ZAP Marketplace contains ZAP add-ons which have been written by the ZAP team and the community. The add-ons help to extend the functionalities of ZAP. If you are using the latest version of ZAP then you can browse and download add-ons from within ZAP by clicking on this button in the toolbar:
You can also import the add-ons that you have downloaded manually via the “File / Load Add-on File…” menu option in the ZAP desktop.
| Name | ID | Version | Status | Author | Last Updated |
|---|---|---|---|---|---|
Access Control Testing
Adds a set of tools for testing access control in web applications. |
accessControl | 10 | alpha | ZAP Dev Team | 2024-03-25 |
|
Active scanner rules
The release status Active Scanner rules |
ascanrules | 71 | release | ZAP Dev Team | 2025-03-04 |
|
Active scanner rules (alpha)
The alpha status Active Scanner rules |
ascanrulesAlpha | 48 | alpha | ZAP Dev Team | 2024-09-02 |
|
Active scanner rules (beta)
The beta status Active Scanner rules |
ascanrulesBeta | 58 | beta | ZAP Dev Team | 2025-03-04 |
|
Advanced SQLInjection Scanner
An advanced active injection bundle for SQLi (derived by SQLMap) |
sqliplugin | 16 | beta | Andrea Pompili (Yhawke) | 2025-04-30 |
|
Ajax Spider
Allows you to spider sites that make heavy use of JavaScript using Crawljax |
spiderAjax | 23.23.0 | release | ZAP Dev Team | 2025-03-25 |
|
Alert Filters
Allows you to automate the changing of alert risk levels. |
alertFilters | 23 | release | ZAP Dev Team | 2025-01-09 |
|
All In One Notes
A simple extension to view all notes in one pane. |
allinonenotes | 2 | alpha | David Vassallo | 2021-10-07 |
|
Attack Surface Detector
The Attack Surface Detector analyzes web application source code to generate endpoints that can be used for penetration testing. |
attacksurfacedetector | 1.1.4 | alpha | Secure Decisions (Matthew DeLetto) | 2019-03-07 |
|
Authentication Helper
Helps identify and set up authentication handling |
authhelper | 0.25.0 | beta | ZAP Dev Team | 2025-03-25 |
|
Authentication Statistics
Records logged in/out statistics for all contexts in scope. |
authstats | 2 | alpha | ZAP Dev Team | 2021-10-07 |
|
Automation Framework
Automation Framework. |
automation | 0.49.0 | beta | ZAP Dev Team | 2025-03-25 |
|
BeanShell Console
Provides a BeanShell Console |
beanshell | 7 | beta | ZAP Dev Team | 2021-10-07 |
|
Browser View
Adds an option to render HTML responses like a browser |
browserView | 6 | alpha | ZAP Dev Team | 2023-03-13 |
|
Bug Tracker
Bug Tracker extension. |
bugtracker | 4 | alpha | ZAP Dev Team | 2022-09-23 |
|
Call Graph
Allows the user to view a call graph of the selected resources |
callgraph | 5 | alpha | Colm O'Flaherty | 2021-10-07 |
|
Call Home
Handles all of the calls to ZAP services. |
callhome | 0.14.0 | release | ZAP Dev Team | 2025-01-09 |
|
Client Side Integration
Exposes client (browser) side information in ZAP using Firefox and Chrome extensions. |
client | 0.15.0 | alpha | ZAP Dev Team | 2025-03-25 |
|
Collection: Pentester Pack
A collection of add-ons ideal for pentesters |
packpentester | 0.1.0 | alpha | ZAP Dev Team | 2022-05-12 |
|
Collection: Scan Rules Pack
All of the add-ons just containing release, beta and alpha status scan rules |
packscanrules | 0.0.1 | alpha | ZAP Dev Team | 2022-05-13 |
|
Common Library
A common library, for use by other add-ons. |
commonlib | 1.32.0 | release | ZAP Dev Team | 2025-04-09 |
|
Community Scripts
Useful ZAP scripts written by the ZAP community. |
communityScripts | 19 | alpha | ZAP Community | 2024-07-01 |
|
Core Language Files
Translations of the core language files |
coreLang | 15 | release | ZAP Dev Team | 2022-02-14 |
|
Custom Payloads
Ability to add, edit or remove payloads that are used i.e. by active scanners |
custompayloads | 0.14.0 | release | ZAP Dev Team | 2025-01-15 |
|
Database
Provides database engines and related infrastructure. |
