Tag: Blog

ZAP Updates - November 2024

Posted 561 Words
A brand new Scan Policies add-on, how to integrate ZAP with OWASP Noir and ZAP 2.16.0 is getting very close..

Powering Up DAST with ZAP and Noir

Posted 732 Words
Integrating Noir, a tool for discovering hidden endpoints in source code, with ZAP enhances dynamic application security testing (DAST).

ZAP Updates - October 2024

Posted 959 Words
ZAP Updates are back after a small break. Read about the updates from October, including an upgrade to Java 17, scanning of sequenced requests, a potential LLM integration, and more.

ZAP Has Joined Forces With Checkmarx

Posted 362 Words
This is a huge investment (and vote of confidence) in ZAP and will secure the project’s future success.

Polyfill.io Script Detection

Posted 360 Words
A new scan rule which allows you to find out which of your sites are loading scripts from polyfill.io really quickly.

ZAP Updates - May 2024

Posted 1330 Words
It was another “full release” month, with 2.15.0 and a brand new add-on for gRPC support.

ZAP 2.15.0

Posted 461 Words
ZAP 2.15.0 has just been released, and adds support for scripts as first class scan rules, restructured desktop menu items, and more…

ZAP Updates - April 2024

Posted 1129 Words
ZAP professional services, a new Docker Hub org, a new GitHub Action and 2.15.0 is coming soon.

ZAP Professional Services!

Posted 149 Words
ZAP Professional Services are now available, delivered by key members of the ZAP Core Team. Money raised from these services will help fund ZAP development.

ZAP Updates - March 2024

Posted 1190 Words
ZAP funding, the Open Source Fellowship, ZAProxy Ltd, script scan rules as first class scan rules.

Support Changes

Posted 230 Words
Changes that we are having to put in place regarding ZAP support.

ZAP Updates - February 2024

Posted 1000 Words
Restructured desktop menus, OWASP Docker Hub depreciation, Funding, and GSoC.

ZAP Professional Services?

Posted 410 Words
Would you be interested in ZAP based professional services? If so please get in touch.

ZAP Updates - January 2024

Posted 1616 Words
ZAP funding investigations, a CLA and Google Summer of Code.

2023 in Review

Posted 290 Words
A summary of everything ZAP related that happened in 2023.

Discovering Our Users - The ZAP User Personas Questionnaire

Posted 277 Words
Join our journey to tailor ZAP for every user, by sharing your unique insights and experiences. Your perspective is the key to unlocking ZAP’s full potential for everyone in the cybersecurity community.

Automated ZAP Scans for Orchard Core Apps

Posted 542 Words
If you have an app running on the ASP.NET Core web framework and CMS Orchard Core, you can now easily run ZAP scans for it.

ZAP Technology Support

Posted 601 Words
How you can tell ZAP which technology your target uses, and why it can be a really good idea.

ZAP Updates - October 2023

Posted 1443 Words
A new ZAP version, a CLI feature to do quick reconnaissance, and more!

Map Local Add-on

Posted 314 Words
Allows mapping of responses to content of chosen local file.

ZAPit

Posted 231 Words
Want to find out as much info about a URL as possible really quickly? Then ZAPit!

ZAP 2.14.0

Posted 633 Words
ZAP 2.14.0 has just been released, and adds support for Host Header Manipulation, ZAPit, API File Transfers, Graal JS Add-on Access, Postman collections, SBOMs, and more…

ZAP Updates - September 2023

Posted 965 Words
Both of our GSoC students completed their projects, and we started a new video series.

Postman Add-on

Posted 409 Words
Import Postman collections with the new Postman add-on for ZAP.

ZAP Chat Video Series

Posted 101 Words
We have just started a new series of videos called ZAP Chat which focus on ZAP features, new and old.

GSoC 2023 Browser Recorder

Posted 1374 Words
ZAP has introduced a new feature to record pre-task activities such as logging in etc. using Browser Recorder.

What Should We Focus On?

Posted 314 Words
We want your input on what we should focus on as part of ZAP development.

Community - Tips and Tricks

Posted 120 Words
News about a community area to contribute ZAP usage tips and tricks.

ZAP 2.13.0

Posted 547 Words
ZAP 2.13.0 has just been released, and adds support for HTTP/2, improved authentication handling and Mac Silicon.

ZAP Updates - June 2023

Posted 894 Words
June 2023 updates and ongoing feature development statuses.

ZAP Updates - May 2023

Posted 1222 Words
May 2023 updates and ongoing feature development statuses.

Authentication Tester Dialog

Posted 428 Words
There is now a really easy way to check if ZAP can handle your app’s authentication.

ZAP Updates - April 2023

Posted 1034 Words
April 2023 updates - the ZAP 2.13.0 Release Candidate is available now!

Authentication Auto-Detection

Posted 1342 Words
ZAP can now automatically detect and configure itself to handle common authentication mechanisms.

ZAP Updates - March 2023

Posted 1155 Words
March 2023 updates and ongoing feature development statuses.

How Should We Fund ZAP Development?

