Introducing a new add-on which allows ZAP (and you) to see what is going on in the browser.
ZAP can now automatically detect and configure itself to handle common authentication mechanisms.
There is now a really easy way to check if ZAP can handle your app’s authentication.
April 2023 updates - the ZAP 2.13.0 Release Candidate is available now!
The January 2023 updates including authentication improvements and future plans.
How to configure ZAP to handle complex authentication using Selenium.
Handling authentication in automation is hard, but help is on its way.
A reply to an excellent blog series from Secure Ideas: Twelve Days of ZAPmas - ZAP impressions from a Burp user.
See the data behind the most popular active scan rules every month.
ZAP 2.12.0 has just been released, and as the main zaproxy/zaproxy repo has just reached 10k stars we’re calling this the Ten Thousand Star Release.
The September 2022 updates, including our new Platinum Supporter - Jit, GSoC 2022 success, more news on the forthcoming 2.12.0 release, and no less than 31 add-on updates!
Use ZAP as a web server, subscribe to internal ZAP events, and more!
All of the things that have been happening related to ZAP in August 2022.
How to solve the PortSwigger Lab: Username enumeration via account lock using ZAP scripts.
How to solve the PortSwigger Lab: 2FA Broken Logic using ZAP.
The OWASP Zed Attack Proxy (otherwise known as ZAP) is a free security tool which you can use to find security vulnerabilities in web applications. My name is Simon Bennetts, and I am the ZAP Project Leader; there is also an international group of volunteers who develop and support it. Future posts on this blog will describe the features that ZAP provides and how you can use them, but this post will concentrate on the philosophy behind ZAP. Some of the ideals that have driven ZAP are listed b...
I’ve been struggling with the question of ZAP releases. We’ve made loads of enhancements to ZAP recently, and I want them to be available to as wide an audience as possible. But I also want to make sure our ‘full’ releases remain as robust and stable as possible. I want to get the next full release (2.0.0) out of the door asap, but I still want to get a load more features into it.
We are getting close to releasing the next major version of ZAP. As there are so many changes we’ve decided to go to version 2.0.0 rather than 1.5, and some of the biggest changes have come about thanks to the Google Summer of Code (GSoC). This is the first year in which ZAP has taken part in the GSoC, and it has been a resounding success.
Welcome to a series of blog posts aimed at helping you “hack the ZAP source code”. ZAP is an open source tool for finding vulnerabilities in web applications. It is the most active OWASP project and is very community focused - it probably has more contributors than any other web application security tool. It is being continually enhanced and, unusually for a security tool, has been translated into over 25 languages thanks to over 70 translators. This series is designed to help newcomers d...
Welcome to a series of blog posts aimed at helping you “hack the ZAP source code”. The previous post in this series is: Hacking ZAP #1 - Why should you? In order to change the ZAP source code you will need to set up a development environment. Requirements: the following software is used/required to obtain and build ZAP (core) and the add-ons:
Welcome to a series of blog posts aimed at helping you “hack the ZAP source code”. The previous post in this series is: Hacking ZAP #2 - Getting Started. One of the easiest ways to enhance ZAP is to write new passive scan rules. Passive scan rules are used to warn the user of potential vulnerabilities that can be detected passively - they are not allowed to make any new requests or manipulate the requests or responses in any way. They typically run against all of the requests and responses...
Welcome to a series of blog posts aimed at helping you “hack the ZAP source code”. The previous post in this series is: Hacking ZAP #3 - Passive scan rules. Active scan rules are another relatively simple way to enhance ZAP. Active scan rules attack the server, and therefore are only run when explicitly invoked by the user. You should only use active scan rules against applications that you have permission to attack. You can also write active scan rules dynamically using scripts, as we wil...
At OWASP AppSec EU in Amsterdam this year I announced ZAP as a Service (ZaaS). The slides are here and the video will hopefully be available soon. The idea behind this development is to enhance ZAP so that it can be run in a ‘server’ mode. This is different to the current ‘daemon’ mode in that it will be designed to be a long running, highly scalable, distributed service accessed by multiple users with different roles.
The first online ZAP Q&A Session was held on Tuesday 13th October. You can listen to a recording of the session here. Please leave feedback via this Google Form. Some links to resources mentioned in the session or related to the questions: the DOM XSS add-on, the Context Alert Filters add-on, the Revisit add-on, the Access Control add-on, the vulnerabilities detected by ZAP, how to set up form based authentication, and the community-scripts repo. Note that you can download add-ons from within ZAP via th...
