The ZAP Blog on ZAP

Scanning MCP Servers with ZAP

Thu, 21 May 2026 00:00:00 +0000

ZAP can now scan MCP (Model Context Protocol) servers as a first-class target. Import an MCP server from the ZAP desktop or the Automation Framework, or run the new action-mcp-scan GitHub Action to scan one from CI.

Automating OWASP PTK with ZAP (Phase 1)

Wed, 06 May 2026 00:00:00 +0000

ZAP’s Automation Framework can now drive OWASP PTK scans using the Client Spider. This is an early release - we want you to try it and give us feedback while we work toward deeper integration with ZAP’s active and passive scan engines.

ZAP Updates - April 2026

Fri, 01 May 2026 00:00:00 +0000

ZAP was started nearly 10 million times in April, and the main zaproxy repo hit 15,000 GitHub stars. Read on for blog post summaries and the full add-on changelog.

Vibe Coding Security Fixes

Wed, 15 Apr 2026 00:00:00 +0000

ZAP now has a “Generate Fix Prompt” option that copies everything an LLM needs to fix a vulnerability straight to your clipboard. Also: ZAP was run 9.5 million times in March. Vibe coding, anyone?

Use ZAP with KRO in Kubernetes

Mon, 13 Apr 2026 00:00:00 +0000

Learn how to integrate ZAP with KRO in a Kubernetes cluster to scan the security of each new deployment.

ZAP Updates - March 2026

Fri, 03 Apr 2026 00:00:00 +0000

ZAP was started nearly 9.5 million times in March, published integrations with 3 other open source projects, and released the first of many AI related features.

The ZAP MCP Server

Thu, 02 Apr 2026 00:00:00 +0000

Connect AI assistants like Claude and ChatGPT to ZAP via the Model Context Protocol. Start scans, read alerts, and explore your application—all through natural conversation.

OWASP PTK Findings as ZAP Alerts (Juice Shop Walkthrough)

Wed, 01 Apr 2026 00:00:00 +0000

OWASP PTK 9.8.0 and the ZAP OWASP PTK add-on 0.3.0 now let ZAP display OWASP PTK findings directly as ZAP Alerts. This post shows how to install the add-on, choose which PTK rules to run (SAST / IAST / DAST), optionally auto-start scans on browser launch, and then scan OWASP Juice Shop with all results visible in ZAP.

Guided ZAP Scans: Faster CI/CD Feedback Using Static Analysis

Fri, 27 Mar 2026 00:00:00 +0000

This post describes an approach that uses static analysis findings to guide ZAP’s active scans toward the most relevant endpoints. The result is a faster scanning mode suited for CI/CD pipelines, built on top of ZAP’s Automation Framework.

Introducing DeepViolet

Thu, 19 Mar 2026 00:00:00 +0000

Introducing DeepViolet: The Engine Behind ZAP’s New TLS Analysis

ZAP Updates - February 2026

Mon, 02 Mar 2026 00:00:00 +0000

February was another busy month for the ZAP project, with improvements across browser automation, GraphQL and the Encode/Decode/Hash add-on.

Custom Browsers and Preferences

Tue, 24 Feb 2026 00:00:00 +0000

You can now add custom browsers to ZAP and manage any browser preferences.

Using ZAP's Encode/Decode/Hash Add-on with CyberChef via Encode/Decode Scripts

Tue, 17 Feb 2026 00:00:00 +0000

Combine the Encode/Decode/Hash add-on with CyberChef operations in ZAP Encode/Decode Scripts for flexible encoding, decoding, and hashing in your testing workflow.

Detecting Circular Type References in GraphQL Schemas

Fri, 06 Feb 2026 00:00:00 +0000

ZAP can now detect cycles in GraphQL schemas that could lead to denial of service attacks.

ZAP Updates - 2025 Highlights and Plans for 2026

Mon, 02 Feb 2026 00:00:00 +0000

Highlights of 2025 and our initial plans for 2026, including more 3rd Party tool integrations, enhanced exploring and, yes, AI integration!

OWASP PTK Integration with ZAP

Mon, 19 Jan 2026 00:00:00 +0000

OWASP PTK is now pre-installed in the browsers launched by ZAP (Chrome, Edge and Firefox). This post shows how to run PTK’s DAST, IAST, SAST, and SCA inside the same authenticated session you’re testing, plus practical JWT and cookie workflows—while ZAP remains your traffic and context hub.

ZAP 2.17.0

Mon, 15 Dec 2025 00:00:00 +0000

ZAP 2.17.0 has just been released. The release includes core performance improvements and will significantly reduce the number of “duplicate” alerts reported.

React2Shell Detection with ZAP

Fri, 05 Dec 2025 00:00:00 +0000

React2Shell is the latest big “named” vulnerability - heres how you can detect it with ZAP.

ZAP Updates - November 2025

Wed, 03 Dec 2025 00:00:00 +0000

2.17.0 is coming soon, along with Insights and fixes for some issues that caused ZAP to log 50 million errors in one day!

Enhancing ZAP with AI for Bug Bounty Hunting

Fri, 28 Nov 2025 00:00:00 +0000

Building an intelligent security testing system that leverages ZAP’s automation capabilities and machine learning to improve vulnerability detection

50 Million Errors in One Day?!

Tue, 25 Nov 2025 00:00:00 +0000

ZAP logged a LOT of errors yesterday - heres why, and what we have already done to address the underlying problems

ZAP Updates - October 2025

Thu, 06 Nov 2025 00:00:00 +0000

Systemic alerts, check for updates bug, auth improvements, project pulse, etc See what the ZAP team has been up to.

