ZAP Marketplace contains ZAP add-ons which have been written by the ZAP team and the community. The add-ons help to extend the functionalities of ZAP. If you are using the latest version of ZAP then you can browse and download add-ons from within ZAP by clicking on this button in the toolbar:
You can also import the add-ons that you have downloaded manually via the “File / Load Add-on File…” menu option in the ZAP desktop.
Name | Version | Status | Author | Last Updated |
---|---|---|---|---|
Access Control Testing
![]() ![]() Adds a set of tools for testing access control in web applications. |
6 | alpha | ZAP Dev Team | 2020-10-06 |
Active scanner rules
![]() ![]() The release quality Active Scanner rules |
38 | release | ZAP Dev Team | 2020-12-15 |
Active scanner rules (alpha)
![]() ![]() The alpha quality Active Scanner rules |
30 | alpha | ZAP Dev Team | 2020-11-27 |
Active scanner rules (beta)
![]() ![]() The beta quality Active Scanner rules |
33 | beta | ZAP Dev Team | 2020-12-15 |
Advanced SQLInjection Scanner
![]() ![]() An advanced active injection bundle for SQLi (derived by SQLMap) |
13 | beta | Andrea Pompili (Yhawke) | 2019-06-07 |
Ajax Spider
![]() ![]() Allows you to spider sites that make heavy use of JavaScript using Crawljax |
23.3.0 | release | ZAP Dev Team | 2021-03-09 |
Alert Filters
![]() ![]() Allows you to automate the changing of alert risk levels. |
10 | release | ZAP Dev Team | 2020-01-17 |
All In One Notes
![]() ![]() A simple extension to view all notes in one pane. |
1 | alpha | David Vassallo | 2019-06-18 |
AMF
![]() ![]() Adds support for AMF messages |
2 | alpha | ZAP Dev Team | 2017-11-28 |
Attack Surface Detector
![]() ![]() The Attack Surface Detector analyzes web application source code to generate endpoints that can be used for penetration testing. |
1.1.4 | alpha | Secure Decisions (Matthew DeLetto) | 2019-03-07 |
Authentication Statistics
![]() ![]() Records logged in/out statistics for all contexts in scope. |
1 | alpha | ZAP Core Team | 2017-11-28 |
Automation Framework
![]() ![]() Automation Framework. |
0.2.0 | alpha | ZAP Dev Team | 2021-04-12 |
BeanShell Console
![]() ![]() Provides a BeanShell Console |
6 | beta | ZAP Dev Team | 2017-11-27 |
Browser View
![]() ![]() Adds an option to render HTML responses like a browser |
5 | alpha | ZAP Dev Team | 2017-11-28 |
Bug Tracker
![]() ![]() Bug Tracker extension. |
2 | alpha | ZAP Dev Team | 2017-11-28 |
Call Graph
![]() ![]() Allows the user to view a call graph of the selected resources |
4 | alpha | Colm O'Flaherty | 2017-11-28 |
Code Dx Extension
![]() ![]() Includes request and response data in XML reports and provides the ability to upload reports directly to a Code Dx server |
8 | alpha | Code Dx, Inc. | 2019-08-23 |
Common Library
![]() ![]() A common library, for use by other add-ons. |
1.2.0 | release | ZAP Dev Team | 2020-12-15 |
Community Scripts
![]() ![]() Useful ZAP scripts written by the ZAP community. |
9 | alpha | ZAP Community | 2020-01-30 |
Custom Payloads
![]() ![]() Ability to add, edit or remove payloads that are used i.e. by active scanners |
0.9.0 | alpha | ZAP Core Team | 2019-10-31 |
CustomReport
![]() ![]() New HTML report module allows users to customize report content. |
6 | alpha | Chienli Ma | 2020-12-15 |
Diff
