Posted Monday March 18, 2024
230 Words
Changes that we are having to put in place regarding ZAP support.
Posted Wednesday March 13, 2024
1689 Words
ZAP is now supported by the Crash Override Open Source Fellowship!
Posted Monday March 11, 2024
751 Words
Unveiling the ZAP User Personas - Insights from Our Community
Posted Monday March 4, 2024
1000 Words
Restructured desktop menus, OWASP Docker Hub deprecation, Funding, and GSoC.
Posted Monday February 19, 2024
410 Words
Would you be interested in ZAP based professional services? If so please get in touch.
Posted Friday February 2, 2024
1616 Words
ZAP funding investigations, a CLA and Google Summer of Code.
Posted Tuesday January 23, 2024
403 Words
We are introducing a Contributor License Agreement to cover all ZAP contributions.
Posted Wednesday January 3, 2024
290 Words
A summary of everything ZAP related that happened in 2023.
Posted Thursday December 21, 2023
277 Words
Join our journey to tailor ZAP for every user, by sharing your unique insights and experiences. Your perspective is the key to unlocking ZAP’s full potential for everyone in the cybersecurity community.
Posted Friday December 8, 2023
542 Words
If you have an app running on the ASP.NET Core web framework and CMS Orchard Core, you can now easily run ZAP scans for it.
Posted Monday December 4, 2023
607 Words
The questionnaire results, and what we’re doing about the things you care about most.
Posted Friday December 1, 2023
1081 Words
Improved modern web app handling and lots of videos.
Posted Monday November 20, 2023
601 Words
How you can tell ZAP which technology your target uses, and why it can be a really good idea.
Posted Friday November 3, 2023
794 Words
Introducing a new add-on which allows ZAP (and you) to see what is going on in the browser.
Posted Thursday November 2, 2023
1443 Words
A new ZAP version, a CLI feature to do quick reconnaissance, and more!
Posted Tuesday October 31, 2023
314 Words
Allows mapping of responses to content of chosen local file.
Posted Wednesday October 18, 2023
231 Words
Want to find out as much info about a URL as possible really quickly? Then ZAPit!
Posted Thursday October 12, 2023
633 Words
ZAP 2.14.0 has just been released, and adds support for Host Header Manipulation, ZAPit, API File Transfers, Graal JS Add-on Access, Postman collections, SBOMs, and more…
Posted Monday October 2, 2023
965 Words
Both of our GSoC students completed their projects, and we started a new video series.
Posted Monday September 25, 2023
409 Words
Import Postman collections with the new Postman add-on for ZAP.
Posted Friday September 15, 2023
101 Words
We have just started a new series of videos called ZAP Chat which focus on ZAP features, new and old.
Posted Monday September 11, 2023
1374 Words
ZAP has introduced a new feature to record pre-task activities such as logging in etc. using Browser Recorder.
Posted Friday September 8, 2023
1276 Words
ZAP Spider can now probe and parse macOS’ .DS_Store files.
Posted Friday September 1, 2023
940 Words
August 2023 was a big change for us!
Posted Tuesday August 29, 2023
314 Words
We want your input on what we should focus on as part of ZAP development.
Posted Friday August 25, 2023
120 Words
News about a community area to contribute ZAP usage tips and tricks.
Posted Monday August 21, 2023
103 Words
You can now install ZAP via winget - the Windows Package Manager.
Posted Tuesday August 1, 2023
675 Words
I’m delighted to announce that ZAP is joining the new Software Security Project (SSP) as one of the founding projects. This does however mean we are leaving OWASP.
Posted Wednesday July 12, 2023
547 Words
ZAP 2.13.0 has just been released, and adds support for HTTP/2, improved authentication handling and Mac Silicon.
Posted Wednesday July 5, 2023
894 Words
June 2023 updates and ongoing feature development statuses.
Posted Tuesday June 13, 2023
146 Words
ZAP Docker images are now also published to the GitHub Container Registry.
Posted Thursday June 1, 2023
1222 Words
May 2023 updates and ongoing feature development statuses.
Posted Tuesday May 23, 2023
428 Words
There is now a really easy way to check if ZAP can handle your app’s authentication.