SHH! ZAP Was Not So Silent

Tue, 21 Oct 2025 00:00:00 +0000

A new ZAP scan rule unintentionally caused a Check for Updates call even when “silent” mode was used.

Solving Caido Labs

Wed, 15 Oct 2025 00:00:00 +0000

In this blog we show how to solve Caido labs using ZAP.

ZAP Updates - September 2025

Wed, 01 Oct 2025 00:00:00 +0000

Configuring scan policies with alert tags, WAVSEP adoption, alert de-duplication and a new add-on publishing guide.

Alert De-Duplication

Tue, 30 Sep 2025 00:00:00 +0000

How and why we will be reporting fewer “duplicate” alerts in ZAP.

ZAP is Adopting WAVSEP

Mon, 08 Sep 2025 00:00:00 +0000

The ZAP team has forked and will maintain WAVSEP going forwards. This blog post explains why.

Configuring Scan Policies with Alert Tags

Wed, 03 Sep 2025 00:00:00 +0000

A new feature in ZAP’s automation framework allows you to configure scan policies using alert tags, making it easier to target specific types of vulnerabilities without manually managing individual scan rules.

ZAP Updates - August 2025

Tue, 02 Sep 2025 00:00:00 +0000

Microsoft Online Login Support, forking wavsep and much, much more!

ZAP Updates - July 2025

Fri, 01 Aug 2025 00:00:00 +0000

Authentication improvements, Edge support, timing rule changes, Docker news, and a new scan rule.

The New 'ZAP is Out of Date' Rule

Fri, 25 Jul 2025 00:00:00 +0000

If you are using an old version of ZAP then you might start seeing a new alert…

Timing Related Scan Rule Changes

Tue, 22 Jul 2025 00:00:00 +0000

Scan rules related to time based attacks have been split or renamed.

Edge Support

Thu, 10 Jul 2025 00:00:00 +0000

ZAP now has “tier 1” support for Microsoft Edge, including exploring, crawling, and attacking.

Authentication Improvements

Thu, 03 Jul 2025 00:00:00 +0000

We’ve made a lot of improvements in ZAP’s handling of authentication - here’s a summary of the most significant changes we’ve made.

ZAP Updates - June 2025

Tue, 01 Jul 2025 00:00:00 +0000

A new Intro video, lots of authentication work, and more news on the ZAP browser extensions.

ZAP Updates - April 2025

Mon, 05 May 2025 00:00:00 +0000

April 2025 updates and ongoing feature development statuses.

ZAP Wins Inaugural DefectDojo Award for Open-Source Cybersecurity

Tue, 22 Apr 2025 00:00:00 +0000

ZAP was recognised as being one of the best dynamic application security testing (DAST) Tools.

PortSwigger Labs: Broken Brute-Force Protection, IP Block

Wed, 09 Apr 2025 00:00:00 +0000

Walkthrough for the PortSwigger lab, “Broken brute-force protection, IP block”.

ZAP Updates - March 2025

Wed, 02 Apr 2025 00:00:00 +0000

We released 2.16.1 and made more authentication handling improvements.

ZAP 2.16.1

Tue, 25 Mar 2025 00:00:00 +0000

ZAP 2.16.1 has just been released. This is a bug fix release, along with some minor enhancements

ZAP Updates - February 2025

Mon, 03 Mar 2025 00:00:00 +0000

Authentication, authentication, authentication… And there will be a 2.16.1 release “soon”.

Solving Portswigger Lab File Path Traversal Simple Case with ZAP

Thu, 27 Feb 2025 00:00:00 +0000

Video and explanation of How to Solve the Portswigger labs using ZAP, in this case: ‘Path Traversal Simple Case’

ZAP Updates - January 2025

Tue, 04 Feb 2025 00:00:00 +0000

Starting 2025 with a full release, a new way to crawl modern web apps, and better authentication capabilities.

The Client Spider

Fri, 31 Jan 2025 00:00:00 +0000

We introduced a new Client Spider in ZAP 2.16.0, this blog post and video explain why we did that, how it works, and where it’s going

ZAP 2.16.0

Fri, 10 Jan 2025 00:00:00 +0000

ZAP 2.16.0 has just been released. It includes a brand new spider, detachable tabs, policy definitions, and lots more…

Use ZAP with Flagger in Kubernetes

Tue, 24 Dec 2024 00:00:00 +0000

Learn how to integrate ZAP with Flagger in a Kubernetes cluster to scan the security of each new deployment.

ZAP Updates - November 2024

Mon, 02 Dec 2024 00:00:00 +0000

A brand new Scan Policies add-on, how to integrate ZAP with OWASP Noir and ZAP 2.16.0 is getting very close..

Powering Up DAST with ZAP and Noir

Mon, 11 Nov 2024 00:00:00 +0000

Integrating Noir, a tool for discovering hidden endpoints in source code, with ZAP enhances dynamic application security testing (DAST).

ZAP Updates - October 2024

Fri, 01 Nov 2024 00:00:00 +0000

ZAP Updates are back after a small break. Read about the updates from October, including an upgrade to Java 17, scanning of sequenced requests, a potential LLM integration, and more.

