The OWASP Zed Attack Proxy (ZAP) is an easy-to-use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing, as well as being a useful addition to an experienced pen tester's toolbox.

ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.

Some of ZAP’s features:

  • Open source
  • Cross-platform
  • Easy to install (just requires Java 1.7)
  • Completely free (no paid-for ‘Pro’ version)
  • Ease of use is a priority
  • Comprehensive help pages
  • Fully internationalized
  • Translated into a dozen languages
  • Community-based, with involvement actively encouraged
  • Under active development by an international team of volunteers

Some of ZAP’s functionality:

OWASP ZAP 2.7 has been released.

This is a bug fix and enhancement release, which requires a minimum of Java 8.

Some of the more significant enhancements include:

  • Browser launch included by default – this allows you to launch browsers from ZAP that are preconfigured to proxy through ZAP and ignore the certificate warnings due to the ZAP root certificate.
  • Allow ZAP to listen on multiple addresses/ports
  • Support Server Name Indication
  • Updated NTLM engine implementation – this fixes the cases where the domain is being validated and improves interoperability with other (server) NTLM implementations
  • Lots of new API endpoints – see below for details
  • More
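The API endpoints mentioned above are how ZAP is driven without its GUI, for example from a CI job that scans a staging deployment of your own application. The following is an added example, not code from the ZAP project or this page: a minimal client built on the standard library only. It assumes a ZAP instance listening on `127.0.0.1:8080` with an API key (the `ZAP_API_KEY` value and `staging.example` target are placeholders). The endpoint paths it uses (`core/view/version`, `spider/action/scan`, `spider/view/status`, `ascan/action/scan`, `ascan/view/status`, `core/view/alerts`) and the `X-ZAP-API-Key` header are ZAP's documented API; the alert JSON embedded below is a constructed sample used only to exercise the summary logic offline.

```python
import json
import time
import urllib.parse
import urllib.request
from collections import Counter

# Placeholders: point these at your own ZAP instance and your own application.
ZAP_BASE = "http://127.0.0.1:8080"
ZAP_API_KEY = "REPLACE_WITH_YOUR_ZAP_API_KEY"
TARGET = "http://staging.example/"

# Risk levels in ascending order, as ZAP reports them in the "risk" field.
RISK_ORDER = ["Informational", "Low", "Medium", "High"]


def build_api_url(base, component, kind, name, params=None):
    """Build a ZAP JSON API URL: <base>/JSON/<component>/<view|action>/<name>/?<params>."""
    path = f"/JSON/{component}/{kind}/{name}/"
    query = urllib.parse.urlencode(params or {})
    return base.rstrip("/") + path + (f"?{query}" if query else "")


def api_call(base, api_key, component, kind, name, params=None, timeout=30):
    """Perform one API request and return the decoded JSON body (network call)."""
    req = urllib.request.Request(build_api_url(base, component, kind, name, params))
    # Sending the key as a header keeps it out of proxy and server access logs.
    req.add_header("X-ZAP-API-Key", api_key)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


def summarize_alerts(alerts_json):
    """Count alerts per risk level from the core/view/alerts response body."""
    data = json.loads(alerts_json)
    by_risk = Counter(a.get("risk", "Unknown") for a in data.get("alerts", []))
    return dict(by_risk)


def should_fail_build(by_risk, threshold="Medium"):
    """True if any alert at or above the threshold risk level is present."""
    idx = RISK_ORDER.index(threshold)
    return any(by_risk.get(level, 0) > 0 for level in RISK_ORDER[idx:])


def wait_for_completion(base, api_key, component, scan_id, poll_seconds=5):
    """Poll <component>/view/status until ZAP reports 100 percent complete."""
    while True:
        status = api_call(base, api_key, component, "view", "status", {"scanId": scan_id})
        if int(status["status"]) >= 100:
            return
        time.sleep(poll_seconds)


def run_baseline_scan(base, api_key, target):
    """Spider, then actively scan, then return the alert summary for the target."""
    spider_id = api_call(base, api_key, "spider", "action", "scan", {"url": target})["scan"]
    wait_for_completion(base, api_key, "spider", spider_id)
    ascan_id = api_call(base, api_key, "ascan", "action", "scan",
                        {"url": target, "recurse": "true"})["scan"]
    wait_for_completion(base, api_key, "ascan", ascan_id)
    alerts = api_call(base, api_key, "core", "view", "alerts", {"baseurl": target})
    return summarize_alerts(json.dumps(alerts))


# Constructed sample of a core/view/alerts response, for offline demonstration only.
SAMPLE_ALERTS_JSON = json.dumps({"alerts": [
    {"alert": "SQL Injection", "risk": "High", "url": "http://staging.example/search"},
    {"alert": "Cross Site Scripting (Reflected)", "risk": "High", "url": "http://staging.example/q"},
    {"alert": "X-Frame-Options Header Not Set", "risk": "Medium", "url": "http://staging.example/"},
    {"alert": "Cookie Without Secure Flag", "risk": "Low", "url": "http://staging.example/login"},
]})


if __name__ == "__main__":
    # Offline part: summarise the constructed sample and apply the CI gate.
    summary = summarize_alerts(SAMPLE_ALERTS_JSON)
    print("sample summary:", summary, "fail build:", should_fail_build(summary))
    # Online part: requires a running ZAP instance at ZAP_BASE.
    print("ZAP version:", api_call(ZAP_BASE, ZAP_API_KEY, "core", "view", "version")["version"])
    print("live summary:", run_baseline_scan(ZAP_BASE, ZAP_API_KEY, TARGET))
```

The gate in `should_fail_build` is what turns a scan into a control: the job fails on Medium or higher findings, while Low and Informational results are recorded for review rather than blocking the pipeline.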


OWASP ZAP Tutorial

Copyright (C) yhawkethc202psiinon