Posted Wednesday May 3, 2023
1034 Words
April 2023 updates - the ZAP 2.13.0 Release Candidate is available now!
Posted Tuesday May 2, 2023
1342 Words
ZAP can now automatically detect and configure itself to handle common authentication mechanisms.
Posted Monday April 3, 2023
1155 Words
March 2023 updates and ongoing feature development statuses.
Posted Thursday March 9, 2023
349 Words
We would love to be able to make ZAP even better for you - your feedback on how that could be funded would be appreciated!
Posted Thursday February 2, 2023
616 Words
The January 2023 updates including authentication improvements and future plans.
Posted Wednesday February 1, 2023
1415 Words
How to configure ZAP to handle complex authentication using Selenium.
Posted Thursday January 19, 2023
977 Words
Handling authentication in automation is hard, but help is on its way.
Posted Tuesday January 3, 2023
565 Words
A summary of everything ZAP related that happened in 2022.
Posted Saturday December 24, 2022
598 Words
A reply to an excellent blog series from Secure Ideas: Twelve Days of ZAPmas - ZAP impressions from a Burp user.
Posted Thursday December 1, 2022
900 Words
The November 2022 updates, following the 2.12.0 release.
Posted Thursday November 3, 2022
679 Words
See the data behind the most popular active scan rules every month.
Posted Thursday October 27, 2022
717 Words
ZAP 2.12.0 has just been released, and as the main zaproxy/zaproxy repo has just reached 10k stars we’re calling this the Ten Thousand Star Release.
Posted Saturday October 1, 2022
200 Words
ZAP is participating in Hacktoberfest 2022.
Posted Friday September 30, 2022
1716 Words
The September 2022 updates, including our new Platinum Supporter - Jit, GSoC 2022 success, more news on the forthcoming 2.12.0 release, and no less than 31 add-on updates!
Posted Wednesday September 14, 2022
112 Words
Simon’s work on ZAP is now sponsored by Jit.
Posted Tuesday September 13, 2022
658 Words
An overview of ZAP Extender scripts with examples. Use ZAP as a web server, subscribe to internal ZAP events, and more!
Posted Wednesday August 31, 2022
1027 Words
All of the things that have been happening related to ZAP in August 2022.
Posted Monday August 22, 2022
705 Words
The parameter discovery add-on for ZAP.
Posted Friday June 17, 2022
224 Words
Has ZAP helped you? Now it is your turn to help ZAP.
Posted Tuesday May 10, 2022
196 Words
An add-on aimed squarely at the pentesters.
Posted Thursday April 14, 2022
618 Words
How to solve the PortSwigger Lab: Username enumeration via account lock using ZAP scripts.
Posted Wednesday April 6, 2022
369 Words
How to solve the PortSwigger Lab: 2FA Broken Logic using ZAP.
Posted Monday April 4, 2022
163 Words
How to detect Spring4Shell with the new Spring4Shell Alpha Active Scan Rule.
Posted Tuesday March 29, 2022
400 Words
How to solve the PortSwigger Lab: Password Brute-force via Password Change using ZAP.
Posted Tuesday March 22, 2022
444 Words
StackHawk has launched a $100,000 ZAP Fund dedicated to improving ZAP and the ZAP Community.
Posted Wednesday February 16, 2022
236 Words
I am excited to share that we’ve just released the speaker lineup and schedule for the ZAPCon 2022! ZAPCon takes place on March 8-9, with one day of talks and one day of incredible workshops.
Posted Thursday February 10, 2022
427 Words
The ZAP Weekly and Live releases have an all new networking layer.
Posted Friday December 17, 2021
205 Words
ZAPCon is returning for its second year! The second annual ZAP user conference will take place on March 8, 2022 and the Call for Papers is open!
Posted Tuesday December 14, 2021
1081 Words
A walkthrough of using the new Log4Shell Alpha Active Scan rule with the ZAP Automation Framework.
Posted Friday December 10, 2021
300 Words
ZAP appears to be impacted by the Log4Shell vulnerability - CVE-2021-44228. We have released ZAP 2.11.1, which fixes the problem; this blog post gives more information and describes the impact on older versions of ZAP.