Improving Fuzzing Payloads for LLMs with FuzzAI

Mon, 30 Sep 2024 00:00:00 +0000

Improving Fuzzing Payloads for LLMs with FuzzAI, and a call for community feedback.

ZAP Has Joined Forces With Checkmarx

Tue, 24 Sep 2024 00:00:00 +0000

This is a huge investment (and vote of confidence) in ZAP and will secure the project’s future success.

ZAP Scripts are now Full Scan Rules!

Wed, 17 Jul 2024 00:00:00 +0000

ZAP scripts can now do everything that scan rules can.

Polyfill.io Script Detection

Thu, 27 Jun 2024 00:00:00 +0000

A new scan rule which allows you to find out which of your sites are loading scripts from polyfill.io really quickly.

Should ZAP Switch to a Non-OSI Approved Licence?

Fri, 07 Jun 2024 00:00:00 +0000

Yes, we are still struggling to find a way to make ZAP development sustainable.

ZAP Updates - May 2024

Mon, 03 Jun 2024 00:00:00 +0000

It was another “full release” month, with 2.15.0 and a brand new add-on for gRPC support.

Introducing the gRPC Add-on

Tue, 21 May 2024 00:00:00 +0000

Introducing a new add-on for viewing and attacking gRPC endpoints.

ZAP 2.15.0

Tue, 07 May 2024 00:00:00 +0000

ZAP 2.15.0 has just been released, and adds support for scripts as first class scan rules, restructured desktop menu items, and more…

ZAP Updates - April 2024

Wed, 01 May 2024 00:00:00 +0000

ZAP professional services, a new Docker Hub org, a new GitHub Action and 2.15.0 is coming soon.

ZAP Professional Services!

Mon, 08 Apr 2024 00:00:00 +0000

ZAP Professional Services are now available, delivered by key members of the ZAP Core Team. Money raised from these services will help fund ZAP development.

ZAP Updates - March 2024

Tue, 02 Apr 2024 00:00:00 +0000

ZAP funding, the Open Source Fellowship, ZAProxy Ltd, script scan rules as first class scan rules.

Support Changes

Mon, 18 Mar 2024 00:00:00 +0000

Changes that we are having to put in place regarding ZAP support.

ZAP Funding and the Open Source Fellowship

Wed, 13 Mar 2024 00:00:00 +0000

ZAP is now supported by the Crash Override Open Source Fellowship!

Unveiling the ZAP User Personas

Mon, 11 Mar 2024 00:00:00 +0000

Unveiling the ZAP User Personas - Insights from Our Community

ZAP Updates - February 2024

Mon, 04 Mar 2024 00:00:00 +0000

Restructured desktop menus, OWASP Docker Hub depreciation, Funding, and GSoC.

ZAP Professional Services?

Mon, 19 Feb 2024 00:00:00 +0000

Would you be interested in ZAP based professional services? If so please get in touch.

ZAP Updates - January 2024

Fri, 02 Feb 2024 00:00:00 +0000

ZAP funding investigations, a CLA and Google Summer of Code.

Signing Requests using RSA Keys

Mon, 29 Jan 2024 00:00:00 +0000

A new script in the community-scripts repository enables the signing of outgoing requests with RSA keys, addressing the challenge of testing applications that require this functionality.

ZAP Contributor License Agreement

Tue, 23 Jan 2024 00:00:00 +0000

We are introducing a Contributor License Agreement to cover all ZAP contributions.

2023 in Review

Wed, 03 Jan 2024 00:00:00 +0000

A summary of everything ZAP related that happened in 2023.

Discovering Our Users - The ZAP User Personas Questionnaire

Thu, 21 Dec 2023 00:00:00 +0000

Join our journey to tailor ZAP for every user, by sharing your unique insights and experiences. Your perspective is the key to unlocking ZAP’s full potential for everyone in the cybersecurity community.

Automated ZAP Scans for Orchard Core Apps

Fri, 08 Dec 2023 00:00:00 +0000

If you have an app running on the ASP.NET Core web framework and CMS Orchard Core, you can now easily run ZAP scans for it.

ZAP Development Focus Questionnaire Results

Mon, 04 Dec 2023 00:00:00 +0000

The questionnaire results, and what we’re doing about the things you care about most.

ZAP Updates - November 2023

Fri, 01 Dec 2023 00:00:00 +0000

Improved modern web app handling and lots of videos.

ZAP Technology Support

Mon, 20 Nov 2023 00:00:00 +0000

How you can tell ZAP which technology your target uses, and why it can be a really good idea.

Handling Modern Web Apps Better - Part 1

Fri, 03 Nov 2023 00:00:00 +0000

Introducing a new add-on which allows ZAP (and you) to see what is going on in the browser.

ZAP Updates - October 2023

Thu, 02 Nov 2023 00:00:00 +0000

A new ZAP version, a CLI feature to do quick reconnaissance, and more!

Map Local Add-on

Tue, 31 Oct 2023 00:00:00 +0000

Allows mapping of responses to content of chosen local file.

ZAPit

Wed, 18 Oct 2023 00:00:00 +0000

Want to find out as much info about a URL as possible really quickly? Then ZAPit!