database | 0.8.0 | alpha | ZAP Dev Team | 2025-03-04 |
|
Dev Add-on
An add-on to help with development of ZAP. |
dev | 0.10.0 | alpha | ZAP Dev Team | 2025-05-15 |
|
Diff
Displays a dialog showing the differences between 2 requests or responses. It uses diffutils and diff_match_patch |
diff | 17 | beta | ZAP Dev Team | 2025-01-09 |
|
Directory List v1.0
List of directory names to be used with Forced Browse or Fuzzer add-on. |
directorylistv1 | 9 | release | ZAP Dev Team | 2025-01-09 |
|
Directory List v2.3
Lists of directory names to be used with Forced Browse or Fuzzer add-on. |
directorylistv2_3 | 4 | release | ZAP Dev Team | 2021-10-07 |
|
Directory List v2.3 LC
Lists of lower case directory names to be used with Forced Browse or Fuzzer add-on. |
directorylistv2_3_lc | 4 | release | ZAP Dev Team | 2021-10-07 |
|
DOM XSS Active scanner rule
DOM XSS Active scanner rule |
domxss | 21 | release | Aabha Biyani, ZAP Dev Team | 2025-01-09 |
|
Encoder
Adds encode/decode/hash dialog and support for scripted processors as well |
encoder | 1.6.0 | release | ZAP Dev Team | 2025-01-09 |
|
Eval Villain
Adds the Eval Villain extension to Firefox when launched from ZAP. |
evalvillain | 0.4.0 | alpha | Dennis Goodlett and the ZAP Dev Team | 2024-11-25 |
|
FileUpload
Detect File upload requests and scan them to find related vulnerabilities |
fileupload | 1.2.1 | alpha | KSASAN [email protected] | 2023-10-23 |
|
Forced Browse
Forced browsing of files and directories using code from the OWASP DirBuster tool |
bruteforce | 17 | beta | ZAP Dev Team | 2025-01-09 |
|
FuzzAI Files
FuzzAI files which can be used with the ZAP fuzzer |
fuzzai | 0.0.1 | release | ZAP Dev Team | 2024-09-24 |
|
FuzzDB Files
FuzzDB files which can be used with the ZAP fuzzer |
fuzzdb | 9 | release | ZAP Dev Team | 2022-09-23 |
|
FuzzDB Offensive
FuzzDB web backdoors and attack files which can be used with the ZAP fuzzer or for manual penetration testing - contains files that may well be flagged by anti-virus tools |
fuzzdboffensive | 5 | release | ZAP Dev Team | 2024-01-11 |
|
Fuzzer
Advanced fuzzer for manual testing |
fuzz | 13.15.0 | beta | ZAP Dev Team | 2025-01-09 |
|
Getting Started with ZAP Guide
A short Getting Started with ZAP Guide |
gettingStarted | 19 | release | ZAP Dev Team | 2025-01-09 |
|
GraalVM JavaScript
Provides the GraalVM JavaScript engine for ZAP scripting. |
graaljs | 0.9.0 | alpha | ZAP Dev Team | 2025-01-09 |
|
GraphQL Support
Inspect and attack GraphQL endpoints. |
graphql | 0.28.0 | alpha | ZAP Dev Team | 2025-03-26 |
|
Groovy Support
Adds Groovy support to ZAP |
groovy | 3.2.0 | beta | ZAP Dev Team | 2024-04-11 |
|
gRPC Support
Inspect, attack gRPC endpoints, and decode protobuf messages. |
grpc | 0.2.0 | alpha | ZAP Dev Team | 2024-07-02 |
|
Help - Arabic
Arabic version of the ZAP help file. |
help_ar_SA | 1 | alpha | ZAP Crowdin Team | 2022-01-18 |
|
Help - Bosnian
Bosnian version of the ZAP help file. |
help_bs_BA | 9 | alpha | ZAP Crowdin Team | 2018-02-08 |
|
Help - Chinese Simplified
Chinese Simplified version of the ZAP help file. |
help_zh_CN | 3 | beta | ZAP Crowdin Team | 2022-01-18 |
|
Help - English
English version of the ZAP help file. |
help | 20 | release | ZAP Crowdin Team | 2025-03-25 |
|
Help - Filipino
Filipino version of the ZAP help file. |
help_fil_PH | 3 | alpha | ZAP Crowdin Team | 2022-01-18 |
|
Help - French
French version of the ZAP help file. |
help_fr_FR | 10 | alpha | ZAP Crowdin Team | 2022-01-18 |
|
Help - Indonesian
Indonesian version of the ZAP help file. |
help_id_ID | 3 | beta | ZAP Crowdin Team | 2022-01-18 |
|
Help - Japanese
Japanese version of the ZAP help file. |
help_ja_JP | 10 | beta | ZAP Crowdin Team | 2022-01-18 |
|
Help - Malay
Malay version of the ZAP help file. |
help_ms_MY | 1 | alpha | ZAP Crowdin Team | 2022-01-18 |
|
Help - Portuguese, Brazilian
