Posted Thursday October 7, 2021
ZAP 2.11.0 (also known as the OWASP 20th anniversary release) is available now.
Major changes include:
Alert Tags: Alerts can now be tagged with arbitrary keys or key=value pairs. This can be done via the desktop GUI and the API.
All of the active and passive scan rules have been updated to include tags for the OWASP Top 10 2021 and 2017.
Posted Monday August 23, 2021
An overview of the features of the OAST add-on for OWASP ZAP. This add-on allows you to discover out-of-band vulnerabilities like SSRF.
Posted Monday August 23, 2021
An overview of the features of the Retest add-on for OWASP ZAP. This add-on allows you to retest for previously generated alerts.
Posted Friday August 20, 2021
Overview: File upload is becoming a more and more essential part of any application, where the user is able to upload their photo, their CV, or a video showcasing a project they are working on. The application should be able to fend off bogus and malicious files in a way that keeps the application and its users safe.
Posted Monday April 19, 2021
This blog post will show you how you can collect and publish statistics on your open source projects using free resources and open source scripts, based on the setup we have for ZAP.
Posted Monday March 29, 2021
Do you know what interesting bits were added to ZAP 2.10.0? Don't read release notes? This blog post is for you! Dark mode, Expand/Collapse top panes, Custom pages, Scriptable encode/decode/hash, Authentication polling, Auth header via ENV vars, Site tree control, and more.
Posted Friday March 12, 2021
Help us add modern, useful and stylish reports to ZAP - the competition is now open until October 1st 2021.
Posted Thursday March 4, 2021
Posted Wednesday February 10, 2021
Write scripts in ZAP which will check a target application's compliance against ASVS controls.
Posted Wednesday February 3, 2021
You can access the ZAP Desktop even when it is running in Docker, and that means you do not have to install Java if you do not want to.
Posted Thursday January 28, 2021
Today we are calling for topics and speakers in the first-ever OWASP ZAP User Conference!
Posted Monday December 21, 2020
ZAP 2.10.0 has just been released so we're treating this as a belated 10 year anniversary release!
Posted Tuesday September 22, 2020
The Sites Tree is a key component of ZAP, and one whose purpose is often misunderstood. This blog post will explain why the Sites Tree is so important, how you can change it now and how you will be able to change it in the next ZAP release.
Posted Monday September 14, 2020
How to give some colour to ZAP's History tab. An introduction to passive scanning tags, their use cases, and the Neonmarker add-on.
Posted Sunday September 6, 2020
On September 6th 2010 I posted this message to Bugtraq: Title - The Zed Attack Proxy (ZAP) version 1.0.0. From those very humble beginnings ZAP has now become what we believe is the world’s most frequently used web application scanner.
Posted Thursday September 3, 2020
With the popularity of JSON Web Tokens (JWTs) comes the need to secure their use so that they are not misused because of bad configuration, older libraries, or buggy implementations. The JWT Support add-on is used to find such vulnerabilities, and this blog post explains how to use it.
Posted Friday August 28, 2020
GraphQL Schemas can be very large and testing them can be a very time-consuming process. Currently, there is a lack of tools that allow developers to launch and automate attacks on these endpoints. The GraphQL add-on for ZAP intends to fill this gap.
The add-on is still in an early stage, so the range of its functionality is limited.
Posted Thursday June 4, 2020
Do you know what interesting bits were added to ZAP 2.9.0? Don't read release notes? This blog post is for you! Session Management Scripts, Proxy Info Display, Proxy Port Reservation Failure Handling, Options Panel(s) Filter, Active Scan Filter, and more.
Posted Friday May 15, 2020
ZAP full scan GitHub action provides free dynamic application security testing (DAST) of your web applications. DAST is also known as black-box testing, which allows ZAP to identify potential vulnerabilities in your web applications. We previously introduced the ZAP baseline scan GitHub action to passively identify potential alerts in a web application.
Posted Monday May 11, 2020
Did you know that you or your company/organization could customize the generic details of the alerts that ZAP raises?
Alerts raised by ZAP contain a variety of information, some generic, some specific to the issue at hand. Specific details may include things such as URL, parameter, values, etc. While generic details include things like a description, solution, and links to related background material and resources.
Posted Thursday April 9, 2020
With the increasing number of web application security breaches, it is essential to keep your web application secure at all times. Furthermore, having security integrated into your CI/CD pipeline (DevSecOps) will become a lifesaver if you are actively developing the application. To cater to this need, ZAP provides a baseline scan feature to find common security faults in a web application without performing any active attacks.
Posted Thursday April 2, 2020
I’ve stated that ZAP is the world’s most popular free and open source web application scanner on stage at security conferences around the world for many years. No one has ever contradicted me so it must be true :)
However, I’ve started to wonder if ZAP is actually more popular than most if not all of the commercial scanners as well?
Posted Monday March 9, 2020
Some vulnerabilities can only be found by sending payloads that cause a callback to the tester. One example is XXE vulnerabilities where the XML rendering result is not available to the user. ZAP can find these vulnerabilities that depend on SSRF detection, but the target system needs to be able to reach the ZAP callback endpoint.
Posted Wednesday March 4, 2020
We release ZAP every week: https://www.zaproxy.org/download/#weekly
We’re happy to announce that this week’s release includes the first steps towards an all new dark mode for the ZAP Desktop UI:
It’s early days - not all screens use suitable colours, but it should be mostly usable. To enable it in the weekly release:
Posted Monday March 2, 2020
OK, OK, it's been a long time since the last ZAP blog post. But we certainly have not been idle - since that last blog post we've published 3 full ZAP releases, well over 100 weekly releases and a shiny new web site: https://zaproxy.org/
Posted Friday June 3, 2016
ZAP 2.5.0 is now available.
This release contains a large number of enhancements and fixes which are detailed in the release notes.
API changes: There have been some API changes which are not backwards compatible, which is the reason for the version change to 2.5. These are detailed in the release notes.
Posted Wednesday September 3, 2014
Hello everybody, my name is Alberto Verza, a 23-year-old student from Spain, and this summer I have participated in Google Summer of Code 2014. My project was the SOAP Scanner add-on for ZAP, on which I worked throughout the program. Let me explain to you the features it includes.
Posted Monday December 10, 2012
We are getting close to releasing the next major version of ZAP.
As there are so many changes we've decided to go to version 2.0.0 rather than 1.5, and some of the biggest changes have come about thanks to the Google Summer of Code (GSoC).
This is the first year in which ZAP has taken part in the GSoC, and it has been a resounding success.
Posted Monday October 22, 2012
I've been struggling with the question of ZAP releases.
We've made loads of enhancements to ZAP recently, and I want them to be available to as wide an audience as possible.
But I also want to make sure our ‘full’ releases remain as robust and stable as possible.