ZAP 2.14.0

Thu, 12 Oct 2023 00:00:00 +0000

ZAP 2.14.0 has just been released, and adds support for Host Header Manipulation, ZAPit, API File Transfers, Graal JS Add-on Access, Postman collections, SBOMs, and more…

ZAP Updates - September 2023

Mon, 02 Oct 2023 00:00:00 +0000

Both of our GSoC students completed their projects, and we started a new video series.

Postman Add-on

Mon, 25 Sep 2023 00:00:00 +0000

Import Postman collections with the new Postman add-on for ZAP.

ZAP Chat Video Series

Fri, 15 Sep 2023 00:00:00 +0000

We have just started a new series of videos called ZAP Chat which focus on ZAP features, new and old.

GSoC 2023 Browser Recorder

Mon, 11 Sep 2023 00:00:00 +0000

ZAP has introduced a new feature to record pre-task activities such as logging in etc. using Browser Recorder.

Parsing .DS_Store files with ZAP

Fri, 08 Sep 2023 00:00:00 +0000

ZAP Spider can now probe and parse macOS’ .DS_Store files.

ZAP Updates - August 2023

Fri, 01 Sep 2023 00:00:00 +0000

August 2023 was a big change for us!

What Should We Focus On?

Tue, 29 Aug 2023 00:00:00 +0000

We want your input on what we should focus on as part of ZAP development.

Community - Tips and Tricks

Fri, 25 Aug 2023 00:00:00 +0000

News about a community area to contribute ZAP usage tips and tricks.

ZAP is Available via Winget

Mon, 21 Aug 2023 00:00:00 +0000

You can now install ZAP via winget - the Windows Package Manager

ZAP is Joining the Software Security Project

Tue, 01 Aug 2023 00:00:00 +0000

I’m delighted to announce that ZAP is joining the new Software Security Project (SSP) as one of the founding projects. This does however mean we are leaving OWASP.

ZAP 2.13.0

Wed, 12 Jul 2023 00:00:00 +0000

ZAP 2.13.0 has just been released, and adds support for HTTP/2, improved authentication handling and Mac Silicon.

ZAP Updates - June 2023

Wed, 05 Jul 2023 00:00:00 +0000

June 2023 updates and ongoing feature development statuses.

ZAP Docker Images in GitHub Container Registry

Tue, 13 Jun 2023 00:00:00 +0000

ZAP Docker images are now also published to the GitHub Container Registry.

ZAP Updates - May 2023

Thu, 01 Jun 2023 00:00:00 +0000

May 2023 updates and ongoing feature development statuses.

Authentication Tester Dialog

Tue, 23 May 2023 00:00:00 +0000

There is now a really easy way to check if ZAP can handle your app’s authentication.

ZAP Updates - April 2023

Wed, 03 May 2023 00:00:00 +0000

April 2023 updates - the ZAP 2.13.0 Release Candidate is available now!

Authentication Auto-Detection

Tue, 02 May 2023 00:00:00 +0000

ZAP can now automatically detect and configure itself to handle common authentication mechanisms.

ZAP Updates - March 2023

Mon, 03 Apr 2023 00:00:00 +0000

March 2023 updates and ongoing feature development statuses.

How Should We Fund ZAP Development?

Thu, 09 Mar 2023 00:00:00 +0000

We would love to be able to make ZAP even better for you - your feedback on how that could be funded would be appreciated!

ZAP Updates 2023 January

Thu, 02 Feb 2023 00:00:00 +0000

The January 2023 updates including authentication improvements and future plans.

Authenticating Using Selenium

Wed, 01 Feb 2023 00:00:00 +0000

How to configure ZAP to handle complex authentication using Selenium.

Authentication Help

Thu, 19 Jan 2023 00:00:00 +0000

Handling authentication in automation is hard, but help is on its way.

2022 in Review

Tue, 03 Jan 2023 00:00:00 +0000

A summary of everything ZAP related that happened in 2022.

The Twelve Days of ZAPmas

Sat, 24 Dec 2022 00:00:00 +0000

A reply to an excellent blog series from Secure Ideas: Twelve Days of ZAPmas - ZAP impressions from a Burp user.

ZAP Updates 2022 November

Thu, 01 Dec 2022 00:00:00 +0000

The November 2022 updates, following the 2.12.0 release.

Monthly Active Scan Rule Statistics

Thu, 03 Nov 2022 00:00:00 +0000

See the data behind the most popular active scan rules every month

ZAP 2.12.0 - the Ten Thousand Star Release

Thu, 27 Oct 2022 00:00:00 +0000

ZAP 2.12.0 has just been released, and as the main zaproxy/zaproxy repo has just reached 10k stars we’re calling this the Ten Thousand Star Release

ZAP and Hacktoberfest 2022

Sat, 01 Oct 2022 00:00:00 +0000

ZAP is participating in Hacktoberfest 2022.

ZAP Updates 2022 September

Fri, 30 Sep 2022 00:00:00 +0000

The September 2022 updates, including our new Platinum Supporter - Jit, GSoC 2022 success, more news on the forthcoming 2.12.0 release, and no less than 31 add-on updates!

New Platinum Supporter: Jit

Wed, 14 Sep 2022 00:00:00 +0000

Simon’s work on ZAP is now sponsored by Jit.

Hacking ZAP - ZAP Extender Scripts

Tue, 13 Sep 2022 00:00:00 +0000

An overview of ZAP Extender scripts with examples. Use ZAP as a web server, subscribe to internal ZAP events, and more!

