blog

Sites Tree Modifiers

Posted 1169 Words
The Sites Tree is a key component of ZAP, and one whose purpose is often misunderstood. This blog post will explain why the Sites Tree is so important, how you can change it now and how you will be able to change it in the next ZAP release.

ZAP Tags

Posted 282 Words
How to give some colours to ZAP's History tab. An introduction to passive scanning tags, its use cases, and the Neonmarker add-on.

ZAP is Ten Years Old

Posted 490 Words
On September 6th 2010 I posted this message to Bugtraq: Title - The Zed Attack Proxy (ZAP) version 1.0.0. From those very humble beginnings ZAP has now become what we believe is the world’s most frequently used web application scanner.

ZAP JWT Support Add-on

Posted 423 Words
With the popularity of JSON Web Tokens (JWTs) comes the need to secure their use, so that they are not misused because of bad configuration, older libraries, or buggy implementations. The JWT Support add-on finds such vulnerabilities, and this blog post explains how to use it.

Introducing the GraphQL Add-on for ZAP

Posted 888 Words
GraphQL Schemas can be very large and testing them can be a very time-consuming process. Currently, there is a lack of tools that allow developers to launch and automate attacks on these endpoints. The GraphQL add-on for ZAP intends to fill this gap. The add-on is still in an early stage, so the range of its functionality is limited.

ZAP 2.9 Highlights

Posted 953 Words
Do you know what interesting bits were added to ZAP 2.9.0? Don't read release notes? This blog post is for you! Session Management Scripts, Proxy Info Display, Proxy Port Reservation Failure Handling, Options Panel(s) Filter, Active Scan Filter, and more.

Dynamic Application Security Testing with ZAP and GitHub Actions

Posted 598 Words
The ZAP full scan GitHub action provides free dynamic application security testing (DAST) of your web applications. DAST is also known as black-box testing: ZAP probes the running application from the outside, with no access to its source, to identify potential vulnerabilities. We previously introduced the ZAP baseline scan GitHub action, which passively identifies potential alerts in a web application.

Customize Alert Details

Posted 381 Words
Did you know that you or your company/organization could customize the generic details of the alerts that ZAP raises? Alerts raised by ZAP contain a variety of information, some generic, some specific to the issue at hand. Specific details include things such as the URL, parameter and values; generic details include the description, solution, and links to related background material and resources.

Automate Security Testing with ZAP and GitHub Actions

Posted 741 Words
With the increasing number of web application security breaches, it is essential to keep your web application secure at all times. Furthermore, having security integrated into your CI/CD pipeline (DevSecOps) is a lifesaver if you are actively developing the application. To cater to this need, ZAP provides a baseline scan that finds common security faults in a web application without performing any active attacks.
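To show how the two actions from these posts fit together in one pipeline, here is an added example workflow (not taken from either post or from the zaproxy project's own documentation): the passive baseline scan runs on every push, while the active full scan runs only on a schedule against a dedicated staging host. The target URLs, the `rules.tsv` file name, the action version tags and the secret name are assumptions; the inputs `target`, `rules_file_name`, `cmd_options` and `fail_action` are ones the two actions document.

```yaml
# Added example workflow; hostnames, version tags and secret names are assumed.
name: ZAP DAST

on:
  push:
    branches: [main]
  schedule:
    # Nightly at 02:00 UTC: active scanning sends attack payloads,
    # so it only ever targets a staging host we own, never production.
    - cron: "0 2 * * *"

jobs:
  baseline:
    # Passive only: spiders the site and inspects responses, no attacks sent.
    if: github.event_name == 'push'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: ZAP baseline scan
        uses: zaproxy/action-baseline@v0.4.0   # assumed version tag
        with:
          target: "https://staging.example.com"   # assumed URL
          # Tab-separated file in the repo that downgrades known noise,
          # e.g. "10096<TAB>IGNORE<TAB>(Timestamp Disclosure)".
          rules_file_name: ".zap/rules.tsv"
          # -a: include alpha passive rules; -j: use the AJAX spider too.
          cmd_options: "-a -j"
          # Fail the job (and so the build) when WARN/FAIL alerts remain.
          fail_action: true

  full-scan:
    # Active scan: injects payloads and can modify data on the target.
    if: github.event_name == 'schedule'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: ZAP full scan
        uses: zaproxy/action-full-scan@v0.4.0   # assumed version tag
        with:
          token: ${{ secrets.GITHUB_TOKEN }}   # lets the action open an issue with findings
          target: "https://staging.example.com"   # assumed URL, staging only
          rules_file_name: ".zap/rules.tsv"
          # -a: alpha rules; -j: AJAX spider; -m 10: cap spider time at 10 minutes.
          cmd_options: "-a -j -m 10"
          fail_action: true
```

The split matters for more than runtime: the baseline scan is safe to point at almost anything you are allowed to test, whereas the full scan behaves like an attacker and should be gated to environments where a successful injection cannot touch real users or data. Keep the rules file under review so that IGNORE entries do not silently hide regressions.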

Is ZAP the World’s most Popular Web Scanner?

Posted 394 Words
I’ve stated that ZAP is the world’s most popular free and open source web application scanner on stage at security conferences around the world for many years. No one has ever contradicted me so it must be true :) However I’ve started to wonder if ZAP is actually more popular than most if not all of the commercial scanners as well?

ZAP SSRF Setup

Posted 604 Words
Some vulnerabilities can only be found by sending payloads that cause a callback to the tester. One example is an XXE vulnerability where the result of parsing the XML is never returned to the user. ZAP can find the vulnerabilities that depend on this kind of out-of-band detection, but the target system needs to be able to reach the ZAP callback endpoint.

Dark Mode in the Weekly Release

Posted 110 Words
We release ZAP every week: https://www.zaproxy.org/download/#weekly We’re happy to announce that this week’s release includes the first steps towards an all new dark mode for the ZAP Desktop UI: It’s early days - not all screens use suitable colours, but it should be mostly usable. To enable it in the weekly release:

The ZAP Blog has Moved

Posted 173 Words
OK, OK, it's been a long time since the last ZAP blog post. But we certainly have not been idle - since that last blog post we've published 3 full ZAP releases, well over 100 weekly releases and a shiny new web site: https://zaproxy.org/