OWASP ZAP – ZAP Marketplace

ZAP Marketplace contains ZAP add-ons which have been written by the ZAP team and the community. The add-ons help to extend the functionalities of ZAP. If you are using the latest version of ZAP then you can browse and download add-ons from within ZAP by clicking on this button in the toolbar:

add-ons button

You can also import the add-ons that you have downloaded manually via the “File / Load Add-on File…” menu option in the ZAP desktop.

Name	ID	Version	Status	Author	Last Updated
Access Control Testing Adds a set of tools for testing access control in web applications.	accessControl	8	alpha	ZAP Dev Team	2022-10-28
Active scanner rules The release status Active Scanner rules	ascanrules	49	release	ZAP Dev Team	2022-10-27
Active scanner rules (alpha) The alpha status Active Scanner rules	ascanrulesAlpha	41	alpha	ZAP Dev Team	2022-10-27
Active scanner rules (beta) The beta status Active Scanner rules	ascanrulesBeta	43	beta	ZAP Dev Team	2022-10-27
Advanced SQLInjection Scanner An advanced active injection bundle for SQLi (derived by SQLMap)	sqliplugin	15	beta	Andrea Pompili (Yhawke)	2021-10-20
Ajax Spider Allows you to spider sites that make heavy use of JavaScript using Crawljax	spiderAjax	23.10.0	release	ZAP Dev Team	2022-10-27
Alert Filters Allows you to automate the changing of alert risk levels.	alertFilters	14	release	ZAP Dev Team	2022-10-27
All In One Notes A simple extension to view all notes in one pane.	allinonenotes	2	alpha	David Vassallo	2021-10-07
AMF Support Adds support for AMF messages	amf	3	alpha	ZAP Dev Team	2021-10-07
Attack Surface Detector The Attack Surface Detector analyzes web application source code to generate endpoints that can be used for penetration testing.	attacksurfacedetector	1.1.4	alpha	Secure Decisions (Matthew DeLetto)	2019-03-07
Authentication Statistics Records logged in/out statistics for all contexts in scope.	authstats	2	alpha	ZAP Dev Team	2021-10-07
Automation Framework Automation Framework.	automation	0.19.0	beta	ZAP Dev Team	2022-10-27
BeanShell Console Provides a BeanShell Console	beanshell	7	beta	ZAP Dev Team	2021-10-07
Browser View Adds an option to render HTML responses like a browser	browserView	5	alpha	ZAP Dev Team	2017-11-28
Bug Tracker Bug Tracker extension.	bugtracker	4	alpha	ZAP Dev Team	2022-09-23
Call Graph Allows the user to view a call graph of the selected resources	callgraph	5	alpha	Colm O'Flaherty	2021-10-07
Call Home Handles all of the calls to ZAP services.	callhome	0.6.0	release	ZAP Dev Team	2022-12-02
Code Dx Extension Includes request and response data in XML reports and provides the ability to upload reports directly to a Code Dx server	codedx	9	alpha	Code Dx, Inc.	2021-10-07
Collection: Pentester Pack A collection of add-ons ideal for pentesters	packpentester	0.1.0	alpha	ZAP Dev Team	2022-05-12
Collection: Scan Rules Pack All of the add-ons just containing release, beta and alpha status scan rules	packscanrules	0.0.1	alpha	ZAP Dev Team	2022-05-13
Common Library A common library, for use by other add-ons.	commonlib	1.11.0	release	ZAP Dev Team	2022-10-27
Community Scripts Useful ZAP scripts written by the ZAP community.	communityScripts	15	alpha	ZAP Community	2022-10-02
Core Language Files Translations of the core language files	coreLang	15	release	ZAP Dev Team	2022-02-14