ZAP Updates 2022 August

Wed, 31 Aug 2022 00:00:00 +0000

All of the things that have been happening related to ZAP in August 2022.

Spider News

Tue, 30 Aug 2022 00:00:00 +0000

News about changes to the Traditional Spider for the up-coming release.

Running ZAP on a raspberry pi

Thu, 25 Aug 2022 00:00:00 +0000

Setting up ZAP on the raspberry pi.

The Param Digger Add-on GSOC 2022

Mon, 22 Aug 2022 00:00:00 +0000

The parameter discovery add-on for ZAP.

Help Needed: Fund ZAP Development

Fri, 17 Jun 2022 00:00:00 +0000

Has ZAP helped you? Now it is your turn to help ZAP.

The Requester Add-on

Tue, 10 May 2022 00:00:00 +0000

An add-on aimed squarely at the pentesters.

PortSwigger Labs: Username Enumeration with ZAP Scripts

Thu, 14 Apr 2022 00:00:00 +0000

How to solve the PortSwigger Lab: Username enumeration via account lock using ZAP scripts.

PortSwigger Labs: 2FA Broken Logic

Wed, 06 Apr 2022 00:00:00 +0000

How to solve the PortSwigger Lab: 2FA Broken Logic using ZAP.

Spring4Shell Detection with ZAP

Mon, 04 Apr 2022 00:00:00 +0000

How to detect Spring4Shell with the new Spring4Shell Alpha Active Scan Rule.

PortSwigger Labs: Password Brute-force via Password Change with ZAP

Tue, 29 Mar 2022 00:00:00 +0000

How to solve the PortSwigger Lab: Password Brute-force via Password Change using ZAP.

ZAPCon 2022 Schedule is Now Live

Wed, 16 Feb 2022 00:00:00 +0000

I am excited to share that we’ve just released the speaker lineup and schedule for the ZAPCon 2022! ZAPCon takes place on March 8-9, with one day of talks and one day of incredible workshops.

New ZAP Networking Layer

Thu, 10 Feb 2022 00:00:00 +0000

The ZAP Weekly and Live releases have an all new networking layer.

ZAPCon 2022 Call - for Papers

Fri, 17 Dec 2021 00:00:00 +0000

ZAPCon is returning for its second year! The second annual ZAP user conference will take place on March 8, 2022 and the Call for Papers is open!.

Log4Shell Detection with ZAP

Tue, 14 Dec 2021 00:00:00 +0000

A walkthrough of using the new Log4Shell Alpha Active Scan rule with the ZAP Automation Framework.

ZAP and Log4Shell

Fri, 10 Dec 2021 00:00:00 +0000

ZAP appears to be impacted by the Log4Shell vulnerability - CVE-2021-44228. We have released ZAP 2.11.1 which fixes the problem, this blog post gives more information and the impact on older versions of ZAP.

The Eval Villain Add-on

Wed, 01 Dec 2021 00:00:00 +0000

Eval Villain was recently added to the ZAP Marketplace. This add-on installs the Eval Villain web extension in Firefox and allows the inspection of arguments to arbitrary native JavaScript functions.

Launching Browsers with Extensions

Fri, 26 Nov 2021 00:00:00 +0000

You can now launch your favourite browsers from ZAP with your favourite extensions.

OWASP Outstanding Project 2021

Wed, 24 Nov 2021 00:00:00 +0000

ZAP has been awarded the 2021 Waspy Award for Outstanding Project, as selected by OWASP Members.

ZAP Telemetry Plans

Mon, 25 Oct 2021 00:00:00 +0000

We are planning to add telemetry to ZAP - data that will tell us more about how ZAP is being used. This blog post explains why we are planning on doing this, what data we plan to collect, what data we will definitely not collect, the benefits you can expect, and how you will be able to opt out of it.

ZAP 2.11.0

Thu, 07 Oct 2021 00:00:00 +0000

ZAP 2.11.0 (also known as the OWASP 20th anniversary release) is available now.

Major changes include:

Alert Tags

Alerts can now be tagged with arbitrary keys or key=value pairs - this can be done via the desktop GUI and the API.

Out-of-band Application Security Testing with OWASP ZAP

Mon, 23 Aug 2021 00:00:00 +0000

An overview of the features of the OAST add-on for OWASP ZAP. This add-on allows you to discover out-of-band vulnerabilities like SSRF.

Retesting alerts with OWASP ZAP

Mon, 23 Aug 2021 00:00:00 +0000

An overview of the features of the Retest add-on for OWASP ZAP. This add-on allows you to retest for previously generated alerts.

ZAP FileUpload Add-on

Fri, 20 Aug 2021 00:00:00 +0000

Overview

File upload is becoming a more and more essential part of any application, where the user is able to upload their photo, their CV, or a video showcasing a project they are working on. The application should be able to fend off bogus and malicious files in a way to keep the application and the users safe. Generally file upload functionality is quite complex to automate and has huge attack surface hence there is a need to automate the process and also secure it. So the FileUpload add-on has scan rule which is used to find vulnerabilities in file upload functionality and this blog explains on how to use it.

Community Questionnaire Results

Tue, 29 Jun 2021 00:00:00 +0000

The results of the Community Questionnaire which we ran during the first half of 2021.

Baseline Scan Changes

Tue, 15 Jun 2021 00:00:00 +0000

Important information for anyone who uses the baseline scan in the Live or Weekly Docker images.

