OWASP ZAP w2023-09-18 released: finding vulnerabilities in web applications

The OWASP Zed Attack Proxy (ZAP) is easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing as well as being a useful addition to an experienced pen testers toolbox.

ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.

Some of ZAP’s features:

• Open source
• Cross-platform
• Easy to install (just requires java 1.7)
• Completely free (no paid for ‘Pro’ version)
• Ease of use a priority
• Comprehensive help pages
• Fully internationalized
• Translated into a dozen languages
• Community-based, with involvement, actively encouraged
• Under active development by an international team of volunteers

Some of ZAP’s functionality:

• Intercepting Proxy
• Traditional and AJAX spiders
• Automated scanner
• Passive scanner
• Forced browsing
• Fuzzer
• Dynamic SSL certificates
• Smartcard and Client Digital Certificates support
• Web sockets support
• Support for a wide range of scripting languages
• Plug-n-Hack support
• Authentication and session support
• Powerful REST-based API
• Automatic updating option
• Integrated and growing marketplace of add-ons

Changelog v2.13

Some of the more significant enhancements include:

HTTP/2 Support

HTTP/2 is now supported, with no configuration changes required.

If you proxy HTTP/2 traffic through ZAP then ZAP will make the same HTTP/2 requests to the target. Any tools that work on proxied requests will also automatically use HTTP/2.

Improved Authentication Handling

ZAP authentication handling has been significantly overhauled, and ZAP can now auto-authenticate to many web apps by just supplying the URL of the login page along with the credentials.

Mac Silicon Support

Mac Silicon is now supported via a new installer and in the Docker images.

GitHub Container Registry

As explained in this blog post the ZAP Docker images are now also available in the GitHub Container Registry.

This may well be a better alternative for many users as, unlike Docker Hub, there is currently no rate limiting on pulls.

Default Threads

All of the “attack” tools which use threading, including both spiders and active scanner, have been changed to use 2x the number of processors as the default number of threads. Using more threads has been shown to significantly reduce the time the scanners take to run.

Network Rate Limiting

The Network add-on now supports a rate limiting feature which allows you to limit the request rate of HTTP/HTTPS (not web sockets) traffic to hosts or domains to prevent overloading the target or being blocked. For more details see the Rate Limit help page.

Note that the Active Scan Delay When Scanning feature has been deprecated and will be removed in a future release.

Network Global Exclusions

The Global Exclusions functionality has been moved to the Network add-on. This will allow us to update it more easily to keep up with browser changes.

Scan Rule Promotions

The following Active scan rules have been promoted to Release status:

• Log4Shell
• Spring Actuator Information Leak
• Spring4Shell
• Server Side Template Injection
• Server Side Template Injection (Blind)
• XPath Injection

The following Active scan rules have been promoted to Beta status (and will therefore now be included in the Packaged scans):

• Server Side Request Forgery
• Text4shell (CVE-2022-42889)

The following Passive scan rules have been promoted to Beta status (and will therefore now be included in the Packaged scans):

• Insufficient Site Isolation Against Spectre Vulnerability
• Source Code Disclosure

Dependency Updates

As usual the release includes dependency updates.

The Selenium add-on has been updated to use the Selenium v4 library. One benefit this brings is that the output from browsers will no longer be shown in the ZAP output – this has been confusing to many people and has not provided any real benefit.

If you have any custom code that directly accesses Selenium classes then you may need to update it.

The following libraries were updated:

• Commons Codec, 1.15 → 1.16.0
• Commons CSV, 1.9.0 → 1.10.0
• Commons IO, 2.11.0 → 2.13.0
• Flatlaf 2.6 → 3.1.1
• HSQLDB, 2.7.1 → 2.7.2
• JFreeChart, 1.5.3 → 1.5.4
• Log4j 2, 2.19.0 → 2.20.0
• RSyntaxTextArea, 3.3.0 → 3.3.3
• XOM, 1.3.8 → 1.3.9

More…

Download

OWASP ZAP Tutorial

Copyright 2022 the ZAP Dev Team