Posted Wednesday December 1, 2021
1560 Words
Eval Villain was recently added to the ZAP Marketplace. This add-on installs the Eval Villain web extension in Firefox and allows the inspection of arguments to arbitrary native JavaScript functions.
Posted Friday November 26, 2021
381 Words
You can now launch your favourite browsers from ZAP with your favourite extensions.
Posted Wednesday November 24, 2021
86 Words
ZAP has been awarded the 2021 Waspy Award for Outstanding Project, as selected by OWASP Members.
Posted Monday October 25, 2021
591 Words
We are planning to add telemetry to ZAP - data that will tell us more about how ZAP is being used. This blog post explains why we are planning on doing this, what data we plan to collect, what data we will definitely not collect, the benefits you can expect, and how you will be able to opt out of it.
Posted Thursday October 7, 2021
490 Words
ZAP 2.11.0 (also known as the OWASP 20th anniversary release) is available now.
Major changes include:
Alert Tags: Alerts can now be tagged with arbitrary keys or key=value pairs - this can be done via the desktop GUI and the API.
All of the active and passive scan rules have been updated to include tags for the OWASP Top 10 2021 and 2017.
Posted Monday August 23, 2021
897 Words
An overview of the features of the OAST add-on for OWASP ZAP. This add-on allows you to discover out-of-band vulnerabilities like SSRF.
Posted Monday August 23, 2021
788 Words
An overview of the features of the Retest add-on for OWASP ZAP. This add-on allows you to retest for previously generated alerts.
Posted Friday August 20, 2021
610 Words
Overview: File upload is becoming a more and more essential part of any application, where the user is able to upload their photo, their CV, or a video showcasing a project they are working on. The application should be able to fend off bogus and malicious files in a way that keeps the application and its users safe.
Posted Monday April 19, 2021
1841 Words
This blog post will show you how you can collect and publish statistics on your open source projects using free resources and open source scripts, based on the setup we have for ZAP.
Posted Monday March 29, 2021
939 Words
Do you know what interesting bits were added to ZAP 2.10.0? Don’t read release notes? This blog post is for you! Dark mode, Expand/Collapse top panes, Custom pages, Scriptable encode/decode/hash, Authentication polling, Auth header via ENV vars, Site tree control, and more.
Posted Friday March 12, 2021
1068 Words
Help us add modern, useful and stylish reports to ZAP - the competition is now open until October 1st 2021.
Posted Thursday March 4, 2021
426 Words
Posted Wednesday February 10, 2021
1606 Words
Write scripts in ZAP which will check a target application’s compliance against ASVS controls.
Posted Wednesday February 3, 2021
541 Words
You can access the ZAP Desktop even when it is running in Docker, and that means you do not have to install Java if you do not want to.
Posted Thursday January 28, 2021
185 Words
Today we are calling for topics and speakers in the first-ever OWASP ZAP User Conference!
Posted Monday December 21, 2020
618 Words
ZAP 2.10.0 has just been released so we’re treating this as a belated 10 year anniversary release!
Posted Tuesday September 22, 2020
1169 Words
The Sites Tree is a key component of ZAP, and one whose purpose is often misunderstood. This blog post will explain why the Sites Tree is so important, how you can change it now and how you will be able to change it in the next ZAP release.
Posted Monday September 14, 2020
282 Words
How to give some colours to ZAP’s History tab. An introduction to passive scanning tags, their use cases, and the Neonmarker add-on.
Posted Sunday September 6, 2020
490 Words
On September 6th 2010 I posted this message to Bugtraq: Title - The Zed Attack Proxy (ZAP) version 1.0.0. From those very humble beginnings ZAP has now become what we believe is the world’s most frequently used web application scanner.
Posted Thursday September 3, 2020
423 Words
With the popularity of JSON Web Tokens (JWTs) there comes the need to secure their use so that they are not misused because of bad configuration, older libraries, or buggy implementations. The JWT Support add-on is used to find such vulnerabilities, and this blog explains how to use it.
