OWASP ZAP v2.14 released: finding vulnerabilities in web applications

The OWASP Zed Attack Proxy (ZAP) is easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing as well as being a useful addition to an experienced pen testers toolbox.

ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.

Some of ZAP’s features:

• Open source
• Cross-platform
• Easy to install (just requires java 1.7)
• Completely free (no paid for ‘Pro’ version)
• Ease of use a priority
• Comprehensive help pages
• Fully internationalized
• Translated into a dozen languages
• Community-based, with involvement, actively encouraged
• Under active development by an international team of volunteers

Some of ZAP’s functionality:

• Intercepting Proxy
• Traditional and AJAX spiders
• Automated scanner
• Passive scanner
• Forced browsing
• Fuzzer
• Dynamic SSL certificates
• Smartcard and Client Digital Certificates support
• Web sockets support
• Support for a wide range of scripting languages
• Plug-n-Hack support
• Authentication and session support
• Powerful REST-based API
• Automatic updating option
• Integrated and growing marketplace of add-ons

Changelog v2.14

Enhancements

• Issue 1926 : Remove Alerts for defined Context through ZAP API
• Issue 2189 : Enable/Disable Script Causes Save Prompt on Exit
• Issue 7607 : Allow to download/upload files through the ZAP API
• Issue 7951 : Validate API parameter names
• Issue 7984 : Allow to display script without focusing
• Issue 7988 : Use short name for home dir in Windows
• Issue 8012 : Move vulnerability data to Common Library add-on
• Issue 8033 : Add/use Log4j JUL adapter
• Issue 8040 : Add prompt text to search input fields
• Issue 8042 : Find: use focus owner
• Issue 8043 : Update Download Icon
• Issue 8050 : Allow to select a script node without focusing
• Issue 8067 : Allow to disable modification of multiple options
• Issue 8070 : Prevent concurrent usage of ZAP home
• Issue 8089 : Break: Allow host header manipulation
• Issue 8101 : Extend ScanEventPublisher to support params
• Issue 8109 : Make SBOM zip available via GUI, cmdline and API.
• Issue 8118 : Record config stats

Bug fixes

• Issue 7353 : Header `If-None-Match: *` removed for PUT requests
• Issue 7960 : Graal.js engine might fail to load/access add-on classes
• Issue 8013 : Use add-on class loader for interface from script
• Issue 8028 : Set the view to `ExtensionAdaptor` sooner
• Issue 8055 : Include country name for duplicated languages
• Issue 8068 : Use the current database body size values
• Issue 8111 : Raw HTML displayed in options panels for search matches

More…

Download

OWASP ZAP Tutorial

Copyright 2022 the ZAP Dev Team