Custom Payloads Ability to add, edit or remove payloads that are used i.e. by active scanners	custompayloads	0.12.0	alpha	ZAP Dev Team	2022-09-23
Database Provides database engines and related infrastructure.	database	0.1.0	alpha	ZAP Dev Team	2022-10-27
Diff Displays a dialog showing the differences between 2 requests or responses. It uses diffutils and diff_match_patch	diff	12	beta	ZAP Dev Team	2022-10-27
Directory List v1.0 List of directory names to be used with Forced Browse or Fuzzer add-on.	directorylistv1	5	release	ZAP Dev Team	2021-10-06
Directory List v2.3 Lists of directory names to be used with Forced Browse or Fuzzer add-on.	directorylistv2_3	4	release	ZAP Dev Team	2021-10-07
Directory List v2.3 LC Lists of lower case directory names to be used with Forced Browse or Fuzzer add-on.	directorylistv2_3_lc	4	release	ZAP Dev Team	2021-10-07
DOM XSS Active scanner rule DOM XSS Active scanner rule	domxss	14	release	Aabha Biyani, ZAP Dev Team	2022-10-27
Encoder Adds encode/decode/hash dialog and support for scripted processors as well	encoder	0.7.0	beta	ZAP Dev Team	2022-10-27
Eval Villain Adds the Eval Villain extension to Firefox when launched from ZAP.	evalvillain	0.1.1	alpha	Dennis Goodlett and the ZAP Dev Team	2022-02-15
FileUpload Detect File upload requests and scan them to find related vulnerabilities	fileupload	1.1.0	alpha	KSASAN [email protected]	2021-09-17
Forced Browse Forced browsing of files and directories using code from the OWASP DirBuster tool	bruteforce	12	beta	ZAP Dev Team	2022-10-27
Form Handler This Form Handler Add-on allows a user to define field names and values to be used in a form's fields. Fields can be added, modified, enabled, and deleted for use in form fields.	formhandler	6.1.0	beta	ZAP Dev Team	2022-10-27
FuzzDB Files FuzzDB files which can be used with the ZAP fuzzer	fuzzdb	9	release	ZAP Dev Team	2022-09-23
FuzzDB Offensive FuzzDB web backdoors and attack files which can be used with the ZAP fuzzer or for manual penetration testing	fuzzdboffensive	4	release	ZAP Dev Team	2021-06-11
Fuzzer Advanced fuzzer for manual testing	fuzz	13.8.0	beta	ZAP Dev Team	2022-10-27
Getting Started with ZAP Guide A short Getting Started with ZAP Guide	gettingStarted	14	release	ZAP Dev Team	2022-10-27
GraalVM JavaScript Provides the GraalVM JavaScript engine for ZAP scripting.	graaljs	0.3.0	alpha	ZAP Dev Team	2022-10-27
GraphQL Support Inspect and attack GraphQL endpoints.	graphql	0.12.0	alpha	ZAP Dev Team	2022-11-17
Groovy Support Adds Groovy support to ZAP	groovy	3.1.0	beta	ZAP Dev Team	2021-10-07
Help - Arabic Arabic version of the ZAP help file.	help_ar_SA	1	alpha	ZAP Crowdin Team	2022-01-18
Help - Bosnian Bosnian version of the ZAP help file.	help_bs_BA	9	alpha	ZAP Crowdin Team	2018-02-08
Help - Chinese Simplified Chinese Simplified version of the ZAP help file.	help_zh_CN	3	beta	ZAP Crowdin Team	2022-01-18
Help - English English version of the ZAP help file.	help	15	release	ZAP Crowdin Team	2022-10-27
Help - Filipino Filipino version of the ZAP help file.	help_fil_PH	3	alpha	ZAP Crowdin Team	2022-01-18
Help - French French version of the ZAP help file.	help_fr_FR	10	alpha	ZAP Crowdin Team	2022-01-18