Posted 349 Words
We would love to be able to make ZAP even better for you - your feedback on how that could be funded would be appreciated!

ZAP Updates 2023 January

Posted 616 Words
The January 2023 updates including authentication improvements and future plans.

Authenticating Using Selenium

Posted 1415 Words
How to configure ZAP to handle complex authentication using Selenium.

Authentication Help

Posted 977 Words
Handling authentication in automation is hard, but help is on its way.

2022 in Review

Posted 565 Words
A summary of everything ZAP related that happened in 2022.

ZAP Updates 2022 November

Posted 900 Words
The November 2022 updates, following the 2.12.0 release.

ZAP Updates 2022 September

Posted 1716 Words
The September 2022 updates, including our new Platinum Supporter - Jit, GSoC 2022 success, more news on the forthcoming 2.12.0 release, and no less than 31 add-on updates!

Hacking ZAP - ZAP Extender Scripts

Posted 658 Words
An overview of ZAP Extender scripts with examples. Use ZAP as a web server, subscribe to internal ZAP events, and more!

ZAP Updates 2022 August

Posted 1027 Words
All of the things that have been happening related to ZAP in August 2022.

The Requester Add-on

Posted 196 Words
An add-on aimed squarely at the pentesters.

ZAPCon 2022 Schedule is Now Live

Posted 236 Words
I am excited to share that we’ve just released the speaker lineup and schedule for the ZAPCon 2022! ZAPCon takes place on March 8-9, with one day of talks and one day of incredible workshops.

New ZAP Networking Layer

Posted 419 Words
The ZAP Weekly and Live releases have an all new networking layer.

Log4Shell Detection with ZAP

Posted 1081 Words
A walkthrough of using the new Log4Shell Alpha Active Scan rule with the ZAP Automation Framework.

ZAP and Log4Shell

Posted 300 Words
ZAP appears to be impacted by the Log4Shell vulnerability - CVE-2021-44228. We have released ZAP 2.11.1 which fixes the problem, this blog post gives more information and the impact on older versions of ZAP.

The Eval Villain Add-on

Posted 1560 Words
Eval Villain was recently added to the ZAP Marketplace. This add-on installs the Eval Villain web extension in Firefox and allows the inspection of arguments to arbitrary native JavaScript functions.

OWASP Outstanding Project 2021

Posted 86 Words
ZAP has been awarded the 2021 Waspy Award for Outstanding Project, as selected by OWASP Members.

ZAP Telemetry Plans

Posted 591 Words
We are planning to add telemetry to ZAP - data that will tell us more about how ZAP is being used. This blog post explains why we are planning on doing this, what data we plan to collect, what data we will definitely not collect, the benefits you can expect, and how you will be able to opt out of it.

ZAP 2.11.0

Posted 490 Words

ZAP 2.11.0 (also known as the OWASP 20th anniversary release) is available now.

Major changes include:

Alert Tags

Alerts can now be tagged with arbitrary keys or key=value pairs - this can be done via the desktop GUI and the API.

Retesting alerts with OWASP ZAP

Posted 788 Words
An overview of the features of the Retest add-on for OWASP ZAP. This add-on allows you to retest for previously generated alerts.

ZAP FileUpload Add-on

Posted 610 Words

Overview

File upload is becoming a more and more essential part of any application, where the user is able to upload their photo, their CV, or a video showcasing a project they are working on. The application should be able to fend off bogus and malicious files in a way to keep the application and the users safe. Generally file upload functionality is quite complex to automate and has huge attack surface hence there is a need to automate the process and also secure it. So the FileUpload add-on has scan rule which is used to find vulnerabilities in file upload functionality and this blog explains on how to use it.

Collecting Statistics for Open Source Projects

Posted 1841 Words
This blog post will show you how you can collect and publish statistics on your open source projects using free resources and open source scripts, based on the setup we have for ZAP.

ZAP 2.10 Features

Posted 939 Words
Do you know what interesting bits were added to ZAP 2.10.0? Don’t read release notes? This blog post is for you! Dark mode, Expand/Collapse top panes, Custom pages, Scriptable encode/decode/hash, Authentication polling, Auth header via ENV vars, Site tree control, and more.

ZAP Report Competition

Posted 1068 Words
Help us add modern, useful and stylish reports to ZAP - the competition is now open until October 1st 2021.

1st Ever ZAPCon - Call For Papers

Posted 185 Words
Today we are calling for topics and speakers in the first-ever OWASP ZAP User Conference!

Sites Tree Modifiers

Posted 1169 Words
The Sites Tree is a key component of ZAP, and one whose purpose is often misunderstood. This blog post will explain why the Sites Tree is so important, how you can change it now and how you will be able to change it in the next ZAP release.

ZAP Tags

Posted 282 Words
How to give some colours to ZAP’s History tab. An introduction to passive scanning tags, its use cases, and the Neonmarker add-on.

ZAP is Ten Years Old

Posted 490 Words
On September 6th 2010 I posted this message to Bugtraq: Title - The Zed Attack Proxy (ZAP) version 1.0.0. From those very humble beginnings ZAP has now become what we believe is the world’s most frequently used web application scanner.