![]() ![]() Displays a dialog showing the differences between 2 requests or responses. It uses diffutils and diff_match_patch |
10 | beta | ZAP Dev Team | 2020-01-17 |
Directory List v1.0
![]() ![]() List of directory names to be used with Forced Browse or Fuzzer add-on. |
4 | release | ZAP Dev Team | 2020-01-17 |
Directory List v2.3
![]() ![]() Lists of directory names to be used with "Forced Browse" add-on. |
3 | release | ZAP Dev Team | 2017-11-27 |
Directory List v2.3 LC
![]() ![]() Lists of lower case directory names to be used with "Forced Browse" add-on. |
3 | release | ZAP Dev Team | 2017-11-27 |
DOM XSS Active scanner rule
![]() ![]() DOM XSS Active scanner rule |
10 | beta | Aabha Biyani, ZAP Dev Team | 2020-12-15 |
Encoder
![]() ![]() Adds encode/decode/hash dialog and support for scripted processors as well |
0.5.0 | beta | ZAP Dev Team | 2021-02-09 |
Export Report
![]() ![]() Report Export module that allows users to customize content and export in a desired format. |
7 | alpha | Goran Sarenkapa - JordanGS | 2020-12-15 |
Forced Browse
![]() ![]() Forced browsing of files and directories using code from the OWASP DirBuster tool |
10 | beta | ZAP Dev Team | 2020-12-15 |
Form Handler
![]() ![]() This Form Handler Add-on allows a user to define field names and values to be used in a form's fields. Fields can be added, modified, enabled, and deleted for use in form fields. |
3 | beta | ZAP Dev Team | 2020-12-15 |
FuzzDB Files
![]() ![]() FuzzDB files which can be used with the ZAP fuzzer |
7 | release | ZAP Dev Team | 2020-06-30 |
FuzzDB Offensive
![]() ![]() FuzzDB web backdoors and attack files which can be used with the ZAP fuzzer or for manual penetration testing |
3 | release | ZAP Dev Team | 2020-06-30 |
Fuzzer
![]() ![]() Advanced fuzzer for manual testing |
13.1.0 | beta | ZAP Dev Team | 2020-12-15 |
Getting Started with ZAP Guide
![]() ![]() A short Getting Started with ZAP Guide |
12 | release | ZAP Dev Team | 2020-12-15 |
GraalVM JavaScript
![]() ![]() Provides the GraalVM JavaScript engine for ZAP scripting. |
0.1.0 | alpha | ZAP Dev Team | 2020-11-17 |
GraphQL Support
![]() ![]() Inspect and attack GraphQL endpoints. |
0.3.0 | alpha | ZAP Dev Team | 2021-03-30 |
Groovy Support
![]() ![]() Adds Groovy support to ZAP |
3.0.0 | beta | ZAP Dev Team | 2020-12-15 |
Help - Bosnian
![]() Bosnian version of the ZAP help file. |
9 | alpha | ZAP Crowdin Team | 2018-02-08 |
Help - English
![]() ![]() English version of the ZAP help file. |
11 | release | ZAP Crowdin Team | 2020-12-16 |
Help - French
![]() French version of the ZAP help file. |
9 | alpha | ZAP Crowdin Team | 2018-02-08 |
Help - Japanese
![]() Japanese version of the ZAP help file. |
9 | beta | ZAP Crowdin Team | 2018-02-08 |
Help - Portuguese, Brazilian
![]() Portuguese, Brazilian version of the ZAP help file. |
10 | release | ZAP Crowdin Team | 2018-02-08 |
Help - Spanish
![]() Spanish version of the ZAP help file. |
9 | release | ZAP Crowdin Team | 2018-02-08 |
Help - Turkish
![]() Turkish version of the ZAP help file. |
1 | release | ZAP Crowdin Team | 2018-02-08 |
Help Chinese Simplified
![]() Chinese Simplified version of the ZAP help file. |
2 | beta | ZAP Crowdin Team | 2018-02-08 |
Help Filipino
![]() Filipino version of the ZAP help file. |
2 | alpha | ZAP Crowdin Team | 2018-02-08 |
