The ZAP Blog

Automate Security Testing with ZAP and GitHub Actions

Thu Apr 9, 2020
With the increasing number of web application security breaches, it is essential to keep your web application secure at all times. Furthermore having security integrated into your CI/CD pipeline (DevSecOps) will become a lifesaver if you are actively developing the application. To cater to this need ZAP provides a baseline scan feature to find common security faults in a web application without doing any active attacks. GitHub Actions make it easier to automate how to scan and secure web applications at scale.

Is ZAP the World’s most Popular Web Scanner?

Thu Apr 2, 2020
I’ve stated that ZAP is the world’s most popular free and open source web application scanner on stage at security conferences around the world for many years. No one has ever contradicted me so it must be true :) However I’ve started to wonder if ZAP is actually more popular than most if not all of the commercial scanners as well? That is actually pretty hard to tell - ZAP is a free tool that anyone can download, so determining how many users we really have is difficult.

ZAP SSRF Setup

Mon Mar 9, 2020
Some vulnerabilities can only be found by sending payloads that cause a callback to the tester. One example is XXE vulnerabilities when the XML rendering result is not available to the user. ZAP can find these vulnerabilities that depend on SSRF detection but the target system needs to be able to reach the ZAP callback endpoint. In many cases the computer running ZAP is behind some kind of NAT and doesn’t have a public IP so it will not receive the expected callbacks and miss some of the existent vulnerabilities.

Dark Mode in the Weekly Release

Wed Mar 4, 2020
We release ZAP every week: https://www.zaproxy.org/download/#weekly We’re happy to announce that this week’s release includes the first steps towards an all new dark mode for the ZAP Desktop UI: It’s early days - not all screens use suitable colours, but it should be mostly usable. To enable it in the weekly release: Open up the ZAP Options Select the Display screen Select either ‘Flat Dark’ or ‘Flat Darcula’ Restart ZAP If you want to see the progress on fixing the known issues, or to report any more, have a look at this issue: https://github.

The ZAP Blog has Moved

Mon Mar 2, 2020
OK, OK, it's been a long time since the last ZAP blog post. But we certainly have not been idle - since that last blog post we've published 3 full ZAP releases, well over 100 weekly releases and a shiny new web site: https://zaproxy.org/ Because we now have a new website we've decided to move our blog from https://zaproxy.blogspot.com/ to https://zaproxy.org/blog/. As part of that move all of the old blog posts have been moved to the new site and updated to fix some of the links that had broken.

ZAP Browser Launch

Tue Aug 22, 2017
We have just released a new feature for ZAP that allows you to launch browsers from within ZAP. The browsers are automatically configured to proxy via ZAP and ignore certificate warnings, making it much easier for people to get started with ZAP as well as for more experienced users who want to use ZAP with a variety of browsers. You can install and use Browser Launch right now via the ZAP Marketplace, which can be accessed via the ‘Manage Add-ons’ button in ZAP:

Scanning APIs with ZAP

Mon Jun 19, 2017
The previous ZAP blog post explained how you could Explore APIs with ZAP. This blog post goes one step further, and explains how you can both explore and perform security scanning of APIs using ZAP from the command line. This allows you to easily automate the scanning of your APIs. Following the approach taken by the Baseline Scan we have introduced a new API scanning script which has only one dependency – Docker.

Exploring APIs with ZAP

Mon Apr 3, 2017
APIs can be challenging for security testing for a variety of reasons. The first problem you will encounter is how to effectively explore an API - most APIs cannot be explored using browsing or standard spidering techniques. However many APIs are described using technologies such as: SOAP OpenAPI / Swagger These standards define the API endpoints and can be imported into ZAP using 2 optional add-ons. Installing the add-ons In order to import the API definitions you will need to add the relevant add-ons from the ZAP Marketplace.

Introducing the JxBrowser add-on for ZAP

Mon Feb 6, 2017
As modern web applications are increasing their reliance on JavaScript, security tools that do not understand JavaScript will not be able to work effectively with them. ZAP already has components like the Ajax Spider and DOM XSS scanner that work by launching browsers and controlling them via Selenium, and we are planning to make much more use of browsers in the future. To that end we are planning on releasing a new ZAP add-on which will contain JxBrowser, a wrapper around Chromium.

Announcing the ZAP Jenkins Plugin

Tue Nov 22, 2016
Using ZAP during the development process is now easier than ever. We are proud to present the Jenkins plugin, it extends the functionality of the ZAP security tool into a CI Environment. The process explained A Jenkins CI Build step initializes ZAP Traffic flows (Regression Pack) through ZAP (Web Proxy) ZAP modifies requests to include Vulnerability Tests Target Application/Server sends Response back through ZAP ZAP sends reporting data back to Jenkins Jenkins publishes and archives the report(s) Jenkins creates JIRA tickets for the alerts The ZAP Jenkins plugin makes use of the readily available and diverse ZAP API, allowing you to use the same session files and scan policy profiles between ZAP and the Jenkins plugin, so they can be interchangeably loaded.

Announcing ZAP Unit Test Bounties

Mon Aug 22, 2016
Unit tests are wonderful things, but they are painful to add to a mature project that doesn’t have enough of them. We would love to have more ZAP unit tests, and we are therefore launching a Unit Test Bounty program, where we pay for unit tests for specific areas of the ZAP codebase. We are going to start with the passive scan rules (release and beta quality). These are all defined in the zap-extensions main packages:

ZAP 2.5.0

Fri Jun 3, 2016
ZAP 2.5.0 is now available. This release contains a large number of enhancements and fixes which are detailed in the release notes. API changes There have been some API changes which are not backwards compatible, and the reason for the version change to 2.5. These are detailed in the release notes. The API has also been extended to cover even more of the functionality in ZAP, including full access to the statistics.

ZAP Newsletter - 2016 March

Tue Mar 29, 2016
Introduction Welcome to the March newsletter, read on for some really good news, details of the new site level stats ZAP now supports and an introduction to scripting. News The big new this month is that ZAP was voted the TOP free/open source security tool for 2015 by Toolswatch readers: https://www.toolswatch.org/2016/02/2015-top-security-tools-as-voted-by-toolswatch-org-readers/ This is the second time we've come top and is a great validation of what we are doing. Thank you to all of you who voted for us!

ZAP Newsletter - 2016 February

Fri Feb 19, 2016
Introduction Welcome to a slightly delayed February newsletter - we were holding on for some expected news that will now have to wait until next time ;) News We have started another user questionnaire. We ran one 2 years ago - the answers were very helpful and definitely shaped the direction ZAP is now taking. So if you want your voice to be heard then please fill it in. Both OWASP and Mozilla will be applying to take part in Google Summer of Code this year.

ZAP Newsletter - 2016 January

Mon Jan 4, 2016
Introduction Happy New Year! For the first newsletter of 2016 we have a special feature on a new vulnerability “XCOLD Information Leak” that caught the eye of one of our key contributors, how he found it and how you can use a new ZAP rule to detect it. News Steve Springett (@stevespringett) has implemented a ZAP Sonar plugin which integrates ZAP into SonarQube v5.1 or higher. He’s also looking for anyone interested in maintaining this going forwards, so please have a play with it and get in touch with Steve and/or myself if you might be interested in keeping it going.

ZAP Newsletter - 2015 December

Tue Dec 15, 2015
Introduction Welcome to the second ZAP Newsletter. And apologies for the delay - 2.4.3 took longer than expected, and last week I was away at a Mozilla work week. News The big news is that ZAP 2.4.3 is now available to download. This is a development and bugfix release, for more details of all of the changes see the release notes. In other news, you can now buy ZAP stickers on StickerMule (UPDATE: no longer available).

ZAP Newsletter - 2015 November

Mon Nov 2, 2015
Introduction Welcome to the first monthly ZAP newsletter. We plan to cover pretty much anything ZAP related in these newsletters, including newly created or updated add-ons, new features just implemented and 3rd party tools. We also encourage contributions from people like yourself - see the last section for details. Oh, and please let us know what you think of this newsletter via the Feedback Form! News The big news this month is that we will be releasing ZAP 2.

ZAP Q&A Session - Tuesday 13th October 2015

Tue Oct 6, 2015
The first online ZAP Q&A Session was held on Tuesday 13th October. You can listen to a recording of the session here. Please leave feedback via this Google Form. Some links to resources mentioned in the session or related to the questions: The DOM XSS add-on The Context Alert Filters add-on The Revisit Add-on The Access Control add-on The vulnerabilities detected by ZAP How to set up form based authentication The community-scripts repo Note that you can download add-ons from within ZAP via the Marketplace.

ZAP as a Service (ZaaS)

Wed May 27, 2015
At OWASP AppSec EU in Amsterdam this year I announced ZAP as a Service (ZaaS). The slides are here and the video will hopefully be available soon. The idea behind this development is to enhance ZAP so that it can be run in a ‘server’ mode. This is different to the current ‘daemon’ mode in that it will be designed to be a long running, highly scalable, distributed service accessed by multiple users with different roles.

Alberto's GSoC 2014 Project for ZAP SOAP Scanner Add-On

Wed Sep 3, 2014
Hello everybody, my name is Alberto Verza, a 23 year student from Spain, and this summer I have participated in Google Summer of Code 2014. My project was the SOAP Scanner add-on for ZAP, in which I worked during all the Program. Let me explain you the features it includes. One of the interesting features this add-on provides is WSDL file scanning. Until now, ZAP could find these kind of files and it could even search URLs inside them, but further petitions to these URLs had not a valid SOAP format specified by the WSDL file.

Hacking ZAP #4 - Active scan rules

Wed Apr 30, 2014
Welcome to a series of blog posts aimed at helping you “hack the ZAP source code”. The previous post in this series is: Hacking ZAP #3 - Passive scan rules Active scan rules are another relatively simple way to enhance ZAP. Active scan rules attack the server, and therefore are only run when explicitly invoked by the user. You should only use active scan rules against applications that you have permission to attack.

Hacking ZAP #3 - Passive scan rules

Thu Apr 3, 2014
Welcome to a series of blog posts aimed at helping you “hack the ZAP source code”. The previous post in this series is: Hacking ZAP #2 - Getting Started One of the easiest ways to enhance ZAP is to write new passive scan rules. Passive scan rules are used to warn the user of potential vulnerabilities that can be detected passively - they are not allowed to make any new requests or manipulate the requests or responses in any way.

Hacking ZAP #2 - Getting Started

Thu Mar 20, 2014
Welcome to a series of blog posts aimed at helping you “hack the ZAP source code”. The previous post in this series is: Hacking ZAP #1 - Why should you? In order to change the ZAP source code you will need to set up a development environment. Requirements The following software is used/required to obtain and build ZAP (core) and the add-ons: A JDK (minimum version 8), for example, Zulu JDK or AdoptOpenJDK; Git, to obtain the source code; Gradle, to build the source code.

Hacking ZAP #1 - Why should you?

Mon Mar 10, 2014
Welcome to a series of blog posts aimed at helping you “hack the ZAP source code”. ZAP is an open source tool for finding vulnerabilities in web applications. It is the most active OWASP project and is very community focused - it probably has more contributors than any other web application security tool. It is being continually enhanced and, unusually for a security tool, has been translated into over 25 languages thanks to over 70 translators.

ZAP 2.0.0 and the Google Summer of Code 2012 Projects

Mon Dec 10, 2012
We are getting close to releasing the next major version of ZAP. As there are so many changes we've decided to go to version 2.0.0 rather than 1.5, and some of the biggest changes have come about thanks to the Google Summer of Code (GSoC). This is the first year in which ZAP has taken part in the GSoC, and it has been a resounding success. In this post I'll give you an overview of the 3 GSoC projects, and an easy way to try them out if you can't wait for the full release.

ZAP Weekly Releases

Mon Oct 22, 2012
I've been struggling with the question of ZAP releases. We've made loads of enhancements to ZAP recently, and I want them to be available to as wide an audience as possible. But I also want to make sure our ‘full’ releases remain as robust and stable as possible. I want to get the next full release (2.0.0) out of the door asap, but I still want to get a load more features into it.

OWASP ZAP – the Firefox of web security tools

Thu Sep 13, 2012
The OWASP Zed Attack Proxy (otherwise known as ZAP) is a free security tool which you can use to find security vulnerabilities in web applications. My name is Simon Bennetts, and I am the ZAP Project Leader; there is also an international group of volunteers who develop and support it. Future posts on this blog will describe the features that ZAP provides and how you can use them, but this post will concentrate on the philosophy behind ZAP.