Last Posted Friday December 1, 2023
Improved modern web app handling and lots of videos.
Last Posted Monday November 20, 2023
How you can tell ZAP which technology your target uses, and why it can be a really good idea.
Last Posted Friday November 3, 2023
Introducing a new add-on which allows ZAP (and you) to see what is going on in the browser.
Last Posted Wednesday October 18, 2023
Want to find out as much info about a URL as possible really quickly? Then ZAPit!
Last Posted Thursday October 12, 2023
ZAP 2.14.0 has just been released, and adds support for Host Header Manipulation, ZAPit, API File Transfers, Graal JS Add-on Access, Postman collections, SBOMs, and more…
Last Posted Monday October 2, 2023
Both of our GSoC students completed their projects, and we started a new video series.
Last Posted Friday September 15, 2023
We have just started a new series of videos called ZAP Chat which focus on ZAP features, new and old.
Last Posted Friday September 1, 2023
August 2023 was a big change for us!
Last Posted Tuesday August 29, 2023
We want your input on what we should focus on as part of ZAP development.
Last Posted Monday August 21, 2023
You can now install ZAP via winget - the Windows Package Manager
Last Posted Tuesday August 1, 2023
I’m delighted to announce that ZAP is joining the new Software Security Project (SSP) as one of the founding projects. This does however mean we are leaving OWASP.
Last Posted Wednesday July 12, 2023
ZAP 2.13.0 has just been released, and adds support for HTTP/2, improved authentication handling and Mac Silicon.
Last Posted Tuesday May 23, 2023
There is now a really easy way to check if ZAP can handle your app’s authentication.
Last Posted Wednesday May 3, 2023
April 2023 updates - the ZAP 2.13.0 Release Candidate is available now!
Last Posted Tuesday May 2, 2023
ZAP can now automatically detect and configure itself to handle common authentication mechanisms.
Last Posted Thursday March 9, 2023
We would love to be able to make ZAP even better for you - your feedback on how that could be funded would be appreciated!
Last Posted Thursday February 2, 2023
The January 2023 updates including authentication improvements and future plans.
Last Posted Wednesday February 1, 2023
How to configure ZAP to handle complex authentication using Selenium.
Last Posted Thursday January 19, 2023
Handling authentication in automation is hard, but help is on its way.
Last Posted Tuesday January 3, 2023
A summary of everything ZAP related that happened in 2022.
Last Posted Saturday December 24, 2022
A reply to an excellent blog series from Secure Ideas: Twelve Days of ZAPmas - ZAP impressions from a Burp user.
Last Posted Thursday December 1, 2022
The November 2022 updates, following the 2.12.0 release.
Last Posted Thursday November 3, 2022
See the data behind the most popular active scan rules every month
Last Posted Thursday October 27, 2022
ZAP 2.12.0 has just been released, and as the main zaproxy/zaproxy repo has just reached 10k stars we’re calling this the Ten Thousand Star Release
Last Posted Friday September 30, 2022
The September 2022 updates, including our new Platinum Supporter - Jit, GSoC 2022 success, more news on the forthcoming 2.12.0 release, and no less than 31 add-on updates!
Last Posted Wednesday September 14, 2022
Simon’s work on ZAP is now sponsored by Jit.
Last Posted Wednesday August 31, 2022
All of the things that have been happening related to ZAP in August 2022.
Last Posted Thursday July 21, 2022
I’ve always had side projects but at that time I had never contributed to open source. I decided it was a good time to start contributing, so I looked around for an open source security tool with an active community.
Unfortunately I couldn’t find one.
OWASP had WebScarab, but I didn’t really get on with that, and in any case development on that seemed to have stopped.
Last Posted Thursday July 21, 2022
In 2009 I was a Java developer / team leader and led a small team which developed an online service for a major accounting software company.
As this service was considered to be security critical I insisted that an external pentest team was hired to ensure the software was suitably secure.
Last Posted Thursday July 21, 2022
While I was still finalising the first ZAP release someone else beat me to it 😟.
After years of being neglected, Paros was also forked by Axel Neumann who called his version AndiParos.
I’ll have to admit that I was very disheartened and seriously considered abandoning my plans for ZAP.
Last Posted Thursday July 21, 2022
I find naming things hard. It is easier if the tool has a very specific purpose, but ZAP has lots of uses.
When I was a developer I always wrote command line scripts. If I thought I might need them again then I would call them something sensible, something that would help me find them again.
Last Posted Friday June 17, 2022
Has ZAP helped you? Now it is your turn to help ZAP.
Last Posted Tuesday May 10, 2022
An add-on aimed squarely at the pentesters.
Last Posted Monday April 4, 2022
How to detect Spring4Shell with the new Spring4Shell Alpha Active Scan Rule.
Last Posted Tuesday March 22, 2022
StackHawk has launched a $100,000 ZAP Fund dedicated to improving ZAP and the ZAP Community.
Last Posted Wednesday February 16, 2022
I am excited to share that we’ve just released the speaker lineup and schedule for the ZAPCon 2022! ZAPCon takes place on March 8-9, with one day of talks and one day of incredible workshops.