Portuguese, Brazilian version of the ZAP help file. |
help_pt_BR | 11 | release | ZAP Crowdin Team | 2022-01-18 |
|
Help - Russian
Russian version of the ZAP help file. |
help_ru_RU | 2 | release | ZAP Crowdin Team | 2022-02-24 |
|
Help - Spanish
Spanish version of the ZAP help file. |
help_es_ES | 10 | release | ZAP Crowdin Team | 2022-01-18 |
|
Help - Turkish
Turkish version of the ZAP help file. |
help_tr_TR | 2 | release | ZAP Crowdin Team | 2022-01-18 |
|
Highlighter
Allows you to highlight strings in the request and response tabs. |
highlighter | 8 | alpha | ZAP Dev Team | 2021-10-07 |
|
HUD - Heads Up Display
Display information from ZAP in browser. |
hud | 0.19.0 | beta | ZAP Dev Team | 2024-05-07 |
|
Image Location and Privacy Scanner
Image Location and Privacy Passive Scanner |
imagelocationscanner | 5 | beta | Jay Ball (veggiespam) and the ZAP Dev Team | 2024-04-11 |
|
Import/Export
Import and Export functionality |
exim | 0.14.0 | beta | ZAP Dev Team & thatsn0tmysite | 2025-03-25 |
|
Invoke Applications
Invoke external applications passing context related information such as URLs and parameters |
invoke | 16 | beta | ZAP Dev Team | 2025-01-09 |
|
JSON View
Adds a view that shows JSON messages nicely formatted |
jsonview | 3 | alpha | Juha Kivekäs | 2023-09-07 |
|
JWT Support
Detect JWT requests and scan them to find related vulnerabilities |
jwt | 1.0.3 | alpha | KSASAN [email protected] | 2023-01-02 |
|
Kotlin Support
Allows Kotlin to be used for ZAP scripting |
kotlin | 1.1.0 | alpha | StackHawk Engineering | 2021-10-07 |
|
Levo.ai
Build OpenAPI Specs with ZAP traffic using Levo.ai. |
levoai | 0.3.0 | alpha | Levo.ai | 2024-07-10 |
|
Linux WebDrivers
Linux WebDrivers for Firefox and Chrome. |
webdriverlinux | 140 | release | ZAP Dev Team | 2025-05-22 |
|
MacOS WebDrivers
MacOS WebDrivers for Firefox and Chrome. |
webdrivermacos | 140 | release | ZAP Dev Team | 2025-05-22 |
|
Map Local
Allows mapping of responses to content of a chosen local file. |
maplocal | 0.0.1 | alpha | Keindel (Andrey Maksimov) | 2023-10-05 |
|
Neonmarker
Colors history table items based on tags |
neonmarker | 1.8.0 | alpha | Juha Kivekäs, Kingthorin | 2025-02-14 |
|
Network
Provides core networking capabilities. |
network | 0.21.0 | beta | ZAP Dev Team | 2025-03-04 |
|
OAST Support
Allows you to exploit out-of-band vulnerabilities |
oast | 0.21.0 | beta | ZAP Dev Team | 2025-01-09 |
|
Online menus
ZAP Online menu items |
onlineMenu | 14 | release | ZAP Dev Team | 2025-01-09 |
|
OpenAPI Support
Imports and spiders OpenAPI definitions. |
openapi | 45 | beta | ZAP Dev Team plus Joanna Bona, Nathalie Bouchahine, Artur Grzesica, Mohammad Kamar, Markus Kiss, Michal Materniak, Marcin Spiewak, and SDA SE Open Industry Solutions | 2025-03-24 |
|
Parameter Digger
Identify hidden, unlinked parameters. Useful for finding web cache poisoning vulnerabilities. |
paramdigger | 0.3.0 | alpha | ZAP Dev Team and Arkaprabha Chakraborty | 2024-07-15 |
|
Passive Scanner
Provides core passive scanning capabilities. |
pscan | 0.2.1 | alpha | ZAP Dev Team | 2025-03-25 |
|
Passive scanner rules
The release status Passive Scanner rules |
pscanrules | 64 | release | ZAP Dev Team | 2025-03-25 |
|
Passive scanner rules (alpha)
The alpha status Passive Scanner rules |
pscanrulesAlpha | 44 | alpha | ZAP Dev Team | 2025-03-04 |
|
Passive scanner rules (beta)
The beta status Passive Scanner rules |
pscanrulesBeta | 43 | beta | ZAP Dev Team | 2025-03-04 |
|
Plug-n-Hack Configuration
Supports the Mozilla Plug-n-Hack standard: https://developer.mozilla.org/en-US/docs/Plug-n-Hack. |
plugnhack | 13 | beta | ZAP Dev Team | 2022-10-27 |
|
Postman Support
Imports and spiders Postman collections. |
postman | 0.6.0 | alpha | ZAP Dev Team | 2025-02-03 |
|
Python Scripting
Allows Python to be used for ZAP scripting - templates included |