Collecting Statistics for Open Source Projects

Mon, 19 Apr 2021 00:00:00 +0000

This blog post will show you how you can collect and publish statistics on your open source projects using free resources and open source scripts, based on the setup we have for ZAP.

ZAP 2.10 Features

Mon, 29 Mar 2021 00:00:00 +0000

Do you know what interesting bits were added to ZAP 2.10.0? Don’t read release notes? This blog post is for you! Dark mode, Expand/Collapse top panes, Custom pages, Scriptable encode/decode/hash, Authentication polling, Auth header via ENV vars, Site tree control, and more.

ZAP Report Competition

Fri, 12 Mar 2021 00:00:00 +0000

Help us add modern, useful and stylish reports to ZAP - the competition is now open until October 1st 2021.

ZAPCon 2021 is Nearly Here

Thu, 04 Mar 2021 00:00:00 +0000

The talks and speakers have been announced. See https://zapcon.io

Automate checking ASVS controls using ZAP scripts

Wed, 10 Feb 2021 00:00:00 +0000

Write scripts in ZAP which will check a target application’s compliance against ASVS controls.

Run ZAP without Java using Docker and Webswing

Wed, 03 Feb 2021 00:00:00 +0000

You can access the ZAP Desktop even when it is running in Docker, and that means you do not have to install Java if you do not want to.

1st Ever ZAPCon - Call For Papers

Thu, 28 Jan 2021 00:00:00 +0000

Today we are calling for topics and speakers in the first-ever OWASP ZAP User Conference!

ZAP 2.10.0 - The 10 Year Anniversary Release

Mon, 21 Dec 2020 00:00:00 +0000

ZAP 2.10.0 has just been released so we’re treating this as a belated 10 year anniversary release!

Sites Tree Modifiers

Tue, 22 Sep 2020 00:00:00 +0000

The Sites Tree is a key component of ZAP, and one whose purpose is often misunderstood. This blog post will explain why the Sites Tree is so important, how you can change it now and how you will be able to change it in the next ZAP release.

ZAP Tags

Mon, 14 Sep 2020 00:00:00 +0000

How to give some colours to ZAP’s History tab. An introduction to passive scanning tags, its use cases, and the Neonmarker add-on.

ZAP is Ten Years Old

Sun, 06 Sep 2020 00:00:00 +0000

On September 6th 2010 I posted this message to Bugtraq: Title - The Zed Attack Proxy (ZAP) version 1.0.0. From those very humble beginnings ZAP has now become what we believe is the world’s most frequently used web application scanner.

ZAP JWT Support Add-on

Thu, 03 Sep 2020 00:00:00 +0000

With the popularity of JSON Web Tokens (JWTs) there comes the need to secure their use so that they are not misused because of bad configuration, older libraries, or buggy implementations. So the JWT Support add-on is used to find such vulnerabilities and this blog explains on how to use it.

Introducing the GraphQL Add-on for ZAP

Fri, 28 Aug 2020 00:00:00 +0000

GraphQL Schemas can be very large and testing them can be a very time-consuming process. Currently, there is a lack of tools that allow developers to launch and automate attacks on these endpoints. The GraphQL add-on for ZAP intends to fill this gap.

The add-on is still in an early stage, so the range of its functionality is limited. However, you can combine it with existing ZAP functionality to abuse GraphQL endpoints in many different ways.

ZAP 2.9 Highlights

Thu, 04 Jun 2020 00:00:00 +0000

Do you know what interesting bits were added to ZAP 2.9.0? Don’t read release notes? This blog post is for you! Session Management Scripts, Proxy Info Display, Proxy Port Reservation Failure Handling, Options Panel(s) Filter, Active Scan Filter, and more.

Dynamic Application Security Testing with ZAP and GitHub Actions

Fri, 15 May 2020 00:00:00 +0000

ZAP full scan GitHub action provides free dynamic application security testing (DAST) of your web applications. DAST is also known as black-box testing, which allows ZAP to identify potential vulnerabilities in your web applications. We previously introduced the ZAP baseline scan GitHub action to passively identify potential alerts in a web application. However, unlike the baseline scan, ZAP full scan attacks the web application to find additional vulnerabilities.

Customize Alert Details

Mon, 11 May 2020 00:00:00 +0000

Did you know that you or your company/organization could customize the generic details of the alerts that ZAP raises?

Alerts raised by ZAP contain a variety of information, some generic, some specific to the issue at hand. Specific details may include things such as URL, parameter, values, etc. While generic details include things like a description, solution, and links to related background material and resources.

Automate Security Testing with ZAP and GitHub Actions

Thu, 09 Apr 2020 00:00:00 +0000

With the increasing number of web application security breaches, it is essential to keep your web application secure at all times. Furthermore having security integrated into your CI/CD pipeline (DevSecOps) will become a lifesaver if you are actively developing the application. To cater to this need ZAP provides a baseline scan feature to find common security faults in a web application without doing any active attacks.

Is ZAP the World’s most Popular Web Scanner?

Thu, 02 Apr 2020 00:00:00 +0000

I’ve stated that ZAP is the world’s most popular free and open source web application scanner on stage at security conferences around the world for many years. No one has ever contradicted me so it must be true :)

However I’ve started to wonder if ZAP is actually more popular than most if not all of the commercial scanners as well?