Last Posted Thursday February 10, 2022
The ZAP Weekly and Live releases have an all new networking layer.
Last Posted Friday December 17, 2021
ZAPCon is returning for its second year! The second annual ZAP user conference will take place on March 8, 2022 and the Call for Papers is open!
Last Posted Friday December 10, 2021
ZAP appears to be impacted by the Log4Shell vulnerability - CVE-2021-44228. We have released ZAP 2.11.1 which fixes the problem, this blog post gives more information and the impact on older versions of ZAP.
Last Posted Friday November 26, 2021
You can now launch your favourite browsers from ZAP with your favourite extensions.
Last Posted Wednesday November 24, 2021
ZAP has been awarded the 2021 Waspy Award for Outstanding Project, as selected by OWASP Members.
Last Posted Monday October 25, 2021
We are planning to add telemetry to ZAP - data that will tell us more about how ZAP is being used. This blog post explains why we are planning on doing this, what data we plan to collect, what data we will definitely not collect, the benefits you can expect, and how you will be able to opt out of it.
Last Posted Thursday October 7, 2021
ZAP 2.11.0 (also known as the OWASP 20th anniversary release) is available now.
Major changes include:
Alert Tags
Alerts can now be tagged with arbitrary keys or key=value pairs - this can be done via the desktop GUI and the API.
All of the active and passive scan rules have been updated to include tags for the OWASP Top 10 2021 and 2017.
Last Posted Tuesday June 29, 2021
The results of the Community Questionnaire which we ran during the first half of 2021.
Last Posted Tuesday June 15, 2021
Important information for anyone who uses the baseline scan in the Live or Weekly Docker images.
Last Posted Monday April 19, 2021
This blog post will show you how you can collect and publish statistics on your open source projects using free resources and open source scripts, based on the setup we have for ZAP.
Last Posted Friday March 12, 2021
Help us add modern, useful and stylish reports to ZAP - the competition is now open until October 1st 2021.
Last Posted Thursday March 4, 2021
Last Posted Wednesday February 3, 2021
You can access the ZAP Desktop even when it is running in Docker, and that means you do not have to install Java if you do not want to.
Last Posted Thursday January 28, 2021
Today we are calling for topics and speakers in the first-ever OWASP ZAP User Conference!
Last Posted Monday December 21, 2020
ZAP 2.10.0 has just been released so we’re treating this as a belated 10 year anniversary release!
Last Posted Tuesday September 22, 2020
The Sites Tree is a key component of ZAP, and one whose purpose is often misunderstood. This blog post will explain why the Sites Tree is so important, how you can change it now and how you will be able to change it in the next ZAP release.
Last Posted Sunday September 6, 2020
On September 6th 2010 I posted this message to Bugtraq: Title - The Zed Attack Proxy (ZAP) version 1.0.0. From those very humble beginnings ZAP has now become what we believe is the world’s most frequently used web application scanner.
Last Posted Thursday April 2, 2020
I’ve stated that ZAP is the world’s most popular free and open source web application scanner on stage at security conferences around the world for many years. No one has ever contradicted me so it must be true :)
However I’ve started to wonder if ZAP is actually more popular than most if not all of the commercial scanners as well?
Last Posted Wednesday March 4, 2020
We release ZAP every week: https://www.zaproxy.org/download/#weekly
We’re happy to announce that this week’s release includes the first steps towards an all new dark mode for the ZAP Desktop UI:
It’s early days - not all screens use suitable colours, but it should be mostly usable. To enable it in the weekly release:
Last Posted Monday March 2, 2020
OK, OK, it’s been a long time since the last ZAP blog post. But we certainly have not been idle - since that last blog post we’ve published 3 full ZAP releases, well over 100 weekly releases and a shiny new web site: https://zaproxy.org/
Because we now have a new website we’ve decided to move our blog from https://zaproxy.
Last Posted Tuesday August 22, 2017
We have just released a new feature for ZAP that allows you to launch browsers from within ZAP. The browsers are automatically configured to proxy via ZAP and ignore certificate warnings, making it much easier for people to get started with ZAP as well as for more experienced users who want to use ZAP with a variety of browsers.
Last Posted Monday June 19, 2017
The previous ZAP blog post explained how you could Explore APIs with ZAP.
This blog post goes one step further, and explains how you can both explore and perform security scanning of APIs using ZAP from the command line.
This allows you to easily automate the scanning of your APIs.
Last Posted Monday April 3, 2017
APIs can be challenging for security testing for a variety of reasons.
The first problem you will encounter is how to effectively explore an API - most APIs cannot be explored using browsing or standard spidering techniques.
However many APIs are described using technologies such as:
SOAP
OpenAPI / Swagger
These standards define the API endpoints and can be imported into ZAP using 2 optional add-ons.
Last Posted Monday February 6, 2017
As modern web applications are increasing their reliance on JavaScript, security tools that do not understand JavaScript will not be able to work effectively with them. ZAP already has components like the Ajax Spider and DOM XSS scanner that work by launching browsers and controlling them via Selenium, and we are planning to make much more use of browsers in the future.