Posted Friday August 28, 2020
889 Words
GraphQL Schemas can be very large and testing them can be a very time-consuming process. Currently, there is a lack of tools that allow developers to launch and automate attacks on these endpoints. The GraphQL add-on for ZAP intends to fill this gap.
The add-on is still in an early stage, so the range of its functionality is limited.
Posted Thursday June 4, 2020
953 Words
Do you know what interesting bits were added to ZAP 2.9.0? Don’t read release notes? This blog post is for you! Session Management Scripts, Proxy Info Display, Proxy Port Reservation Failure Handling, Options Panel(s) Filter, Active Scan Filter, and more.
Posted Friday May 15, 2020
598 Words
The ZAP full scan GitHub action provides free dynamic application security testing (DAST) of your web applications. DAST, also known as black-box testing, allows ZAP to identify potential vulnerabilities in your web applications. We previously introduced the ZAP baseline scan GitHub action to passively identify potential alerts in a web application.
Posted Monday May 11, 2020
381 Words
Did you know that you or your company/organization could customize the generic details of the alerts that ZAP raises?
Alerts raised by ZAP contain a variety of information, some generic, some specific to the issue at hand. Specific details may include things such as URL, parameter, values, etc. While generic details include things like a description, solution, and links to related background material and resources.
Posted Thursday April 9, 2020
741 Words
With the increasing number of web application security breaches, it is essential to keep your web application secure at all times. Furthermore, having security integrated into your CI/CD pipeline (DevSecOps) will become a lifesaver if you are actively developing the application. To cater to this need, ZAP provides a baseline scan feature to find common security faults in a web application without doing any active attacks.
Posted Thursday April 2, 2020
394 Words
I’ve stated that ZAP is the world’s most popular free and open source web application scanner on stage at security conferences around the world for many years. No one has ever contradicted me so it must be true :)
However I’ve started to wonder if ZAP is actually more popular than most if not all of the commercial scanners as well?
Posted Monday March 9, 2020
604 Words
Some vulnerabilities can only be found by sending payloads that cause a callback to the tester. One example is XXE vulnerabilities when the XML rendering result is not available to the user. ZAP can find these vulnerabilities that depend on SSRF detection but the target system needs to be able to reach the ZAP callback endpoint.
Posted Wednesday March 4, 2020
110 Words
We release ZAP every week: https://www.zaproxy.org/download/#weekly
We’re happy to announce that this week’s release includes the first steps towards an all new dark mode for the ZAP Desktop UI:
It’s early days - not all screens use suitable colours, but it should be mostly usable. To enable it in the weekly release:
Posted Monday March 2, 2020
173 Words
OK, OK, it’s been a long time since the last ZAP blog post. But we certainly have not been idle - since that last blog post we’ve published 3 full ZAP releases, well over 100 weekly releases and a shiny new web site: https://zaproxy.org/
Because we now have a new website we’ve decided to move our blog from https://zaproxy.
Posted Friday June 3, 2016
362 Words
ZAP 2.5.0 is now available.
This release contains a large number of enhancements and fixes which are detailed in the release notes.
API changes: There have been some API changes which are not backwards compatible, and which are the reason for the version change to 2.5. These are detailed in the release notes.
Posted Wednesday September 3, 2014
325 Words
Hello everybody, my name is Alberto Verza, a 23-year-old student from Spain, and this summer I have participated in Google Summer of Code 2014. My project was the SOAP Scanner add-on for ZAP, on which I worked during the whole program. Let me explain the features it includes.
Posted Monday December 10, 2012
793 Words
We are getting close to releasing the next major version of ZAP.
As there are so many changes we’ve decided to go to version 2.0.0 rather than 1.5, and some of the biggest changes have come about thanks to the Google Summer of Code (GSoC).
This is the first year in which ZAP has taken part in the GSoC, and it has been a resounding success.
Posted Monday October 22, 2012
485 Words
I’ve been struggling with the question of ZAP releases.
We’ve made loads of enhancements to ZAP recently, and I want them to be available to as wide an audience as possible.
But I also want to make sure our ‘full’ releases remain as robust and stable as possible.