Help Indonesian
![]() Indonesian version of the ZAP help file. |
2 | beta | ZAP Crowdin Team | 2018-02-08 |
Highlighter
![]() ![]() Allows you to highlight strings in the request and response tabs. |
7 | alpha | ZAP Dev Team | 2018-05-30 |
HttpsInfo
![]() ![]() Displays HTTPS configuration information. |
12 | alpha | ZAP Dev Team | 2019-04-26 |
HUD - Heads Up Display
![]() ![]() Display information from ZAP in browser. |
0.12.0 | beta | ZAP Dev Team | 2020-10-15 |
Image Location and Privacy Scanner
![]() ![]() Image Location and Privacy Passive Scanner |
2 | beta | Jay Ball (veggiespam) and the ZAP Dev Team | 2020-07-03 |
Import files containing URLs
![]() ![]() Adds an option to import a file of URLs. The file must be plain text with one URL per line. |
7 | beta | ZAP Dev Team | 2020-01-17 |
Invoke Applications
![]() ![]() Invoke external applications passing context related information such as URLs and parameters |
10 | beta | ZAP Dev Team | 2020-01-17 |
Json view
![]() ![]() Adds a view that shows JSON messages nicely formatted |
1 | alpha | Juha Kivekäs | 2018-02-08 |
JWT Support
![]() ![]() Detect JWT requests and scan them to find related vulnerabilities |
1.0.1 | alpha | KSASAN [email protected] | 2020-12-22 |
Kotlin Support
![]() ![]() Allows Kotlin to be used for ZAP scripting |
1.0.0 | alpha | StackHawk Engineering | 2020-09-14 |
Linux WebDrivers
![]() ![]() Linux WebDrivers for Firefox and Chrome. |
28 | release | ZAP Dev Team | 2021-04-15 |
Log File Importer
![]() ![]() Allows you to import log files from ModSecurity and files previously exported from ZAP |
4 | alpha | ZAP Dev Team | 2017-11-28 |
MacOS WebDrivers
![]() ![]() MacOS WebDrivers for Firefox and Chrome. |
27 | release | ZAP Dev Team | 2021-04-15 |
Neonmarker
![]() ![]() Colors history table items based on tags |
1.3.0 | alpha | Juha Kivekäs, Kingthorin | 2020-09-30 |
Online menus
![]() ![]() ZAP Online menu items |
8 | release | ZAP Dev Team | 2020-12-15 |
OpenAPI Support
![]() ![]() Imports and spiders OpenAPI definitions. |
18 | beta | ZAP Dev Team plus Joanna Bona, Nathalie Bouchahine, Artur Grzesica, Mohammad Kamar, Markus Kiss, Michal Materniak, Marcin Spiewak, and SDA SE Open Industry Solutions | 2021-03-09 |
Passive scanner rules
![]() ![]() The release quality Passive Scanner rules |
33 | release | ZAP Dev Team | 2021-01-29 |
Passive scanner rules (alpha)
![]() ![]() The alpha quality Passive Scanner rules |
30 | alpha | ZAP Dev Team | 2021-02-08 |
Passive scanner rules (beta)
![]() ![]() The beta quality Passive Scanner rules |
24 | beta | ZAP Dev Team | 2020-12-15 |
Plug-n-Hack Configuration
![]() ![]() Supports the Mozilla Plug-n-Hack standard: https://developer.mozilla.org/en-US/docs/Plug-n-Hack. |
11 | beta | ZAP Dev Team | 2017-11-27 |
Port Scanner
![]() ![]() Allows to port scan a target server |
8 | beta | ZAP Dev Team | 2017-11-27 |
Python Scripting
![]() ![]() Allows Python to be used for ZAP scripting - templates included |
11 | beta | ZAP Dev Team | 2020-12-15 |
Quick Start
![]() ![]() Provides a tab which allows you to quickly test a target application |
29 | release | ZAP Dev Team | 2020-12-15 |
Reflect
![]() Finds reflected parameters |
0.0.11 | alpha | Caleb Kinney | 2021-02-19 |
Regular Expression Tester
