ZAP (software)

ZAP (Zed Attack Proxy) is a dynamic application security testing tool published under the Apache License. When used as a proxy server it allows the user to manipulate all of the traffic that passes through it, including HTTPS encrypted traffic. It can also run in a daemon mode which is then controlled via a REST-based API.

ZAP by Checkmarx

Logo including Checkmarx, since 2024
Stable release	2.16.1 / 7 May 2024; 12 months ago (2024-05-07)
Repository	github.com/zaproxy/zaproxy
Written in	Java
Operating system	Linux, Windows, macOS
Available in	25[1] languages
Type	Dynamic application security testing
License	Apache Licence
Website	www.zaproxy.org

History

ZAP was originally forked from Paros which was developed by Chinotec Technologies Company.^[2] Simon Bennetts, the project lead, stated in 2014 that only 20% of ZAP's source code was still from Paros.^[3]

The first release was announced on Bugtraq in September 2010, and became an OWASP project a few months later.^[4][5] In 2023, ZAP developers moved to the Linux Foundation, where they became a part of the Software Security Project.^[6][7][8] As of September 24, 2024, all of the main developers joined Checkmarx as employees and ZAP was rebranded as ZAP by Checkmarx.^[9]

ZAP was listed in the 2015 InfoWorld Bossie award for The best open source networking and security software.^[10]

Features

Some of the built in features include:

• An intercepting proxy server,
• Traditional and AJAX Web crawlers
• An automated scanner
• A passive scanner
• Forced browsing
• A fuzzer
• WebSocket support
• Scripting languages
• Plug-n-Hack support

See also

• Free and open-source software portal

• Web application security
• Burp suite
• W3af
• Fiddler (software)

Further reading

• Soper, Ryan; N Torres, Nestor; Almoailu, Ahmed (10 March 2023). Zed Attack Proxy Cookbook. Packt Publishing. ISBN 9781801810159.