Help - Indonesian Indonesian version of the ZAP help file.	help_id_ID	3	beta	ZAP Crowdin Team	2022-01-18
Help - Japanese Japanese version of the ZAP help file.	help_ja_JP	10	beta	ZAP Crowdin Team	2022-01-18
Help - Malay Malay version of the ZAP help file.	help_ms_MY	1	alpha	ZAP Crowdin Team	2022-01-18
Help - Portuguese, Brazilian Portuguese, Brazilian version of the ZAP help file.	help_pt_BR	11	release	ZAP Crowdin Team	2022-01-18
Help - Russian Russian version of the ZAP help file.	help_ru_RU	2	release	ZAP Crowdin Team	2022-02-24
Help - Spanish Spanish version of the ZAP help file.	help_es_ES	10	release	ZAP Crowdin Team	2022-01-18
Help - Turkish Turkish version of the ZAP help file.	help_tr_TR	2	release	ZAP Crowdin Team	2022-01-18
Highlighter Allows you to highlight strings in the request and response tabs.	highlighter	8	alpha	ZAP Dev Team	2021-10-07
HUD - Heads Up Display Display information from ZAP in browser.	hud	0.15.0	beta	ZAP Dev Team	2022-10-27
Image Location and Privacy Scanner Image Location and Privacy Passive Scanner	imagelocationscanner	4	beta	Jay Ball (veggiespam) and the ZAP Dev Team	2022-09-23
Import/Export Import and Export functionality	exim	0.3.0	beta	ZAP Dev Team & thatsn0tmysite	2022-10-27
Invoke Applications Invoke external applications passing context related information such as URLs and parameters	invoke	12	beta	ZAP Dev Team	2022-10-27
JSON View Adds a view that shows JSON messages nicely formatted	jsonview	2	alpha	Juha Kivekäs	2021-10-07
JWT Support Detect JWT requests and scan them to find related vulnerabilities	jwt	1.0.2	alpha	KSASAN [email protected]	2022-01-22
Kotlin Support Allows Kotlin to be used for ZAP scripting	kotlin	1.1.0	alpha	StackHawk Engineering	2021-10-07
Levo.ai Build OpenAPI Specs with ZAP traffic using Levo.ai.	levoai	0.1.0	alpha	Levo.ai	2022-11-11
Linux WebDrivers Linux WebDrivers for Firefox and Chrome.	webdriverlinux	47	release	ZAP Dev Team	2022-12-01
MacOS WebDrivers MacOS WebDrivers for Firefox and Chrome.	webdrivermacos	48	release	ZAP Dev Team	2022-12-01
Neonmarker Colors history table items based on tags	neonmarker	1.5.0	alpha	Juha Kivekäs, Kingthorin	2022-07-11
Network Provides core networking capabilities.	network	0.5.0	beta	ZAP Dev Team	2022-11-09
OAST Support Allows you to exploit out-of-band vulnerabilities	oast	0.13.0	beta	ZAP Dev Team	2022-10-27
Online menus ZAP Online menu items	onlineMenu	10	release	ZAP Dev Team	2022-10-27
OpenAPI Support Imports and spiders OpenAPI definitions.	openapi	30	beta	ZAP Dev Team plus Joanna Bona, Nathalie Bouchahine, Artur Grzesica, Mohammad Kamar, Markus Kiss, Michal Materniak, Marcin Spiewak, and SDA SE Open Industry Solutions	2022-11-15
Parameter Digger Identify hidden, unlinked parameters. Useful for finding web cache poisoning vulnerabilities.	paramdigger	0.1.0	alpha	ZAP Dev Team and Arkaprabha Chakraborty	2022-08-22
Passive scanner rules The release status Passive Scanner rules	pscanrules	44	release	ZAP Dev Team	2022-10-27
Passive scanner rules (alpha) The alpha status Passive Scanner rules	pscanrulesAlpha	37	alpha	ZAP Dev Team	2022-10-27
Passive scanner rules (beta) The beta status Passive Scanner rules	pscanrulesBeta	31	beta	ZAP Dev Team	2022-10-27
Plug-n-Hack Configuration Supports the Mozilla Plug-n-Hack standard: https://developer.mozilla.org/en-US/docs/Plug-n-Hack.	plugnhack	13	beta	ZAP Dev Team	2022-10-27