Last Posted Monday August 22, 2016
Unit tests are wonderful things, but they are painful to add to a mature project that doesn’t have enough of them. We would love to have more ZAP unit tests, and we are therefore launching a Unit Test Bounty program, where we pay for unit tests for specific areas of the ZAP codebase.
Last Posted Friday June 3, 2016
ZAP 2.5.0 is now available.
This release contains a large number of enhancements and fixes which are detailed in the release notes.
API changes
There have been some API changes which are not backwards compatible, and the reason for the version change to 2.5. These are detailed in the release notes.
Last Posted Tuesday March 29, 2016
Introduction
Welcome to the March newsletter, read on for some really good news, details of the new site level stats ZAP now supports and an introduction to scripting.
News
The big news this month is that ZAP was voted the TOP free/open source security tool for 2015 by Toolswatch readers: https://www.
Last Posted Friday February 19, 2016
Introduction
Welcome to a slightly delayed February newsletter - we were holding on for some expected news that will now have to wait until next time ;)
News
We have started another user questionnaire. We ran one 2 years ago - the answers were very helpful and definitely shaped the direction ZAP is now taking.
Last Posted Monday January 4, 2016
Introduction
Happy New Year!
For the first newsletter of 2016 we have a special feature on a new vulnerability “XCOLD Information Leak” that caught the eye of one of our key contributors, how he found it and how you can use a new ZAP rule to detect it.
Last Posted Tuesday December 15, 2015
Introduction
Welcome to the second ZAP Newsletter.
And apologies for the delay - 2.4.3 took longer than expected, and last week I was away at a Mozilla work week.
News
The big news is that ZAP 2.4.3 is now available to download.
This is a development and bugfix release, for more details of all of the changes see the release notes.
Last Posted Monday November 2, 2015
Introduction
Welcome to the first monthly ZAP newsletter.
We plan to cover pretty much anything ZAP related in these newsletters, including newly created or updated add-ons, new features just implemented and 3rd party tools.
We also encourage contributions from people like yourself - see the last section for details.
Last Posted Tuesday October 6, 2015
The first online ZAP Q&A Session was held on Tuesday 13th October.
You can listen to a recording of the session here.
Please leave feedback via this Google Form.
Some links to resources mentioned in the session or related to the questions:
The DOM XSS add-on
The Context Alert Filters add-on
The Revisit add-on
The Access Control add-on
The vulnerabilities detected by ZAP
How to set up form based authentication
The community-scripts repo
Note that you can download add-ons from within ZAP via the Marketplace.
Last Posted Wednesday May 27, 2015
At OWASP AppSec EU in Amsterdam this year I announced ZAP as a Service (ZaaS).
The slides are here and the video will hopefully be available soon.
The idea behind this development is to enhance ZAP so that it can be run in a ‘server’ mode.
This is different to the current ‘daemon’ mode in that it will be designed to be a long running, highly scalable, distributed service accessed by multiple users with different roles.
Last Posted Wednesday April 30, 2014
Welcome to a series of blog posts aimed at helping you “hack the ZAP source code”.
The previous post in this series is: Hacking ZAP #3 - Passive scan rules
Active scan rules are another relatively simple way to enhance ZAP. Active scan rules attack the server, and therefore are only run when explicitly invoked by the user.
Last Posted Thursday April 3, 2014
Welcome to a series of blog posts aimed at helping you “hack the ZAP source code”.
The previous post in this series is: Hacking ZAP #2 - Getting Started
One of the easiest ways to enhance ZAP is to write new passive scan rules.
Passive scan rules are used to warn the user of potential vulnerabilities that can be detected passively - they are not allowed to make any new requests or manipulate the requests or responses in any way.
Last Posted Thursday March 20, 2014
Welcome to a series of blog posts aimed at helping you “hack the ZAP source code”.
The previous post in this series is: Hacking ZAP #1 - Why should you?
In order to change the ZAP source code you will need to set up a development environment.
Requirements
The following software is used/required to obtain and build ZAP (core) and the add-ons:
Last Posted Monday March 10, 2014
Welcome to a series of blog posts aimed at helping you “hack the ZAP source code”.
ZAP is an open source tool for finding vulnerabilities in web applications. It is the most active OWASP project and is very community focused - it probably has more contributors than any other web application security tool.
Last Posted Monday December 10, 2012
We are getting close to releasing the next major version of ZAP.
As there are so many changes we’ve decided to go to version 2.0.0 rather than 1.5, and some of the biggest changes have come about thanks to the Google Summer of Code (GSoC).
This is the first year in which ZAP has taken part in the GSoC, and it has been a resounding success.
Last Posted Monday October 22, 2012
I’ve been struggling with the question of ZAP releases.
We’ve made loads of enhancements to ZAP recently, and I want them to be available to as wide an audience as possible.
But I also want to make sure our ‘full’ releases remain as robust and stable as possible.
Last Posted Thursday September 13, 2012
The OWASP Zed Attack Proxy (otherwise known as ZAP) is a free security tool which you can use to find security vulnerabilities in web applications. My name is Simon Bennetts, and I am the ZAP Project Leader; there is also an international group of volunteers who develop and support it.