Introduction: Welcome to the first monthly ZAP newsletter. We plan to cover pretty much anything ZAP related in these newsletters, including newly created or updated add-ons, new features just implemented and 3rd party tools. We also encourage contributions from people like yourself - see the last section for details. Oh, and please let us know what you think of this newsletter via the Feedback Form!
Introduction: Welcome to the second ZAP Newsletter. And apologies for the delay - 2.4.3 took longer than expected, and last week I was away at a Mozilla work week.
Introduction: Happy New Year! For the first newsletter of 2016 we have a special feature on a new vulnerability “XCOLD Information Leak” that caught the eye of one of our key contributors, how he found it and how you can use a new ZAP rule to detect it.
Introduction: Welcome to a slightly delayed February newsletter - we were holding on for some expected news that will now have to wait until next time ;)
Introduction: Welcome to the March newsletter; read on for some really good news, details of the new site level stats ZAP now supports and an introduction to scripting.
ZAP 2.5.0 is now available. This release contains a large number of enhancements and fixes which are detailed in the release notes. API changes: there have been some API changes which are not backwards compatible, and these are the reason for the version change to 2.5. They are detailed in the release notes. The API has also been extended to cover even more of the functionality in ZAP, including full access to the statistics.
Unit tests are wonderful things, but they are painful to add to a mature project that doesn’t have enough of them. We would love to have more ZAP unit tests, and we are therefore launching a Unit Test Bounty program, where we pay for unit tests for specific areas of the ZAP codebase.
Using ZAP during the development process is now easier than ever. We are proud to present the Jenkins plugin, which extends the functionality of the ZAP security tool into a CI environment. The process explained: a Jenkins CI build step initializes ZAP; traffic flows (regression pack) through ZAP (web proxy); ZAP modifies requests to include vulnerability tests; the target application/server sends responses back through ZAP; ZAP sends reporting data back to Jenkins; Jenkins publishes and archives the repor...
As modern web applications are increasing their reliance on JavaScript, security tools that do not understand JavaScript will not be able to work effectively with them. ZAP already has components like the Ajax Spider and DOM XSS scanner that work by launching browsers and controlling them via Selenium, and we are planning to make much more use of browsers in the future.
APIs can be challenging for security testing for a variety of reasons. The first problem you will encounter is how to effectively explore an API - most APIs cannot be explored using browsing or standard spidering techniques. However, many APIs are described using technologies such as SOAP and OpenAPI / Swagger. These standards define the API endpoints and can be imported into ZAP using 2 optional add-ons.
The previous ZAP blog post explained how you could Explore APIs with ZAP. This blog post goes one step further, and explains how you can both explore and perform security scanning of APIs using ZAP from the command line. This allows you to easily automate the scanning of your APIs.
ZAP is the most popular free and open source web scanner, but maybe it's more popular than most/all commercial scanners too?
How the ZAP baseline scan and GitHub Actions can help automate security testing.
Now attack GraphQL endpoints with the new GraphQL add-on for ZAP.
Why the Sites Tree is so important to ZAP and how you will have much more control over it in ZAP 2.10.0.
Run ZAP without Java using Docker and Webswing.
Automate checking ASVS controls using ZAP scripts.
How we collect and publish statistics for ZAP.
How to use the ZAP FileUpload add-on for finding vulnerabilities in file upload functionality.
Introducing the OAST add-on for ZAP.
ZAP 2.11.0 (also known as the OWASP 20th anniversary release) is available now. Major changes include Alert Tags: alerts can now be tagged with arbitrary keys or key=value pairs - this can be done via the desktop GUI and the API.
We are planning to add telemetry to ZAP - data that will tell us more about how ZAP is being used. This blog post explains why we are planning on doing this, what data we plan to collect, what data we will definitely not collect, the benefits you can expect, and how you will be able to opt out of it.
You can now launch your favourite browsers from ZAP with your favourite extensions.
Eval Villain was recently added to the ZAP Marketplace. This add-on installs the Eval Villain web extension in Firefox and allows the inspection of arguments to arbitrary native JavaScript functions.
A walkthrough of using the new Log4Shell Alpha Active Scan rule with the ZAP Automation Framework.
The ZAP Weekly and Live releases have an all new networking layer.