ZAP SSRF Setup

Mon, 09 Mar 2020 00:00:00 +0000

Some vulnerabilities can only be found by sending payloads that cause a callback to the tester. One example is XXE vulnerabilities when the XML rendering result is not available to the user. ZAP can find these vulnerabilities that depend on SSRF detection but the target system needs to be able to reach the ZAP callback endpoint. In many cases the computer running ZAP is behind some kind of NAT and doesn’t have a public IP so it will not receive the expected callbacks and miss some of the existent vulnerabilities.

Dark Mode in the Weekly Release

Wed, 04 Mar 2020 00:00:00 +0000

We release ZAP every week: https://www.zaproxy.org/download/#weekly

We’re happy to announce that this week’s release includes the first steps towards an all new dark mode for the ZAP Desktop UI:

It’s early days - not all screens use suitable colours, but it should be mostly usable. To enable it in the weekly release:

The ZAP Blog has Moved

Mon, 02 Mar 2020 00:00:00 +0000

OK, OK, it’s been a long time since the last ZAP blog post. But we certainly have not been idle - since that last blog post we’ve published 3 full ZAP releases, well over 100 weekly releases and a shiny new web site: https://zaproxy.org/

Because we now have a new website we’ve decided to move our blog from https://zaproxy.blogspot.com/ to https://zaproxy.org/blog/. As part of that move all of the old blog posts have been moved to the new site and updated to fix some of the links that had broken.

ZAP Browser Launch

Tue, 22 Aug 2017 00:00:00 +0000

We have just released a new feature for ZAP that allows you to launch browsers from within ZAP. The browsers are automatically configured to proxy via ZAP and ignore certificate warnings, making it much easier for people to get started with ZAP as well as for more experienced users who want to use ZAP with a variety of browsers. You can install and use Browser Launch right now via the ZAP Marketplace, which can be accessed via the ‘Manage Add-ons’ button in ZAP:

Scanning APIs with ZAP

Mon, 19 Jun 2017 00:00:00 +0000

The previous ZAP blog post explained how you could Explore APIs with ZAP.
This blog post goes one step further, and explains how you can both explore and perform security scanning of APIs using ZAP from the command line.
This allows you to easily automate the scanning of your APIs.

Exploring APIs with ZAP

Mon, 03 Apr 2017 00:00:00 +0000

APIs can be challenging for security testing for a variety of reasons.
The first problem you will encounter is how to effectively explore an API - most APIs cannot be explored using browsing or standard spidering techniques.
However many APIs are described using technologies such as:

These standards define the API endpoints and can be imported into ZAP using 2 optional add-ons.

Introducing the JxBrowser add-on for ZAP

Mon, 06 Feb 2017 00:00:00 +0000

As modern web applications are increasing their reliance on JavaScript, security tools that do not understand JavaScript will not be able to work effectively with them. ZAP already has components like the Ajax Spider and DOM XSS scanner that work by launching browsers and controlling them via Selenium, and we are planning to make much more use of browsers in the future.

Announcing the ZAP Jenkins Plugin

Tue, 22 Nov 2016 00:00:00 +0000

Using ZAP during the development process is now easier than ever. We are proud to present the Jenkins plugin, it extends the functionality of the ZAP security tool into a CI Environment.

The process explained

A Jenkins CI Build step initializes ZAP
Traffic flows (Regression Pack) through ZAP (Web Proxy)
ZAP modifies requests to include Vulnerability Tests
Target Application/Server sends Response back through ZAP
ZAP sends reporting data back to Jenkins
Jenkins publishes and archives the report(s)
Jenkins creates JIRA tickets for the alerts

The ZAP Jenkins plugin makes use of the readily available and diverse ZAP API, allowing you to use the same session files and scan policy profiles between ZAP and the Jenkins plugin, so they can be interchangeably loaded.

Announcing ZAP Unit Test Bounties

Mon, 22 Aug 2016 00:00:00 +0000

Unit tests are wonderful things, but they are painful to add to a mature project that doesn’t have enough of them. We would love to have more ZAP unit tests, and we are therefore launching a Unit Test Bounty program, where we pay for unit tests for specific areas of the ZAP codebase.

ZAP 2.5.0

Fri, 03 Jun 2016 00:00:00 +0000

ZAP 2.5.0 is now available.

This release contains a large number of enhancements and fixes which are detailed in the release notes.

API changes

There have been some API changes which are not backwards compatible, and the reason for the version change to 2.5. These are detailed in the release notes.
The API has also been extended to cover even more of the functionality in ZAP, including full access to the statistics.

ZAP Newsletter - 2016 March

Tue, 29 Mar 2016 00:00:00 +0000

Introduction

Welcome to the March newsletter, read on for some really good news, details of the new site level stats ZAP now supports and an introduction to scripting.

ZAP Newsletter - 2016 February

Fri, 19 Feb 2016 00:00:00 +0000

Introduction

Welcome to a slightly delayed February newsletter - we were holding on for some expected news that will now have to wait until next time ;)

ZAP Newsletter - 2016 January

Mon, 04 Jan 2016 00:00:00 +0000

Introduction

Happy New Year!
For the first newsletter of 2016 we have a special feature on a new vulnerability “XCOLD Information Leak” that caught the eye of one of our key contributors, how he found it and how you can use a new ZAP rule to detect it.