jython | 15 | beta | ZAP Dev Team | 2024-04-11 |
|
Quick Start
Provides a tab which allows you to quickly test a target application |
quickstart | 51 | release | ZAP Dev Team | 2025-01-10 |
|
Reflect
Finds reflected parameters |
reflect | 0.0.11 | alpha | Caleb Kinney | 2021-02-19 |
|
Regular Expression Tester
Allows to test Regular Expressions |
regextester | 2 | alpha | ZAP Dev Team | 2021-10-07 |
|
Replacer
Easy way to replace strings in requests and responses. |
replacer | 20 | release | ZAP Dev Team | 2025-01-10 |
|
Report Generation
Official ZAP Reports. |
reports | 0.38.0 | release | ZAP Dev Team | 2025-03-04 |
|
Requester
Allows to manually edit and send messages. |
requester | 7.8.0 | beta | Surikato and the ZAP Dev Team | 2025-01-10 |
|
Retest
An add-on to retest for presence/absence of previously generated alerts. |
retest | 0.11.0 | alpha | ZAP Dev Team | 2025-01-10 |
|
Retire.js
Use Retire.js to identify vulnerable or out-dated JavaScript packages. |
retire | 0.46.0 | release | Nikita Mundhada and the ZAP Dev Team | 2025-03-13 |
|
Reveal
Show hidden fields and enable disabled fields |
reveal | 9 | release | ZAP Dev Team | 2025-01-10 |
|
Revisit
Revisit a site at any time in the past using the session history |
revisit | 5 | alpha | ZAP Dev Team | 2023-10-23 |
|
Ruby Scripting
Allows Ruby to be used for ZAP scripting - templates included |
jruby | 8 | beta | ZAP Dev Team | 2021-10-07 |
|
SAML Support
Detect, Show, Edit, Fuzz SAML requests |
saml | 10 | alpha | ZAP Dev Team | 2022-10-28 |
|
Scan Policies
A set of standard scan policies. |
scanpolicies | 0.2.0 | alpha | ZAP Dev Team | 2025-01-10 |
|
Script Console
Supports all JSR 223 scripting languages |
scripts | 45.11.0 | release | ZAP Dev Team | 2025-04-11 |
|
Selenium
WebDriver provider and includes HtmlUnit browser |
selenium | 15.36.0 | release | ZAP Dev Team | 2025-03-25 |
|
Sequence
Gives the possibility of defining a sequence of requests to be scanned. |
sequence | 8 | beta | ZAP Dev Team | 2025-01-10 |
|
Server-Sent Events
Allows you to view Server-Sent Events (SSE) communication. |
sse | 13 | alpha | ZAP Dev Team | 2024-05-21 |
|
SOAP Support
Imports and scans WSDL files containing SOAP endpoints. |
soap | 24 | beta | Alberto (albertov91) + ZAP Dev Team | 2025-01-10 |
|
Spider
Spider used for automatically finding URIs on a site. |
spider | 0.14.0 | release | ZAP Dev Team | 2025-03-25 |
|
SVN Digger Files
SVN Digger files which can be used with ZAP forced browsing |
svndigger | 4 | release | ZAP Dev Team | 2021-10-07 |
|
Technology Detection
Technology detection using various fingerprints and identifiers. |
wappalyzer | 21.45.0 | release | ZAP Dev Team | 2025-03-04 |
|
Tips and Tricks
Display ZAP Tips and Tricks |
tips | 14 | beta | ZAP Dev Team | 2025-01-10 |
|
Token Generation and Analysis
Allows you to generate and analyze pseudo random tokens, such as those used for session handling or CSRF protection |
tokengen | 15 | beta | ZAP Dev Team | 2021-10-07 |
|
TreeTools
Tools to add functionality to the tree view. |
treetools | 8 | beta | Carl Sampson | 2021-10-07 |
|
Value Generator
This Value Generator Add-on allows a user to define field names and values to be used when submitting values to an app. Fields can be added, modified, enabled/disabled, and deleted. |
formhandler | 6.7.0 | beta | ZAP Dev Team | 2025-01-09 |
|
ViewState
ASP/JSF ViewState Decoder and Editor |
viewstate | 3 | alpha | Calum Hutton | 2021-10-07 |
|
WebSockets
Allows you to inspect WebSocket communication. |
websocket | 32 | release | ZAP Dev Team | 2025-01-10 |
|
Windows WebDrivers
Windows WebDrivers for Firefox and Chrome. |
webdriverwindows | 140 | release | ZAP Dev Team | 2025-05-22 |
|
Zest - Graphical Security Scripting Language
A graphical security scripting language, ZAPs macro language on steroids |
zest | 48.6.0 | beta | ZAP Dev Team | 2025-05-20 |