ZAP JWT Support Add-on

Posted 423 Words

With the popularity of JSON Web Tokens (JWTs) there comes the need to secure their use so that they are not misused because of bad configuration, older libraries, or buggy implementations. So the JWT Support add-on is used to find such vulnerabilities and this blog explains on how to use it.

Introducing the GraphQL Add-on for ZAP

Posted 889 Words

GraphQL Schemas can be very large and testing them can be a very time-consuming process. Currently, there is a lack of tools that allow developers to launch and automate attacks on these endpoints. The GraphQL add-on for ZAP intends to fill this gap.

The add-on is still in an early stage, so the range of its functionality is limited. However, you can combine it with existing ZAP functionality to abuse GraphQL endpoints in many different ways.

ZAP 2.9 Highlights

Posted 953 Words
Do you know what interesting bits were added to ZAP 2.9.0? Don’t read release notes? This blog post is for you! Session Management Scripts, Proxy Info Display, Proxy Port Reservation Failure Handling, Options Panel(s) Filter, Active Scan Filter, and more.

Dynamic Application Security Testing with ZAP and GitHub Actions

Posted 598 Words

zap-action

ZAP full scan GitHub action provides free dynamic application security testing (DAST) of your web applications. DAST is also known as black-box testing, which allows ZAP to identify potential vulnerabilities in your web applications. We previously introduced the ZAP baseline scan GitHub action to passively identify potential alerts in a web application. However, unlike the baseline scan, ZAP full scan attacks the web application to find additional vulnerabilities.

Customize Alert Details

Posted 381 Words

Did you know that you or your company/organization could customize the generic details of the alerts that ZAP raises?

Alerts raised by ZAP contain a variety of information, some generic, some specific to the issue at hand. Specific details may include things such as URL, parameter, values, etc. While generic details include things like a description, solution, and links to related background material and resources.

Automate Security Testing with ZAP and GitHub Actions

Posted 741 Words

zap-action

With the increasing number of web application security breaches, it is essential to keep your web application secure at all times. Furthermore having security integrated into your CI/CD pipeline (DevSecOps) will become a lifesaver if you are actively developing the application. To cater to this need ZAP provides a baseline scan feature to find common security faults in a web application without doing any active attacks.

Is ZAP the World’s most Popular Web Scanner?

Posted 394 Words

I’ve stated that ZAP is the world’s most popular free and open source web application scanner on stage at security conferences around the world for many years. No one has ever contradicted me so it must be true :)

However I’ve started to wonder if ZAP is actually more popular than most if not all of the commercial scanners as well?

ZAP SSRF Setup

Posted 604 Words

Some vulnerabilities can only be found by sending payloads that cause a callback to the tester. One example is XXE vulnerabilities when the XML rendering result is not available to the user. ZAP can find these vulnerabilities that depend on SSRF detection but the target system needs to be able to reach the ZAP callback endpoint. In many cases the computer running ZAP is behind some kind of NAT and doesn’t have a public IP so it will not receive the expected callbacks and miss some of the existent vulnerabilities.

Dark Mode in the Weekly Release

Posted 110 Words

We release ZAP every week: https://www.zaproxy.org/download/#weekly

We’re happy to announce that this week’s release includes the first steps towards an all new dark mode for the ZAP Desktop UI:

It’s early days - not all screens use suitable colours, but it should be mostly usable. To enable it in the weekly release:

The ZAP Blog has Moved

Posted 173 Words

OK, OK, it’s been a long time since the last ZAP blog post. But we certainly have not been idle - since that last blog post we’ve published 3 full ZAP releases, well over 100 weekly releases and a shiny new web site: https://zaproxy.org/

Because we now have a new website we’ve decided to move our blog from https://zaproxy.blogspot.com/ to https://zaproxy.org/blog/. As part of that move all of the old blog posts have been moved to the new site and updated to fix some of the links that had broken.

ZAP 2.5.0

Posted 362 Words

ZAP 2.5.0 is now available.

This release contains a large number of enhancements and fixes which are detailed in the release notes.

API changes

There have been some API changes which are not backwards compatible, and the reason for the version change to 2.5. These are detailed in the release notes.
The API has also been extended to cover even more of the functionality in ZAP, including full access to the statistics.

ZAP 2.0.0 and the Google Summer of Code 2012 Projects

Posted 793 Words

We are getting close to releasing the next major version of ZAP.

As there are so many changes we’ve decided to go to version 2.0.0 rather than 1.5, and some of the biggest changes have come about thanks to the Google Summer of Code (GSoC).

This is the first year in which ZAP has taken part in the GSoC, and it has been a resounding success.

ZAP Weekly Releases

Posted 485 Words

I’ve been struggling with the question of ZAP releases.
We’ve made loads of enhancements to ZAP recently, and I want them to be available to as wide an audience as possible.
But I also want to make sure our ‘full’ releases remain as robust and stable as possible.
I want to get the next full release (2.0.0) out of the door asap, but I still want to get a load more features into it.