Port Scanner Allows to port scan a target server	portscan	10	beta	ZAP Dev Team	2022-10-27
Python Scripting Allows Python to be used for ZAP scripting - templates included	jython	12	beta	ZAP Dev Team	2021-10-07
Quick Start Provides a tab which allows you to quickly test a target application	quickstart	35	release	ZAP Dev Team	2022-10-27
Reflect Finds reflected parameters	reflect	0.0.11	alpha	Caleb Kinney	2021-02-19
Regular Expression Tester Allows to test Regular Expressions	regextester	2	alpha	ZAP Dev Team	2021-10-07
Replacer Easy way to replace strings in requests and responses.	replacer	11	release	ZAP Dev Team	2022-10-27
Report Generation Official ZAP Reports.	reports	0.17.0	release	ZAP Dev Team	2022-11-22
Requester Allows to manually edit and send messages.	requester	7.0.0	beta	Surikato and the ZAP Dev Team	2022-10-27
Retest An add-on to retest for presence/absence of previously generated alerts.	retest	0.4.0	alpha	ZAP Dev Team	2022-10-27
Retire.js Retire.js	retire	0.18.0	release	Nikita Mundhada and the ZAP Dev Team	2022-12-02
Reveal Show hidden fields and enable disabled fields	reveal	5	release	ZAP Dev Team	2022-10-27
Revisit Revisit a site at any time in the past using the session history	revisit	4	alpha	ZAP Dev Team	2021-10-07
Ruby Scripting Allows Ruby to be used for ZAP scripting - templates included	jruby	8	beta	ZAP Dev Team	2021-10-07
SAML Support Detect, Show, Edit, Fuzz SAML requests	saml	10	alpha	ZAP Dev Team	2022-10-28
Script Console Supports all JSR 223 scripting languages	scripts	33	release	ZAP Dev Team	2022-10-27
Selenium WebDriver provider and includes HtmlUnit browser	selenium	15.11.0	release	ZAP Dev Team	2022-10-27
Sequence Gives the possibility of defining a sequence of requests to be scanned.	sequence	6	alpha	ZAP Dev Team	2021-10-07
Server-Sent Events Allows you to view Server-Sent Events (SSE) communication.	sse	12	alpha	ZAP Dev Team	2022-10-28
SOAP Support Imports and scans WSDL files containing SOAP endpoints.	soap	16	beta	Alberto (albertov91) + ZAP Dev Team	2022-11-17
Spider Spider used for automatically finding URIs on a site.	spider	0.1.0	release	ZAP Dev Team	2022-10-27
SVN Digger Files SVN Digger files which can be used with ZAP forced browsing	svndigger	4	release	ZAP Dev Team	2021-10-07
Tips and Tricks Display ZAP Tips and Tricks	tips	10	beta	ZAP Dev Team	2022-10-27
Token Generation and Analysis Allows you to generate and analyze pseudo random tokens, such as those used for session handling or CSRF protection	tokengen	15	beta	ZAP Dev Team	2021-10-07
TreeTools Tools to add functionality to the tree view.	treetools	8	beta	Carl Sampson	2021-10-07
ViewState ASP/JSF ViewState Decoder and Editor	viewstate	3	alpha	Calum Hutton	2021-10-07
Wappalyzer - Technology Detection Technology detection using Wappalyzer: wappalyzer.com	wappalyzer	21.16.0	release	ZAP Dev Team	2022-11-14
WebSockets Allows you to inspect WebSocket communication.	websocket	27	release	ZAP Dev Team	2022-10-27
Windows WebDrivers Windows WebDrivers for Firefox and Chrome.	webdriverwindows	47	release	ZAP Dev Team	2022-12-01
Zest - Graphical Security Scripting Language A graphical security scripting language, ZAPs macro language on steroids	zest	37	beta	ZAP Dev Team	2022-10-27