAP #2 - Getting Started

One of the easiest ways to enhance ZAP is to write new passive scan rules.
Passive scan rules are used to warn the user of potential vulnerabilities that can be detected passively - they are not allowed to make any new requests or manipulate the requests or responses in any way.
They typically run against all of the requests and responses that flow through ZAP.
Passive rules run in a separate background thread so that they have as little effect on performance as possible.

Hacking ZAP #1 - Why should you?

Welcome to a series of blog posts aimed at helping you “hack the ZAP source code”.

ZAP is an open source tool for finding vulnerabilities in web applications. It is the most active OWASP project and is very community focused - it probably has more contributors than any other web application security tool. It is being continually enhanced and, unusually for a security tool, has been translated into over 25 languages thanks to over 70 translators.
This series is designed to help newcomers dive head-first into the ZAP source code. However for this first blog post I thought I’d take a step back and give some reasons why you might want to change the ZAP source code in the first place.

ZAP 2.0.0 and the Google Summer of Code 2012 Projects

We are getting close to releasing the next major version of ZAP.

As there are so many changes we’ve decided to go to version 2.0.0 rather than 1.5, and some of the biggest changes have come about thanks to the Google Summer of Code (GSoC).

This is the first year in which ZAP has taken part in the GSoC, and it has been a resounding success.

ZAP Weekly Releases

I’ve been struggling with the question of ZAP releases.
We’ve made loads of enhancements to ZAP recently, and I want them to be available to as wide an audience as possible.
But I also want to make sure our ‘full’ releases remain as robust and stable as possible.
I want to get the next full release (2.0.0) out of the door asap, but I still want to get a load more features into it.

OWASP ZAP – the Firefox of web security tools

The OWASP Zed Attack Proxy (otherwise known as ZAP) is a free security tool which you can use to find security vulnerabilities in web applications. My name is Simon Bennetts, and I am the ZAP Project Leader; there is also an international group of volunteers who develop and support it. Future posts on this blog will describe the features that ZAP provides and how you can use them, but this post will concentrate on the philosophy behind ZAP. Some of the ideals that have driven ZAP are listed below and will be expanded upon in the rest of this post: