The ZAP Blog

ZAP Updates 2022 November

Posted 900 Words
The November 2022 updates, following the 2.12.0 release.

ZAP Updates 2022 September

Posted 1716 Words
The September 2022 updates, including our new Platinum Supporter - Jit, GSoC 2022 success, more news on the forthcoming 2.12.0 release, and no less than 31 add-on updates!

Hacking ZAP - ZAP Extender Scripts

Posted 658 Words
An overview of ZAP Extender scripts with examples. Use ZAP as a web server, subscribe to internal ZAP events, and more!

ZAP Updates 2022 August

Posted 1027 Words
All of the things that have been happening related to ZAP in August 2022.

Spider News

Posted 559 Words
News about changes to the Traditional Spider for the up-coming release.

The Requester Add-on

Posted 196 Words
An add-on aimed squarely at pentesters.

The StackHawk ZAP Fund

Posted 444 Words
StackHawk has launched a $100,000 ZAP Fund dedicated to improving ZAP and the ZAP Community.

ZAPCon 2022 Schedule is Now Live

Posted 236 Words
I am excited to share that we’ve just released the speaker lineup and schedule for the ZAPCon 2022! ZAPCon takes place on March 8-9, with one day of talks and one day of incredible workshops.

New ZAP Networking Layer

Posted 427 Words
The ZAP Weekly and Live releases have an all new networking layer.

Log4Shell Detection with ZAP

Posted 1081 Words
A walkthrough of using the new Log4Shell Alpha Active Scan rule with the ZAP Automation Framework.

ZAP and Log4Shell

Posted 300 Words
ZAP appears to be impacted by the Log4Shell vulnerability - CVE-2021-44228. We have released ZAP 2.11.1 which fixes the problem; this blog post gives more information and describes the impact on older versions of ZAP.

The Eval Villain Add-on

Posted 1560 Words
Eval Villain was recently added to the ZAP Marketplace. This add-on installs the Eval Villain web extension in Firefox and allows the inspection of arguments to arbitrary native JavaScript functions.

OWASP Outstanding Project 2021

Posted 86 Words
ZAP has been awarded the 2021 Waspy Award for Outstanding Project, as selected by OWASP Members.

ZAP Telemetry Plans

Posted 591 Words
We are planning to add telemetry to ZAP - data that will tell us more about how ZAP is being used. This blog post explains why we are planning on doing this, what data we plan to collect, what data we will definitely not collect, the benefits you can expect, and how you will be able to opt out of it.

ZAP 2.11.0

Posted 490 Words
ZAP 2.11.0 (also known as the OWASP 20th anniversary release) is available now. Major changes include Alert Tags: alerts can now be tagged with arbitrary keys or key=value pairs, via the desktop GUI and the API, and all of the active and passive scan rules have been updated to include tags for the OWASP Top 10 2021 and 2017.

Retesting alerts with OWASP ZAP

Posted 788 Words
An overview of the features of the Retest add-on for OWASP ZAP. This add-on allows you to retest for previously generated alerts.

ZAP FileUpload Add-on

Posted 610 Words
Overview: File upload is becoming a more and more essential part of any application, where the user is able to upload their photo, their CV, or a video showcasing a project they are working on. The application should be able to fend off bogus and malicious files in a way that keeps the application and its users safe.

Community Questionnaire Results

Posted 1305 Words
The results of the Community Questionnaire which we ran during the first half of 2021.

Baseline Scan Changes

Posted 831 Words
Important information for anyone who uses the baseline scan in the Live or Weekly Docker images.

Collecting Statistics for Open Source Projects

Posted 1841 Words
This blog post will show you how you can collect and publish statistics on your open source projects using free resources and open source scripts, based on the setup we have for ZAP.

ZAP 2.10 Features

Posted 939 Words
Do you know what interesting bits were added to ZAP 2.10.0? Don’t read release notes? This blog post is for you! Dark mode, Expand/Collapse top panes, Custom pages, Scriptable encode/decode/hash, Authentication polling, Auth header via ENV vars, Site tree control, and more.

ZAP Report Competition

Posted 1068 Words
Help us add modern, useful and stylish reports to ZAP - the competition is now open until October 1st 2021.

1st Ever ZAPCon - Call For Papers

Posted 185 Words
Today we are calling for topics and speakers in the first-ever OWASP ZAP User Conference!

Sites Tree Modifiers

Posted 1169 Words
The Sites Tree is a key component of ZAP, and one whose purpose is often misunderstood. This blog post will explain why the Sites Tree is so important, how you can change it now and how you will be able to change it in the next ZAP release.

ZAP Tags

Posted 282 Words
How to give some colours to ZAP’s History tab. An introduction to passive scanning tags, its use cases, and the Neonmarker add-on.

ZAP is Ten Years Old

Posted 490 Words
On September 6th 2010 I posted this message to Bugtraq: Title - The Zed Attack Proxy (ZAP) version 1.0.0. From those very humble beginnings ZAP has now become what we believe is the world’s most frequently used web application scanner.

ZAP JWT Support Add-on

Posted 423 Words
With the popularity of JSON Web Tokens (JWTs) comes the need to secure their use, so that they are not misused because of bad configuration, older libraries, or buggy implementations. The JWT Support add-on finds such vulnerabilities, and this blog post explains how to use it.
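To make the three failure modes above concrete, here is an added example (not code from the JWT Support add-on or any ZAP project code) that audits an HS256 token the way a scanner would: it flags unsigned (alg=none) tokens, missing or past expiry, and an HMAC secret that can be recovered from a small dictionary. The tokens, the wordlist and the secrets are all constructed for the demo and are assumptions, not real credentials.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed wordlist standing in for the small dictionary a scanner would try.
WEAK_SECRETS = ["password", "secret", "changeme", "jwtsecret"]


def b64url_decode(data: str) -> bytes:
    # JWT segments are unpadded base64url; restore the padding before decoding.
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_jwt(claims: dict, secret: str = "", alg: str = "HS256") -> str:
    """Build a demo token: HS256-signed, or an unsigned 'none' token."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode()
    if alg == "none":
        return f"{header}.{payload}."
    sig = hmac.new(secret.encode(), signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def parse_jwt(token: str):
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("a JWS compact token has exactly three dot-separated segments")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    return header, payload, parts


def audit_jwt(token: str, wordlist=WEAK_SECRETS, now=None) -> list:
    """Return a list of findings; an empty list means none of these checks fired."""
    now = time.time() if now is None else now
    header, payload, parts = parse_jwt(token)
    alg = str(header.get("alg", ""))
    findings = []

    # 1. Unsigned tokens: alg=none, or an empty signature segment the server might accept.
    if alg.lower() == "none" or parts[2] == "":
        findings.append("unsigned token (alg=none or empty signature): claims can be forged")

    # 2. Lifetime: no exp means the token never expires; a past exp must be rejected.
    if "exp" not in payload:
        findings.append("no exp claim: token never expires")
    elif payload["exp"] < now:
        findings.append("token is expired (exp in the past)")

    # 3. Weak HMAC secret: if a dictionary word reproduces the signature, anyone can mint tokens.
    if alg.upper() == "HS256":
        signing_input = f"{parts[0]}.{parts[1]}".encode()
        sig = b64url_decode(parts[2])
        for candidate in wordlist:
            expected = hmac.new(candidate.encode(), signing_input, hashlib.sha256).digest()
            if hmac.compare_digest(expected, sig):
                findings.append(f"HS256 secret recovered from wordlist: {candidate!r}")
                break
    return findings


# Constructed sample tokens: one signed with a guessable secret and no expiry,
# one unsigned, and one well-formed token that passes all three checks.
WEAK_TOKEN = make_jwt({"sub": "alice", "role": "user"}, secret="secret")
NONE_TOKEN = make_jwt({"sub": "alice", "role": "admin"}, alg="none")
OK_TOKEN = make_jwt({"sub": "alice", "exp": int(time.time()) + 3600},
                    secret="kP8$zL2#vQ9!mN4wXr7uT3cB")  # demo value, not in the wordlist

if __name__ == "__main__":
    for name, tok in [("weak", WEAK_TOKEN), ("none", NONE_TOKEN), ("ok", OK_TOKEN)]:
        print(name, audit_jwt(tok))
```

The dictionary check is deliberately offline: it only hashes candidates against the signature it already has, so it never sends a request to the target. A real verifier should also pin the expected algorithm server-side rather than trusting the alg header, which is what check 1 catches from the client side.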

Introducing the GraphQL Add-on for ZAP

Posted 889 Words
GraphQL Schemas can be very large and testing them can be a very time-consuming process. Currently, there is a lack of tools that allow developers to launch and automate attacks on these endpoints. The GraphQL add-on for ZAP intends to fill this gap. The add-on is still in an early stage, so the range of its functionality is limited.

ZAP 2.9 Highlights

Posted 953 Words
Do you know what interesting bits were added to ZAP 2.9.0? Don’t read release notes? This blog post is for you! Session Management Scripts, Proxy Info Display, Proxy Port Reservation Failure Handling, Options Panel(s) Filter, Active Scan Filter, and more.

Dynamic Application Security Testing with ZAP and GitHub Actions

Posted 598 Words
The ZAP full scan GitHub action provides free dynamic application security testing (DAST) of your web applications. DAST is also known as black-box testing: ZAP exercises the running application from the outside, which allows it to identify potential vulnerabilities in your web applications. We previously introduced the ZAP baseline scan GitHub action to passively identify potential alerts in a web application.

Customize Alert Details

Posted 381 Words
Did you know that you or your company/organization could customize the generic details of the alerts that ZAP raises? Alerts raised by ZAP contain a variety of information, some generic, some specific to the issue at hand. Specific details may include things such as URL, parameter, values, etc. While generic details include things like a description, solution, and links to related background material and resources.

Automate Security Testing with ZAP and GitHub Actions

Posted 741 Words
With the increasing number of web application security breaches, it is essential to keep your web application secure at all times. Furthermore, having security testing integrated into your CI/CD pipeline (DevSecOps) will be a lifesaver if you are actively developing the application. To cater to this need ZAP provides a baseline scan feature to find common security faults in a web application without doing any active attacks.

Is ZAP the World’s most Popular Web Scanner?

Posted 394 Words
I’ve stated that ZAP is the world’s most popular free and open source web application scanner on stage at security conferences around the world for many years. No one has ever contradicted me so it must be true :) However I’ve started to wonder if ZAP is actually more popular than most if not all of the commercial scanners as well?

ZAP SSRF Setup

Posted 604 Words
Some vulnerabilities can only be found by sending payloads that cause a callback to the tester. One example is blind XXE, where the result of parsing the XML is never returned to the user. ZAP can find these vulnerabilities via its out-of-band callback detection, but the target system must be able to reach the ZAP callback endpoint.

Dark Mode in the Weekly Release

Posted 110 Words
We release ZAP every week: https://www.zaproxy.org/download/#weekly - and we're happy to announce that this week's release includes the first steps towards an all new dark mode for the ZAP Desktop UI. It's early days - not all screens use suitable colours, but it should be mostly usable. To enable it in the weekly release:

The ZAP Blog has Moved

Posted 173 Words
OK, OK, it’s been a long time since the last ZAP blog post. But we certainly have not been idle - since that last blog post we’ve published 3 full ZAP releases, well over 100 weekly releases and a shiny new web site: https://zaproxy.org/ Because we now have a new website we’ve decided to move our blog from https://zaproxy.

ZAP Browser Launch

Posted 183 Words
We have just released a new feature for ZAP that allows you to launch browsers from within ZAP. The browsers are automatically configured to proxy via ZAP and ignore certificate warnings, making it much easier for people to get started with ZAP as well as for more experienced users who want to use ZAP with a variety of browsers.

Scanning APIs with ZAP

Posted 1100 Words
The previous ZAP blog post explained how you could Explore APIs with ZAP. This blog post goes one step further, and explains how you can both explore and perform security scanning of APIs using ZAP from the command line. This allows you to easily automate the scanning of your APIs.

Exploring APIs with ZAP

Posted 486 Words
APIs can be challenging for security testing for a variety of reasons. The first problem you will encounter is how to effectively explore an API - most APIs cannot be explored using browsing or standard spidering techniques. However many APIs are described using technologies such as SOAP and OpenAPI / Swagger. These standards define the API endpoints and can be imported into ZAP using 2 optional add-ons.

Introducing the JxBrowser add-on for ZAP

Posted 594 Words
As modern web applications are increasing their reliance on JavaScript, security tools that do not understand JavaScript will not be able to work effectively with them. ZAP already has components like the Ajax Spider and DOM XSS scanner that work by launching browsers and controlling them via Selenium, and we are planning to make much more use of browsers in the future.

Announcing the ZAP Jenkins Plugin

Posted 463 Words
Using ZAP during the development process is now easier than ever. We are proud to present the Jenkins plugin, which extends the functionality of the ZAP security tool into a CI environment. The process explained: a Jenkins CI build step initializes ZAP; traffic flows (regression pack) through ZAP (web proxy); ZAP modifies requests to include vulnerability tests; the target application/server sends the response back through ZAP; ZAP sends reporting data back to Jenkins; Jenkins publishes and archives the report(s); and Jenkins creates JIRA tickets for the alerts. The ZAP Jenkins plugin makes use of the readily available and diverse ZAP API, allowing you to use the same session files and scan policy profiles between ZAP and the Jenkins plugin, so they can be loaded interchangeably.

Announcing ZAP Unit Test Bounties

Posted 490 Words
Unit tests are wonderful things, but they are painful to add to a mature project that doesn’t have enough of them. We would love to have more ZAP unit tests, and we are therefore launching a Unit Test Bounty program, where we pay for unit tests for specific areas of the ZAP codebase.

ZAP 2.5.0

Posted 362 Words
ZAP 2.5.0 is now available. This release contains a large number of enhancements and fixes which are detailed in the release notes. API changes: there have been some API changes which are not backwards compatible, which is the reason for the version change to 2.5. These are detailed in the release notes.

ZAP Newsletter - 2016 March

Posted 1791 Words
Introduction: Welcome to the March newsletter, read on for some really good news, details of the new site level stats ZAP now supports and an introduction to scripting. News: The big news this month is that ZAP was voted the TOP free/open source security tool for 2015 by Toolswatch readers: https://www.

ZAP Newsletter - 2016 February

Posted 3246 Words
Introduction: Welcome to a slightly delayed February newsletter - we were holding on for some expected news that will now have to wait until next time ;) News: We have started another user questionnaire. We ran one 2 years ago - the answers were very helpful and definitely shaped the direction ZAP is now taking.

ZAP Newsletter - 2016 January

Posted 1796 Words
Introduction: Happy New Year! For the first newsletter of 2016 we have a special feature on a new vulnerability “XCOLD Information Leak” that caught the eye of one of our key contributors, how he found it and how you can use a new ZAP rule to detect it.

ZAP Newsletter - 2015 December

Posted 1863 Words
Introduction: Welcome to the second ZAP Newsletter. And apologies for the delay - 2.4.3 took longer than expected, and last week I was away at a Mozilla work week. News: The big news is that ZAP 2.4.3 is now available to download. This is a development and bugfix release, for more details of all of the changes see the release notes.

ZAP Newsletter - 2015 November

Posted 2533 Words
Introduction: Welcome to the first monthly ZAP newsletter. We plan to cover pretty much anything ZAP related in these newsletters, including newly created or updated add-ons, new features just implemented and 3rd party tools. We also encourage contributions from people like yourself - see the last section for details.

ZAP Q&A Session - Tuesday 13th October 2015

Posted 577 Words
The first online ZAP Q&A Session was held on Tuesday 13th October. You can listen to a recording of the session here. Please leave feedback via this Google Form. Some links to resources mentioned in the session or related to the questions: the DOM XSS add-on, the Context Alert Filters add-on, the Revisit add-on, the Access Control add-on, the vulnerabilities detected by ZAP, how to set up form based authentication, and the community-scripts repo. Note that you can download add-ons from within ZAP via the Marketplace.

ZAP as a Service (ZaaS)

Posted 1124 Words
At OWASP AppSec EU in Amsterdam this year I announced ZAP as a Service (ZaaS). The slides are here and the video will hopefully be available soon. The idea behind this development is to enhance ZAP so that it can be run in a ‘server’ mode. This is different to the current ‘daemon’ mode in that it will be designed to be a long running, highly scalable, distributed service accessed by multiple users with different roles.

Alberto's GSoC 2014 Project for ZAP SOAP Scanner Add-On

Posted 325 Words
Hello everybody, my name is Alberto Verza, a 23-year-old student from Spain, and this summer I have participated in Google Summer of Code 2014. My project was the SOAP Scanner add-on for ZAP, on which I worked throughout the program. Let me explain the features it includes.

Hacking ZAP #4 - Active scan rules

Posted 1031 Words
Welcome to a series of blog posts aimed at helping you “hack the ZAP source code”. The previous post in this series is: Hacking ZAP #3 - Passive scan rules Active scan rules are another relatively simple way to enhance ZAP. Active scan rules attack the server, and therefore are only run when explicitly invoked by the user.

Hacking ZAP #3 - Passive scan rules

Posted 1253 Words
Welcome to a series of blog posts aimed at helping you “hack the ZAP source code”. The previous post in this series is: Hacking ZAP #2 - Getting Started One of the easiest ways to enhance ZAP is to write new passive scan rules. Passive scan rules are used to warn the user of potential vulnerabilities that can be detected passively - they are not allowed to make any new requests or manipulate the requests or responses in any way.

Hacking ZAP #2 - Getting Started

Posted 713 Words
Welcome to a series of blog posts aimed at helping you “hack the ZAP source code”. The previous post in this series is: Hacking ZAP #1 - Why should you? In order to change the ZAP source code you will need to set up a development environment. Requirements: The following software is used/required to obtain and build ZAP (core) and the add-ons:

Hacking ZAP #1 - Why should you?

Posted 956 Words
Welcome to a series of blog posts aimed at helping you “hack the ZAP source code”. ZAP is an open source tool for finding vulnerabilities in web applications. It is the most active OWASP project and is very community focused - it probably has more contributors than any other web application security tool.

ZAP 2.0.0 and the Google Summer of Code 2012 Projects

Posted 793 Words
We are getting close to releasing the next major version of ZAP. As there are so many changes we’ve decided to go to version 2.0.0 rather than 1.5, and some of the biggest changes have come about thanks to the Google Summer of Code (GSoC). This is the first year in which ZAP has taken part in the GSoC, and it has been a resounding success.

ZAP Weekly Releases

Posted 485 Words
I’ve been struggling with the question of ZAP releases. We’ve made loads of enhancements to ZAP recently, and I want them to be available to as wide an audience as possible. But I also want to make sure our ‘full’ releases remain as robust and stable as possible.

OWASP ZAP – the Firefox of web security tools

Posted 909 Words
The OWASP Zed Attack Proxy (otherwise known as ZAP) is a free security tool which you can use to find security vulnerabilities in web applications. My name is Simon Bennetts, and I am the ZAP Project Leader; there is also an international group of volunteers who develop and support it.