![]() ![]() Allows to test Regular Expressions |
1 | alpha | ZAP Dev Team | 2019-06-20 |
Replacer
![]() ![]() Easy way to replace strings in requests and responses. |
8 | beta | ZAP Dev Team | 2020-01-17 |
Report alert generator
![]() ![]() Allows you to generate reports for alerts you specify in pdf or odt format |
14 | beta | Talsoft SRL | 2017-11-27 |
Report Generation
![]() ![]() Official ZAP Reports. |
0.2.0 | alpha | ZAP Dev Team | 2021-04-12 |
Requester
![]() ![]() Request numbered panel. |
4 | alpha | Surikato | 2020-07-15 |
Retire.js
![]() ![]() Retire.js |
0.7.0 | release | Nikita Mundhada and the ZAP Dev Team | 2021-03-24 |
Reveal
![]() ![]() Show hidden fields and enable disabled fields |
3 | release | ZAP Dev Team | 2020-01-17 |
Revisit
![]() ![]() Revisit a site at any time in the past using the session history |
3 | alpha | ZAP Dev Team | 2017-11-28 |
Ruby Scripting
![]() ![]() Allows Ruby to be used for ZAP scripting - templates included |
7 | beta | ZAP Dev Team | 2020-12-15 |
SAML Extension
![]() ![]() Detect, Show, Edit, Fuzz SAML requests |
8 | alpha | ZAP Dev Team | 2019-08-30 |
Save Raw Message
![]() ![]() Allows to save content of HTTP messages as binary |
5 | release | ZAP Dev Team | 2020-01-17 |
Save XML Message
![]() ![]() Allows to save content of HTTP messages as XML |
0.1.0 | alpha | thatsn0tmysite | 2020-01-17 |
Script Console
![]() ![]() Supports all JSR 223 scripting languages |
28 | beta | ZAP Dev Team | 2020-12-18 |
Selenium
![]() ![]() WebDriver provider and includes HtmlUnit browser |
15.3.0 | release | ZAP Dev Team | 2020-12-15 |
Sequence
![]() ![]() Gives the possibility of defining a sequence of requests to be scanned. |
5 | alpha | ZAP Dev Team | 2017-11-28 |
Server-Sent Events
![]() ![]() Allows you to view Server-Sent Events (SSE) communication. |
9 | alpha | ZAP Dev Team | 2017-11-28 |
SOAP Support
![]() ![]() Imports and scans WSDL files containing SOAP endpoints. |
6 | alpha | Alberto (albertov91) + ZAP Dev Team | 2021-03-30 |
SVN Digger files
![]() ![]() SVN Digger files which can be used with ZAP forced browsing |
3 | beta | ZAP Dev Team | 2017-11-27 |
Tips and Tricks
![]() ![]() Display ZAP Tips and Tricks |
7 | beta | ZAP Dev Team | 2020-01-17 |
TLS Debug
![]() ![]() Provides a tab which allows to quickly debug a TLS/SSL connection |
4 | alpha | P.M.J. Roth | 2020-12-15 |
Token Generation and Analysis
![]() ![]() Allows you to generate and analyze pseudo random tokens, such as those used for session handling or CSRF protection |
14 | beta | ZAP Dev Team | 2020-12-15 |
TreeTools
![]() ![]() Tools to add functionality to the tree view. |
7 | beta | Carl Sampson | 2017-11-27 |
ViewState
![]() ![]() ASP/JSF ViewState Decoder and Editor |
2 | alpha | Calum Hutton | 2020-07-10 |
Wappalyzer - Technology Detection
![]() ![]() Technology detection using Wappalyzer: wappalyzer.com |
21.1.0 | release | ZAP Dev Team | 2021-03-03 |
WebSockets
![]() ![]() Allows you to inspect WebSocket communication. |
23 | release | ZAP Dev Team | 2020-12-18 |
Windows WebDrivers
![]() ![]() Windows WebDrivers for Firefox and Chrome. |
28 | release | ZAP Dev Team | 2021-04-15 |
Zest - Graphical Security Scripting Language
![]() ![]() A graphical security scripting language, ZAPs macro language on steroids |
33 | beta | ZAP Dev Team | 2020-11-27 |