ZAP Newsletter - 2015 December

Tue, 15 Dec 2015 00:00:00 +0000

Introduction

Welcome to the second ZAP Newsletter.
And apologies for the delay - 2.4.3 took longer than expected, and last week I was away at a Mozilla work week.

ZAP Newsletter - 2015 November

Mon, 02 Nov 2015 00:00:00 +0000

Introduction

Welcome to the first monthly ZAP newsletter.
We plan to cover pretty much anything ZAP related in these newsletters, including newly created or updated add-ons, new features just implemented and 3rd party tools.
We also encourage contributions from people like yourself - see the last section for details.
Oh, and please let us know what you think of this newsletter via the Feedback Form!

ZAP Q&A Session - Tuesday 13th October 2015

Tue, 06 Oct 2015 00:00:00 +0000

The first online ZAP Q&A Session was held on Tuesday 13th October.

You can listen to a recording of the session here.

Please leave feedback via this Google Form.

Some links to resources mentioned in the session or related to the questions:

Note that you can download add-ons from within ZAP via the Marketplace.

ZAP as a Service (ZaaS)

Wed, 27 May 2015 00:00:00 +0000

At OWASP AppSec EU in Amsterdam this year I announced ZAP as a Service (ZaaS).
The slides are here and the video will hopefully be available soon.

The idea behind this development is to enhance ZAP so that it can be run in a ‘server’ mode.
This is different to the current ‘daemon’ mode in that it will be designed to be a long running, highly scalable, distributed service accessed by multiple users with different roles.

Alberto's GSoC 2014 Project for ZAP SOAP Scanner Add-On

Wed, 03 Sep 2014 00:00:00 +0000

Hello everybody, my name is Alberto Verza, a 23 year student from Spain, and this summer I have participated in Google Summer of Code 2014. My project was the SOAP Scanner add-on for ZAP, in which I worked during all the Program. Let me explain you the features it includes.

Hacking ZAP #4 - Active scan rules

Wed, 30 Apr 2014 00:00:00 +0000

Welcome to a series of blog posts aimed at helping you “hack the ZAP source code”.
The previous post in this series is: Hacking ZAP #3 - Passive scan rules

Active scan rules are another relatively simple way to enhance ZAP. Active scan rules attack the server, and therefore are only run when explicitly invoked by the user. You should only use active scan rules against applications that you have permission to attack.
You can also write active scan rules dynamically using scripts, as we will see later in this series, but even then it’s very useful to understand some of the concepts underlying classes available to you.

Hacking ZAP #3 - Passive scan rules

Thu, 03 Apr 2014 00:00:00 +0000

Welcome to a series of blog posts aimed at helping you “hack the ZAP source code”.
The previous post in this series is: Hacking ZAP #2 - Getting Started

One of the easiest ways to enhance ZAP is to write new passive scan rules.
Passive scan rules are used to warn the user of potential vulnerabilities that can be detected passively - they are not allowed to make any new requests or manipulate the requests or responses in any way.
They typically run against all of the requests and responses that flow through ZAP.
Passive rules run in separate background thread so that they have as little effect on performance as possible.

Hacking ZAP #2 - Getting Started

Thu, 20 Mar 2014 00:00:00 +0000

Welcome to a series of blog posts aimed at helping you “hack the ZAP source code”.
The previous post in this series is: Hacking ZAP #1 - Why should you?

In order to change the ZAP source code you will need to set up a development environment.

Requirements

The following software is used/required to obtain and build ZAP (core) and the add-ons:

Hacking ZAP #1 - Why should you?

Mon, 10 Mar 2014 00:00:00 +0000

Welcome to a series of blog posts aimed at helping you “hack the ZAP source code”.

ZAP is an open source tool for finding vulnerabilities in web applications. It is the most active OWASP project and is very community focused - it probably has more contributors than any other web application security tool. It is being continually enhanced and, unusually for a security tool, has been translated into over 25 languages thanks to over 70 translators.
This series is designed to help newcomers dive head-first into the ZAP source code. However for this first blog post I thought I’d take a step back and give some reasons why you might want to change the ZAP source code in the first place.

ZAP 2.0.0 and the Google Summer of Code 2012 Projects

Mon, 10 Dec 2012 00:00:00 +0000

We are getting close to releasing the next major version of ZAP.

As there are so many changes we’ve decided to go to version 2.0.0 rather than 1.5, and some of the biggest changes have come about thanks to the Google Summer of Code (GSoC).

This is the first year in which ZAP has taken part in the GSoC, and it has been a resounding success.

ZAP Weekly Releases

Mon, 22 Oct 2012 00:00:00 +0000

I’ve been struggling with the question of ZAP releases.
We’ve made loads of enhancements to ZAP recently, and I want them to be available to as wide an audience as possible.
But I also want to make sure our ‘full’ releases remain as robust and stable as possible.
I want to get the next full release (2.0.0) out of the door asap, but I still want to get a load more features into it.

OWASP ZAP – the Firefox of web security tools

Thu, 13 Sep 2012 00:00:00 +0000

The OWASP Zed Attack Proxy (otherwise known as ZAP) is a free security tool which you can use to find security vulnerabilities in web applications. My name is Simon Bennetts, and I am the ZAP Project Leader; there is also an international group of volunteers who develop and support it. Future posts on this blog will describe the features that ZAP provides and how you can use them, but this post will concentrate on the philosophy behind ZAP. Some of the ideals that have driven ZAP are listed below and will be expanded upon in the rest of this post: