OWASP - User contributions [en]

Projects/OWASP Zed Attack Proxy Project/Releases/Current

2012-04-08T13:19:30Z

Axel Neumann: Redirected page to Projects/OWASP Zed Attack Proxy Project/Releases/ZAP 1.4.0

#REDIRECT [[Projects/OWASP Zed Attack Proxy Project/Releases/ZAP 1.4.0]]

Projects/OWASP Zed Attack Proxy Project

2012-04-08T13:16:53Z

Axel Neumann:

{{Template:<includeonly>{{{1}}}</includeonly><noinclude>Project About</noinclude>

| project_name = OWASP Zed Attack Proxy Project

| project_home_page = OWASP_Zed_Attack_Proxy_Project

| project_description =
This project, OWASP Zed Attack Proxy Project (ZAP), provides an easy to use integrated penetration testing tool for testing web applications.

It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who a new to penetration testing.

ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.

| project_license = [http://www.apache.org/licenses/LICENSE-2.0 Apache License 2.0]

| leader_name1 = Psiinon
| leader_email1 = psiinon@gmail.com
| leader_username1 = Psiinon

| leader_name2 = Axel Neumann
| leader_email2 = a.c.neumann@gmail.com
| leader_username2 = Axel_Neumann

| contributor_name[1-10] =
| contributor_email[1-10] =
| contributor_username[1-10] =

| pamphlet_link = http://www.owasp.org/images/e/e3/OWASP_ZAP_Flyer.pdf

| presentation_link = http://www.owasp.org/images/c/c8/Conference_Style_slides_for_ZAP.ppt

| mailing_list_name = https://lists.owasp.org/mailman/listinfo/owasp-zed-attack-proxy

| project_road_map = http://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project/Roadmap

| links_url1 = http://code.google.com/p/zaproxy/
| links_name1 = ZAP's Google Code page

| links_url2 = http://code.google.com/p/zaproxy/downloads/list
| links_name2 = Downloads

| links_url3 = http://code.google.com/p/zaproxy/issues/list
| links_name3 = Issues

| links_url4 = http://code.google.com/p/zaproxy/wiki/HelpIntro
| links_name4 = User Guide

| links_url5 = http://freshmeat.net/projects/zed-attack-proxy-zap
| links_name5 = Freshmeat page

| links_url6 = http://groups.google.com/group/zaproxy-develop
| links_name6 = Developer Group

| links_url7 = http://pentest4devs.blogspot.com/
| links_name7 = Penetration Testing for Developers Blog

| links_url8 = https://www.owasp.org/index.php/GPC_Project_Assessment/OWASP_Zed_Attack_Proxy_Project/ZAP_1.3.0
| links_name8 = Releases ZAP 1.3.0 / Assessment Process Control

| release_1 = ZAP 1.0.0

| release_2 = ZAP 1.1.0

| release_3 = ZAP 1.2.0

| release_4 = ZAP 1.3.0

| release_5 = ZAP 1.3.1

| release_6 = ZAP 1.3.2

| release_7 = ZAP 1.3.3

| release_8 = ZAP 1.3.4

| release_9 = ZAP 1.4.0

| release_10 =

| project_about_page = Projects/OWASP_Zed_Attack_Proxy_Project
}}

Projects/OWASP Zed Attack Proxy Project/Releases/ZAP 1.4.0

2012-04-08T13:14:16Z

Axel Neumann: Created page with "{{Template: <includeonly>{{{1}}}</includeonly><noinclude>Release About</noinclude> | project_name = OWASP Zed Attack Proxy Project | project_home_page = OWASP Zed Attack Proxy..."

{{Template: <includeonly>{{{1}}}</includeonly><noinclude>Release About</noinclude>
| project_name = OWASP Zed Attack Proxy Project
| project_home_page = OWASP Zed Attack Proxy Project
| release_name = ZAP 1.4.0
| release_date = 08/04/2012

| release_description =

'''This release includes the following significant changes:'''

* Plugable extensions: Full extensions can now be plugged into ZAP dynamically with full access to all of ZAPs features.
* Syntax highlighting in the Response Panel: The HTML panels now support switchable syntax highlighting.
* fuzzdb integration: The fuzzer now includes fuzzdb (http://code.google.com/p/fuzzdb/) fuzzing files.
* Parameter analysis: A new Params tab shows a summary of all of the parameters a site has used.
* Enhanced XSS scanner: The Cross Site Scripting active scanner has been rewritten from scratch to find more potential XSS issues and report fewer false positives.
* Watcher passive checks ported to ZAP: Different checks have been ported from Watcher to ZAP (thanks to Chris Weber for permission).
* Tons of bug-fixes and minor improvements.

| release_license = [http://www.apache.org/licenses/LICENSE-2.0 Apache License 2.0]
| release_download_link = http://code.google.com/p/zaproxy/downloads/list

| leader_name1 = Psiinon
| leader_email1 = psiinon@gmail.com
| leader_username1 = Psiinon

| leader_name2 = Axel Neumann
| leader_email2 = a.c.neumann@gmail.com
| leader_username2 = Axel Neumann

| release_notes = http://code.google.com/p/zaproxy/wiki/HelpReleases1_4_0
}}

OWASP Zed Attack Proxy Project

2012-04-08T13:05:39Z

Axel Neumann:

{{OWASP Builders}}
{{OWASP Breakers}}
= Main =
{{Social Media Links}}
[[Image:ZAP-ScreenShotAddAlert.png|thumb|300px|right|ZAP Add Alert Screen Shot]]
[[Image:ZAP-ScreenShotHelp.png|thumb|300px|right|ZAP Help Screen Shot]]
[[Image:ZAP-ScreenShotHistoryFilter.png|thumb|300px|right|ZAP History Filter Screen Shot]]
[[Image:ZAP-ScreenShotSearchTab.png|thumb|300px|right|ZAP Search Tab Screen Shot]]

The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications.

It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing.

ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.

===OWASP ZAP is also the [http://holisticinfosec.blogspot.com/2012/02/2011-toolsmith-tool-of-year-owasp-zap.html Toolsmith Tool of the Year for 2011!]===

'''Are you a student? Would you like to get paid to work on ZAP or other OWASP projects over the summer?'''

'''OWASP is taking part in the Google Summer of Code: https://www.owasp.org/index.php/GSoC2012_Ideas and ZAP is one of the projects you can work on! '''

[[Image:ZAP-Download.png |
link=http://code.google.com/p/zaproxy/downloads/list]]

'''The current version of ZAP is [http://code.google.com/p/zaproxy/wiki/HelpReleases1_4_0 1.4.0].'''

Want a very quick introduction? See the [http://www.owasp.org/images/e/e3/OWASP_ZAP_Flyer.pdf project pamphlet].

For a slightly longer introduction see the [http://www.owasp.org/images/c/c8/Conference_Style_slides_for_ZAP.ppt project presentation].

For video introductions to ZAP see the links on the [https://code.google.com/p/zaproxy/wiki/Videos wiki videos page].

'''For more details about ZAP, including the full user guide, see the [https://code.google.com/p/zaproxy/wiki/Introduction wiki].'''

<paypal>Zed Attack Proxy</paypal>

'''Some of ZAP's features:'''

* [http://code.google.com/p/zaproxy/wiki/HelpStartConceptsIntercept Intercepting Proxy]
* [http://code.google.com/p/zaproxy/wiki/HelpStartConceptsAscan Automated scanner]
* [http://code.google.com/p/zaproxy/wiki/HelpStartConceptsPscan Passive scanner]
* [http://code.google.com/p/zaproxy/wiki/HelpStartConceptsBruteforce Brute Force scanner]
* [http://code.google.com/p/zaproxy/wiki/HelpStartConceptsSpider Spider]
* [http://code.google.com/p/zaproxy/wiki/HelpStartConceptsFuzz Fuzzer]
* [http://code.google.com/p/zaproxy/wiki/HelpStartConceptsPortscan Port scanner]
* [http://code.google.com/p/zaproxy/wiki/HelpUiDialogsOptionsDynsslcert Dynamic SSL certificates]
* [http://code.google.com/p/zaproxy/wiki/HelpStartConceptsApi API]
* [http://code.google.com/p/zaproxy/wiki/HelpUiDialogsBeanshell Beanshell integration]

'''Some of ZAP's characteristics:'''

* Easy to install (just requires java 1.6)
* Ease of use a priority
* [http://code.google.com/p/zaproxy/wiki/HelpIntro Comprehensive help pages]
* Fully internationalized
* Under active development
* [http://www.apache.org/licenses/LICENSE-2.0 Open source]
* Free (no paid for 'Pro' version)
* Cross platform
* Involvement actively encouraged

'''It supports the following languages:'''

* English
* Brazilian Portuguese
* Chinese
* Danish
* French
* German
* Greek
* Indonesian
* Japanese
* Persian
* Polish
* Spanish

ZAP is a fork of the well regarded [http://www.parosproxy.org/ Paros Proxy].

= Roadmap =

Details of previous releases can be found [http://code.google.com/p/zaproxy/wiki/HelpReleasesReleases here]

==Release 1.4.0==
Version [http://code.google.com/p/zaproxy/wiki/HelpReleases1_4_0 1_4_0] has just been released.

Compared to previous releases, the 1.4.0 release adds the following main features:
* Support for ZAP-Extensions (Plugable extensions)
* Syntax highlighting in the Response Panel
* fuzzdb integration
* Parameter analysis
* Enhanced XSS scanner
* Tons of bug-fixes and minor improvements

==Future Releases==

Future releases are likely to include:
* Fuzzing analysis
* API extensions
* Enhancements and fixes logged on the [https://code.google.com/p/zaproxy/issues/list issues page]

= Get Involved =

Involvement in the development of ZAP is actively encouraged!

You do not have to be a security expert in order to contribute.

Some of the ways you can help:

==Feature Requests==

Please raise new feature requests as enhancement requests here: http://code.google.com/p/zaproxy/issues/list

If there are existing requests you are also interested in then please 'star' them - that way we can see which features people are most interested in and can prioritize them accordingly.

==Feedback==

Please use the [http://groups.google.com/group/zaproxy-develop zaproxy-develop Google Group] for feedback:
* What do like?
* What don't you like?
* What features could be made easier to use?
* How could the help pages be improved?

==Log issues==

Have you had a problem using ZAP?

If so and its not already been logged then please [http://code.google.com/p/zaproxy/issues/list report it]

==Localization==

Are you fluent in another language? Can you help translate ZAP into that language?

If so then please get in touch.

==Development==

If you fancy having a go at adding functionality to ZAP then please get in touch via the [http://groups.google.com/group/zaproxy-develop zaproxy-develop Google Group].

Again, you do not have to be a security expert to contribute code - working on ZAP could be great way to learn more about web application security!

If you actively contribute to ZAP then you will be invited to join the project.



= Project About =
{{:Projects/OWASP Zed Attack Proxy Project | Project About}}

__NOTOC__ <headertabs />

[[Category:OWASP_Project|Zed Attack Proxy Project]] [[Category:OWASP_Tool]] [[Category:OWASP_Release_Quality_Tool|OWASP Release Quality Tool]] [[Category:OWASP_Download]]

Projects/OWASP Zed Attack Proxy Project/Releases/ZAP 1.3.2

2011-08-21T10:27:16Z

Axel Neumann:

{{Template: <includeonly>{{{1}}}</includeonly><noinclude>Release About</noinclude>
| project_name = OWASP Zed Attack Proxy Project
| project_home_page = OWASP Zed Attack Proxy Project
| release_name = ZAP 1.3.2
| release_date = 08/21/2011

| release_description =

'''This release is a bugfix release without any new features. Compared to older releases, the 1.3.x branch includes the following significant changes:'''

* Fuzzing: Strings in a response can now be fuzzed to try to find vulnerabilities. Anti CRSF tokens can be detected and automatically regenerated when fuzzing. This functionality is based on code from the OWASP JBroFuzz project.
* Dynamic SSL certificates: The support for SSL connections was improved and simplified. User's can now create their own root certificate and distribute this into their HTTP clients.
* Daemon mode: Starting ZAP with the "-daemon" command line option will cause it to run in the background in 'headless' mode, meaning that no UI is displayed.
* API: An initial API has been implemented in XML, JSON and HTML.
* Beanshell integration: The BeanShell is an interactive Java shell that can be used to execute BeanShell scripts. BeanShell integration in OWASP ZAP enables you to write scripts using the ZAP functions and data set.
* Full internationalisation: All displayed strings are now fully internationalised.
* Localisation: Out of the box support for the following languages: English, Brazilian Portuguese, Chinese, French, German, Greek, Indonesian, Japanese, Polish, Spanish

| release_license = [http://www.apache.org/licenses/LICENSE-2.0 Apache License 2.0]
| release_download_link = http://code.google.com/p/zaproxy/downloads/list

| leader_name1 = Psiinon
| leader_email1 = psiinon@gmail.com
| leader_username1 = Psiinon

| leader_name2 = Axel Neumann
| leader_email2 = a.c.neumann@gmail.com
| leader_username2 = Axel Neumann

| release_notes = http://code.google.com/p/zaproxy/wiki/HelpReleases1_3_2
}}

Projects/OWASP Zed Attack Proxy Project/Releases/ZAP 1.3.2

2011-08-21T10:26:05Z

Axel Neumann:

{{Template: <includeonly>{{{1}}}</includeonly><noinclude>Release About</noinclude>
| project_name = OWASP Zed Attack Proxy Project
| project_home_page = OWASP Zed Attack Proxy Project
| release_name = ZAP 1.3.2
| release_date = 08/21/2011

| release_description =

'''This release is a bugfix release without any new features. Compared to older releases, the 1.3.x branch includes the following significant changes:'''

* Fuzzing: Strings in a response can now be fuzzed to try to find vulnerabilities. Anti CRSF tokens can be detected and automatically regenerated when fuzzing. This functionality is based on code from the OWASP JBroFuzz project.
* Dynamic SSL certificates: The support for SSL connections was improved and simplified. User's can now create their own root certificate and distribute this into their HTTP clients.
* Daemon mode: Starting ZAP with the "-daemon" command line option will cause it to run in the background in 'headless' mode, meaning that no UI is displayed.
* API: An initial API has been implemented in XML, JSON and HTML.
* Beanshell integration: The BeanShell is an interactive Java shell that can be used to execute BeanShell scripts. BeanShell integration in OWASP ZAP enables you to write scripts using the ZAP functions and data set.
* Full internationalisation: All displayed strings are now fully internationalised.
* Localisation: Out of the box support for the following languages: English, Brazilian Portuguese, Chinese, French, German, Greek, Indonesian, Japanese, Polish, Spanish

| release_license = [http://www.apache.org/licenses/LICENSE-2.0 Apache License 2.0]
| release_download_link = http://code.google.com/p/zaproxy/downloads/list

| leader_name1 = Psiinon
| leader_email1 = psiinon@gmail.com
| leader_username1 = Psiinon

| leader_name2 = Axel Neumann
| leader_email2 = a.c.neumann@gmail.com
| leader_username2 = Axel Neumann

| release_notes = http://www.owasp.org/index.php/Projects/OWASP_Zed_Attack_Proxy_Project/Releases/ZAP_1.3.1/Notes
}}

Projects/OWASP Zed Attack Proxy Project

2011-08-21T10:23:33Z

Axel Neumann:

{{Template:<includeonly>{{{1}}}</includeonly><noinclude>Project About</noinclude>

| project_name = OWASP Zed Attack Proxy Project

| project_home_page = OWASP_Zed_Attack_Proxy_Project

| project_description =
This project, OWASP Zed Attack Proxy Project (ZAP), provides an easy to use integrated penetration testing tool for testing web applications.

It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who a new to penetration testing.

ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.

| project_license = [http://www.apache.org/licenses/LICENSE-2.0 Apache License 2.0]

| leader_name1 = Psiinon
| leader_email1 = psiinon@gmail.com
| leader_username1 = Psiinon

| leader_name2 = Axel Neumann
| leader_email2 = a.c.neumann@gmail.com
| leader_username2 = Axel_Neumann

| contributor_name[1-10] =
| contributor_email[1-10] =
| contributor_username[1-10] =

| pamphlet_link = http://www.owasp.org/images/e/e3/OWASP_ZAP_Flyer.pdf

| presentation_link = http://www.owasp.org/images/c/c8/Conference_Style_slides_for_ZAP.ppt

| mailing_list_name = https://lists.owasp.org/mailman/listinfo/owasp-zed-attack-proxy

| project_road_map = http://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project/Roadmap

| links_url1 = http://code.google.com/p/zaproxy/
| links_name1 = ZAP's Google Code page

| links_url2 = http://code.google.com/p/zaproxy/downloads/list
| links_name2 = Downloads

| links_url3 = http://code.google.com/p/zaproxy/issues/list
| links_name3 = Issues

| links_url4 = http://code.google.com/p/zaproxy/wiki/HelpIntro
| links_name4 = User Guide

| links_url5 = http://freshmeat.net/projects/zed-attack-proxy-zap
| links_name5 = Freshmeat page

| links_url6 = http://groups.google.com/group/zaproxy-develop
| links_name6 = Developer Group

| links_url7 = http://pentest4devs.blogspot.com/
| links_name7 = Penetration Testing for Developers Blog

| links_url8 = https://www.owasp.org/index.php/Projects/OWASP_Zed_Attack_Proxy_Project/Releases/ZAP_1.3.0/Assessment
| links_name8 = Projects / OWASP Zed Attack Proxy Project / Releases / ZAP 1.3.0 / Assessment

| release_1 = ZAP 1.0.0

| release_2 = ZAP 1.1.0

| release_3 = ZAP 1.2.0

| release_4 = ZAP 1.3.0

| release_5 = ZAP 1.3.1

| release_6 = ZAP 1.3.2

| release_7 =

| project_about_page = Projects/OWASP_Zed_Attack_Proxy_Project
}}

Projects/OWASP Zed Attack Proxy Project/Releases/Current

2011-08-21T10:21:35Z

Axel Neumann: Redirected page to Projects/OWASP Zed Attack Proxy Project/Releases/ZAP 1.3.2

#REDIRECT [[Projects/OWASP Zed Attack Proxy Project/Releases/ZAP 1.3.2]]

Projects/OWASP Zed Attack Proxy Project/GPC/Assessment/ZAP 1.3.2

2011-08-21T10:20:30Z

Axel Neumann: Created page with "{{Template:<includeonly>{{{1}}}</includeonly><noinclude>Release Rating</noinclude> | rating = -1 | criteria_version= 2 | project_name= OWASP Zed Attack Proxy Project | release_na..."

{{Template:<includeonly>{{{1}}}</includeonly><noinclude>Release Rating</noinclude>
| rating = -1
| criteria_version= 2
| project_name= OWASP Zed Attack Proxy Project
| release_name= ZAP 1.3.2
}}
<noinclude>[[Category: Release Assessment]]</noinclude>

Projects/OWASP Zed Attack Proxy Project/Releases/ZAP 1.3.2

2011-08-21T10:18:21Z

{{Template: <includeonly>{{{1}}}</includeonly><noinclude>Release About</noinclude>
| project_name = OWASP Zed Attack Proxy Project
| project_home_page = OWASP Zed Attack Proxy Project
| release_name = ZAP 1.3.2
| release_date = 08/21/2011

| release_description =

'''This release is a bugfix release without any new features. Compared to older releases, the 1.3.x branch includes the following significant changes:'''

* Fuzzing: Strings in a response can now be fuzzed to try to find vulnerabilities. Anti CRSF tokens can be detected and automatically regenerated when fuzzing. This functionality is based on code from the OWASP JBroFuzz project.
* Dynamic SSL certificates: The support for SSL connections was improved and simplified. User's can now create their own root certificate and distribute this into their HTTP clients.
* Daemon mode: Starting ZAP with the "-daemon" command line option will cause it to run in the background in 'headless' mode, meaning that no UI is displayed.
* API: An initial API has been implemented in XML, JSON and HTML.
* Beanshell integration: The BeanShell is an interactive Java shell that can be used to execute BeanShell scripts. BeanShell integration in OWASP ZAP enables you to write scripts using the ZAP functions and data set.
* Full internationalisation: All displayed strings are now fully internationalised.
* Localisation: Out of the box support for the following languages: English, Brazilian Portuguese, Chinese, French, German, Greek, Indonesian, Japanese, Polish, Spanish

| release_license = [http://www.apache.org/licenses/LICENSE-2.0 Apache License 2.0]
| release_download_link = http://code.google.com/p/zaproxy/downloads/list

| leader_name1 = Psiinon
| leader_email1 = psiinon@gmail.com
| leader_username1 = Psiinon

| release_notes = http://www.owasp.org/index.php/Projects/OWASP_Zed_Attack_Proxy_Project/Releases/ZAP_1.3.1/Notes
}}

OWASP Zed Attack Proxy Project

2011-08-21T10:15:50Z

Axel Neumann:

{{OWASP Builders}}
{{OWASP Breakers}}
==== Main ====
[[Image:ZAP-ScreenShotAddAlert.png|thumb|300px|right|ZAP Add Alert Screen Shot]]
[[Image:ZAP-ScreenShotHelp.png|thumb|300px|right|ZAP Help Screen Shot]]
[[Image:ZAP-ScreenShotHistoryFilter.png|thumb|300px|right|ZAP History Filter Screen Shot]]
[[Image:ZAP-ScreenShotSearchTab.png|thumb|300px|right|ZAP Search Tab Screen Shot]]

The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications.

It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing.

ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.

[[Image:ZAP-Download.png |
link=http://code.google.com/p/zaproxy/downloads/list]]

'''The current version of ZAP is [http://code.google.com/p/zaproxy/wiki/HelpReleases1_3_2 1.3.2].'''

<paypal>Zed Attack Proxy</paypal>

'''Some of ZAP's features:'''

* [http://code.google.com/p/zaproxy/wiki/HelpStartConceptsIntercept Intercepting Proxy]
* [http://code.google.com/p/zaproxy/wiki/HelpStartConceptsAscan Automated scanner]
* [http://code.google.com/p/zaproxy/wiki/HelpStartConceptsPscan Passive scanner]
* [http://code.google.com/p/zaproxy/wiki/HelpStartConceptsBruteforce Brute Force scanner]
* [http://code.google.com/p/zaproxy/wiki/HelpStartConceptsSpider Spider]
* [http://code.google.com/p/zaproxy/wiki/HelpStartConceptsFuzz Fuzzer]
* [http://code.google.com/p/zaproxy/wiki/HelpStartConceptsPortscan Port scanner]
* [http://code.google.com/p/zaproxy/wiki/HelpUiDialogsOptionsDynsslcert Dynamic SSL certificates]
* [http://code.google.com/p/zaproxy/wiki/HelpStartConceptsApi API]
* [http://code.google.com/p/zaproxy/wiki/HelpUiDialogsBeanshell Beanshell integration]

'''Some of ZAP's characteristics:'''

* Easy to install (just requires java 1.6)
* Ease of use a priority
* [http://code.google.com/p/zaproxy/wiki/HelpIntro Comprehensive help pages]
* Fully internationalized
* Under active development
* [http://www.apache.org/licenses/LICENSE-2.0 Open source]
* Free (no paid for 'Pro' version)
* Cross platform
* Involvement actively encouraged

'''It supports the following languages:'''

* English
* Brazilian Portuguese
* Chinese
* French
* Danish
* German
* Greek
* Indonesian
* Japanese
* Polish
* Spanish

ZAP is a fork of the well regarded [http://www.parosproxy.org/ Paros Proxy].

==== Roadmap ====

Details of previous releases can be found [http://code.google.com/p/zaproxy/wiki/HelpReleasesReleases here]

==Release 1.3.2==
Version [http://code.google.com/p/zaproxy/wiki/HelpReleases1_3_2 1.3.2] has just been released, which is the second bugfix release of the 1.3.x branch.
Compared to previous releases, the 1.3.x branch adds the following main features:
* Fuzzing (using components from [http://www.owasp.org/index.php/Category:OWASP_JBroFuzz JBroFuzz])
* Dynamic SSL Certificates
* Daemon mode and API to allow other tools to interact with ZAP
* [http://www.beanshell.org/home.html BeanShell] integration
* Full internationalization
* Out of the box support for 10 languages

==Future Releases==

Future releases are likely to include:
* Further improvements to the passive and active automated scanners
* Further improvements the Spider
* Fuzzing analysis
* API extensions

====Get Involved====

Involvement in the development of ZAP is actively encouraged!

You do not have to be a security expert in order to contribute.

Some of the ways you can help:

==Feature Requests==

Please raise new feature requests as enhancement requests here: http://code.google.com/p/zaproxy/issues/list

If there are existing requests you are also interested in then please 'star' them - that way we can see which features people are most interested in and can prioritize them accordingly.

==Feedback==

Please use the [http://groups.google.com/group/zaproxy-develop zaproxy-develop Google Group] for feadback:
* What do like?
* What dont you like?
* What features could be made easier to use?
* How could the help pages be improved?

==Log issues==

Have you had a problem using ZAP?

If so and its not already been logged then please [http://code.google.com/p/zaproxy/issues/list report it]

==Localization==

Are you fluent in another language? Can you help translate ZAP into that language?

If so then please get in touch.

==Development==

If you fancy having a go at adding functionality to ZAP then please get in touch via the [http://groups.google.com/group/zaproxy-develop zaproxy-develop Google Group].

Again, you do not have to be a security expect to contribute code - working on ZAP could be great way to learn more about web application security!

If you actively contribute to ZAP then you will be invited to join the project.



==== Project About ====
{{:Projects/OWASP Zed Attack Proxy Project | Project About}}

__NOTOC__ <headertabs />

[[Category:OWASP_Project|Zed Attack Proxy Project]] [[Category:OWASP_Tool]] [[Category:OWASP_Release_Quality_Tool|OWASP Release Quality Tool]] [[Category:OWASP_Download]]

Projects/OWASP Zed Attack Proxy Project

2011-07-05T20:47:43Z

Axel Neumann:

{{Template:<includeonly>{{{1}}}</includeonly><noinclude>Project About</noinclude>

| project_name = OWASP Zed Attack Proxy Project

| project_home_page = OWASP_Zed_Attack_Proxy_Project

| project_description =
This project, OWASP Zed Attack Proxy Project (ZAP), provides an easy to use integrated penetration testing tool for testing web applications.

It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who a new to penetration testing.

ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.

| project_license = [http://www.apache.org/licenses/LICENSE-2.0 Apache License 2.0]

| leader_name1 = Psiinon
| leader_email1 = psiinon@gmail.com
| leader_username1 = Psiinon

| leader_name2 = Axel Neumann
| leader_email2 =
| leader_username2 = Axel_Neumann

| contributor_name[1-10] =
| contributor_email[1-10] =
| contributor_username[1-10] =

| pamphlet_link = http://www.owasp.org/images/e/e3/OWASP_ZAP_Flyer.pdf

| presentation_link = http://www.owasp.org/images/c/c8/Conference_Style_slides_for_ZAP.ppt

| mailing_list_name = https://lists.owasp.org/mailman/listinfo/owasp-zed-attack-proxy

| project_road_map = http://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project/Roadmap

| links_url1 = http://code.google.com/p/zaproxy/
| links_name1 = ZAP's Google Code page

| links_url2 = http://code.google.com/p/zaproxy/downloads/list
| links_name2 = Downloads

| links_url3 = http://code.google.com/p/zaproxy/issues/list
| links_name3 = Issues

| links_url4 = http://code.google.com/p/zaproxy/wiki/HelpIntro
| links_name4 = User Guide

| links_url5 = http://freshmeat.net/projects/zed-attack-proxy-zap
| links_name5 = Freshmeat page

| links_url6 = http://groups.google.com/group/zaproxy-develop
| links_name6 = Developer Group

| links_url7 = http://pentest4devs.blogspot.com/
| links_name7 = Penetration Testing for Developers Blog

| links_url8 = http://www.owasp.org/index.php/GPC_Project_Assessment/OWASP_Zed_Attack_Proxy_Project/ZAP_1.1.0
| links_name8 = GPC Project Assessment/OWASP Zed Attack Proxy Project/ZAP 1.1.0

| release_1 = ZAP 1.0.0

| release_2 = ZAP 1.1.0

| release_3 = ZAP 1.2.0

| release_4 = ZAP 1.3.0

| release_5 = ZAP 1.3.1

| release_6 =

| project_about_page = Projects/OWASP_Zed_Attack_Proxy_Project
}}

Projects/OWASP Zed Attack Proxy Project

2011-07-05T20:43:49Z

Axel Neumann:

{{Template:<includeonly>{{{1}}}</includeonly><noinclude>Project About</noinclude>

| project_name = OWASP Zed Attack Proxy Project

| project_home_page = OWASP_Zed_Attack_Proxy_Project

| project_description =
This project, OWASP Zed Attack Proxy Project (ZAP), provides an easy to use integrated penetration testing tool for testing web applications.

It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who a new to penetration testing.

ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.

| project_license = [http://www.apache.org/licenses/LICENSE-2.0 Apache License 2.0]

| leader_name1 = Psiinon
| leader_email1 = psiinon@gmail.com
| leader_username1 = Psiinon

| leader_name2 = Axel Neumann
| leader_email2 =
| leader_username2 = Axel_Neumann

| contributor_name[1-10] =
| contributor_email[1-10] =
| contributor_username[1-10] =

| pamphlet_link = http://www.owasp.org/images/e/e3/OWASP_ZAP_Flyer.pdf

| presentation_link = http://www.owasp.org/images/c/c8/Conference_Style_slides_for_ZAP.ppt

| mailing_list_name = https://lists.owasp.org/mailman/listinfo/owasp-zed-attack-proxy

| project_road_map = http://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project/Roadmap

| links_url1 = http://code.google.com/p/zaproxy/
| links_name1 = ZAP's Google Code page

| links_url2 = http://code.google.com/p/zaproxy/downloads/list
| links_name2 = Downloads

| links_url3 = http://code.google.com/p/zaproxy/issues/list
| links_name3 = Issues

| links_url4 = http://code.google.com/p/zaproxy/wiki/HelpIntro
| links_name4 = User Guide

| links_url5 = http://freshmeat.net/projects/zed-attack-proxy-zap
| links_name5 = Freshmeat page

| links_url6 = http://groups.google.com/group/zaproxy-develop
| links_name6 = Developer Group

| links_url7 = http://pentest4devs.blogspot.com/
| links_name7 = Penetration Testing for Developers Blog

| links_url8 = http://www.owasp.org/index.php/GPC_Project_Assessment/OWASP_Zed_Attack_Proxy_Project/ZAP_1.1.0
| links_name8 = GPC Project Assessment/OWASP Zed Attack Proxy Project/ZAP 1.1.0

| release_1 = ZAP 1.0.0

| release_2 = ZAP 1.1.0

| release_3 = ZAP 1.2.0

| release_4 = ZAP 1.3.0

| release_5 = ZAP 1.3.1

| project_about_page = Projects/OWASP_Zed_Attack_Proxy_Project
}}

Projects/OWASP Zed Attack Proxy Project

2011-07-05T20:42:28Z

Axel Neumann:

{{Template:<includeonly>{{{1}}}</includeonly><noinclude>Project About</noinclude>

| project_name = OWASP Zed Attack Proxy Project

| project_home_page = OWASP_Zed_Attack_Proxy_Project

| project_description =
This project, OWASP Zed Attack Proxy Project (ZAP), provides an easy to use integrated penetration testing tool for testing web applications.

It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who a new to penetration testing.

ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.

| project_license = [http://www.apache.org/licenses/LICENSE-2.0 Apache License 2.0]

| leader_name1 = Psiinon
| leader_email1 = psiinon@gmail.com
| leader_username1 = Psiinon

| leader_name2 = Axel Neumann
| leader_email2 =
| leader_username2 = Axel_Neumann

| contributor_name[1-10] =
| contributor_email[1-10] =
| contributor_username[1-10] =

| pamphlet_link = http://www.owasp.org/images/e/e3/OWASP_ZAP_Flyer.pdf

| presentation_link = http://www.owasp.org/images/c/c8/Conference_Style_slides_for_ZAP.ppt

| mailing_list_name = https://lists.owasp.org/mailman/listinfo/owasp-zed-attack-proxy

| project_road_map = http://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project/Roadmap

| links_url1 = http://code.google.com/p/zaproxy/
| links_name1 = ZAP's Google Code page

| links_url2 = http://code.google.com/p/zaproxy/downloads/list
| links_name2 = Downloads

| links_url3 = http://code.google.com/p/zaproxy/issues/list
| links_name3 = Issues

| links_url4 = http://code.google.com/p/zaproxy/wiki/HelpIntro
| links_name4 = User Guide

| links_url5 = http://freshmeat.net/projects/zed-attack-proxy-zap
| links_name5 = Freshmeat page

| links_url6 = http://groups.google.com/group/zaproxy-develop
| links_name6 = Developer Group

| links_url7 = http://pentest4devs.blogspot.com/
| links_name7 = Penetration Testing for Developers Blog

| links_url8 = http://www.owasp.org/index.php/GPC_Project_Assessment/OWASP_Zed_Attack_Proxy_Project/ZAP_1.1.0
| links_name8 = GPC Project Assessment/OWASP Zed Attack Proxy Project/ZAP 1.1.0

| release_1 = ZAP 1.0.0

| release_2 = ZAP 1.1.0

| release_3 = ZAP 1.2.0

| release_4 = ZAP 1.3.0

| release_5 = ZAP 1.3.1

| release_6 =

| project_about_page = Projects/OWASP_Zed_Attack_Proxy_Project
}}

Projects/OWASP Zed Attack Proxy Project/Releases/ZAP 1.3.1/Assessment

2011-07-05T20:35:06Z

Axel Neumann: Created page with "Click here to return to project's main page == Stable Release Review of the OWASP Zed Attack Proxy Project - [[Projects/OW..."

[[:OWASP Zed Attack Proxy Project|Click here to return to project's main page]] 

== Stable Release Review of the OWASP Zed Attack Proxy Project - [[Projects/OWASP Zed Attack Proxy Project/Releases/ZAP 1.3.1|Release ZAP 1.3.1]] ==

==== Project Leader for this Release ====
'''''[[User:Psiinon|Psiinon]]'s Pre-Assessment Checklist:'''''

{{ Pre-Assessment Questions - Tools
| 1. Is this release associated with a project containing at least the [[Assessing_Project_Health#Project_Wiki_Page_Minimal_Content|Project Wiki Page Minimum Content]] information?
= I believe so

| 2. Is your tool licensed under an open source license?
= Yes - Apache License 2.0, referenced on both http://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project and http://code.google.com/p/zaproxy/

| 3. Is the source code and any documentation available in an online project repository?
= Yes - http://code.google.com/p/zaproxy/source/checkout

| 4. Is there working code?
= Yes - http://code.google.com/p/zaproxy/source/checkout

| 5. Is there a roadmap for this project release which will take it from Alpha to Stable release?
= Yes - http://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project#tab=Roadmap

| 6. Are the Alpha pre-assessment items complete?
= I believe so

| 7. Is there an installer or stand-alone executable?
= Yes, for Windows, Linux and Mac OS (being generated now) - http://code.google.com/p/zaproxy/downloads/list

| 8. Is there user documentation on the OWASP project wiki page?
= There is some documentation on the project page http://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project, but this also references the Google Code page which includes the full user guide: http://code.google.com/p/zaproxy/wiki/HelpIntro, the latter is generated from the java help pages - migrating it to the OWASP wiki could prove tricky

| 9. Is there an "About box" or similar help item which lists the following?
= Yes - there is an about box which include things like the license and OWASP project page link. The credits are in the help file and online here: http://code.google.com/p/zaproxy/wiki/HelpCredits

| 10. Is there documentation on how to build the tool from source including obtaining the source from the code repository?
= Yes - http://code.google.com/p/zaproxy/wiki/Building

| 11. Is the tool documentation stored in the same repository as the source code?
= Yes - http://code.google.com/p/zaproxy/source/browse/#svn/wiki

| 12. Are the Alpha and Beta pre-assessment items complete?
= I believe so

| 13. Does the tool include documentation built into the tool?
= Yes - a full help file is included which is also available online: http://code.google.com/p/zaproxy/wiki/HelpIntro

| 14. Does the tool include build scripts to automate builds?
= Yes - http://code.google.com/p/zaproxy/source/browse/trunk/build/build.xml

| 15. Is there a publicly accessible bug tracking system?
= Yes - http://code.google.com/p/zaproxy/issues/list

| 16. Have any existing limitations of the tool been documented?
= Yes - all known limitations raised as bugs

}}

==== First Reviewer ====
'''''[[User:Dr. Markus Maria Miedaner|Markus]]'s Review:''''' 
Ideally, reviewers should be an existing OWASP project leader or chapter leader.

{{ Assessment Questions - Tools

| 1. Is an installer for the tool available and easy to use? How close does it reach the goal of a fully automated installer?
=

| 2. Is the end user documentation complete, relevant and presented on the OWASP wiki page?

=

|3. Does the tool have an “About box” or similar help item which allows the end user to get an overview of the state of this tool? Is this information readily available and easy to find?
=

| 4. Does the documentation on building the source provide the necessary information and detail to allow someone to build the tool? Is there sufficient detail and information for the target user? Is there any domain specific knowledge that is assumed and not provided?
=

| 5. Is the tool's documentation available with the source code and would it readily discoverable by a new user of the tool?
=

| 6. Is there anything missing that is critical enough to keep the release at a alpha quality?
=

| 7. Does the tool substantially address the application security issues it was created to solve?
=

| 8. Is the tool reasonably easy to use?
=

| 9. Does the documentation meet the needs of the tool users and is easily found?
=

| 10. Do the build scripts work as expected? Can you build the tool? The goal is a “One-click” build.
=

| 11. Is the bug tracking system usable? Is it hosted at the same place as the source code? (e.g. Google Code, Sourceforge)
=

| 12. Have you noted any limitations of the tool that are not already documented by the project lead.
=

| 13. Would you consider using this tool in your day to day work assuming your professional work includes a reason to use this tool? Why or why not?
=

| 14. What, if anything, is missing which would make this a more useful tool? Is what is missing critical enough to keep the release at a beta quality?
=

}}

==== Second Reviewer ====
'''''[[User:EoinKeary|EoinKeary]]'s Review:''''' 
It is recommended that an OWASP board member or Global Projects Committee member be the second reviewer on Quality releases. The board has the initial option to review the project, followed by the Global Projects Committee.

{{ Assessment Questions - Tools

| 1. Is an installer for the tool available and easy to use? How close does it reach the goal of a fully automated installer?
=

| 2. Is the end user documentation complete, relevant and presented on the OWASP wiki page?
=

|3. Does the tool have an “About box” or similar help item which allows the end user to get an overview of the state of this tool? Is this information readily available and easy to find?
=

| 4. Does the documentation on building the source provide the necessary information and detail to allow someone to build the tool? Is there sufficient detail and information for the target user? Is there any domain specific knowledge that is assumed and not provided?
=

| 5. Is the tool's documentation available with the source code and would it readily discoverable by a new user of the tool?
=

| 6. Is there anything missing that is critical enough to keep the release at a alpha quality?
=

| 7. Does the tool substantially address the application security issues it was created to solve?
=

| 8. Is the tool reasonably easy to use?
=

| 9. Does the documentation meet the needs of the tool users and is easily found?
=Yes

| 10. Do the build scripts work as expected? Can you build the tool? The goal is a “One-click” build.
=

| 11. Is the bug tracking system usable? Is it hosted at the same place as the source code? (e.g. Google Code, Sourceforge)
=

| 12. Have you noted any limitations of the tool that are not already documented by the project lead.
=

| 13. Would you consider using this tool in your day to day work assuming your professional work includes a reason to use this tool? Why or why not?
=

| 14. What, if anything, is missing which would make this a more useful tool? Is what is missing critical enough to keep the release at a beta quality?
=

}}

__NOTOC__
<headertabs/>

Projects/OWASP Zed Attack Proxy Project/GPC/Assessment/ZAP 1.3.1

2011-07-05T20:33:41Z

{{Template:<includeonly>{{{1}}}</includeonly><noinclude>Release Rating</noinclude>
| rating = -1
| criteria_version= 2
| project_name= OWASP Zed Attack Proxy Project
| release_name= ZAP 1.3.1
}}
<noinclude>[[Category: Release Assessment]]</noinclude>

Projects/OWASP Zed Attack Proxy Project/Releases/Current

2011-07-05T20:32:32Z

Axel Neumann: Redirected page to Projects/OWASP Zed Attack Proxy Project/Releases/ZAP 1.3.1

#REDIRECT [[Projects/OWASP Zed Attack Proxy Project/Releases/ZAP 1.3.1]]

Projects/OWASP Zed Attack Proxy Project/Releases/ZAP 1.3.1

2011-07-05T20:30:29Z

{{Template: <includeonly>{{{1}}}</includeonly><noinclude>Release About</noinclude>
| project_name = OWASP Zed Attack Proxy Project
| project_home_page = OWASP Zed Attack Proxy Project
| release_name = ZAP 1.3.1
| release_date = 07/05/2011

| release_description =

'''This release is a bugfix release without any new features. Compared to older releases, the 1.3.x branch includes the following significant changes:'''

* Fuzzing: Strings in a response can now be fuzzed to try to find vulnerabilities. Anti CRSF tokens can be detected and automatically regenerated when fuzzing. This functionality is based on code from the OWASP JBroFuzz project.
* Dynamic SSL certificates: The support for SSL connections was improved and simplified. User's can now create their own root certificate and distribute this into their HTTP clients.
* Daemon mode: Starting ZAP with the "-daemon" command line option will cause it to run in the background in 'headless' mode, meaning that no UI is displayed.
* API: An initial API has been implemented in XML, JSON and HTML.
* Beanshell integration: The BeanShell is an interactive Java shell that can be used to execute BeanShell scripts. BeanShell integration in OWASP ZAP enables you to write scripts using the ZAP functions and data set.
* Full internationalisation: All displayed strings are now fully internationalised.
* Localisation: Out of the box support for the following languages: English, Brazilian Portuguese, Chinese, French, German, Greek, Indonesian, Japanese, Polish, Spanish

| release_license = [http://www.apache.org/licenses/LICENSE-2.0 Apache License 2.0]
| release_download_link = http://code.google.com/p/zaproxy/downloads/list

| leader_name1 = Psiinon
| leader_email1 = psiinon@gmail.com
| leader_username1 = Psiinon

| release_notes = http://www.owasp.org/index.php/Projects/OWASP_Zed_Attack_Proxy_Project/Releases/ZAP_1.3.1/Notes
}}

OWASP Zed Attack Proxy Project

2011-07-05T20:26:48Z

Axel Neumann:

{{OWASP Builders}}
{{OWASP Breakers}}
==== Main ====
[[Image:ZAP-ScreenShotAddAlert.png|thumb|300px|right|ZAP Add Alert Screen Shot]]
[[Image:ZAP-ScreenShotHelp.png|thumb|300px|right|ZAP Help Screen Shot]]
[[Image:ZAP-ScreenShotHistoryFilter.png|thumb|300px|right|ZAP History Filter Screen Shot]]
[[Image:ZAP-ScreenShotSearchTab.png|thumb|300px|right|ZAP Search Tab Screen Shot]]

The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications.

It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing.

ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.

[[Image:ZAP-Download.png |
link=http://code.google.com/p/zaproxy/downloads/list]]

'''The current version of ZAP is [http://code.google.com/p/zaproxy/wiki/HelpReleases1_3_1 1.3.1].'''

<paypal>Zed Attack Proxy</paypal>

'''Some of ZAP's features:'''

* [http://code.google.com/p/zaproxy/wiki/HelpStartConceptsIntercept Intercepting Proxy]
* [http://code.google.com/p/zaproxy/wiki/HelpStartConceptsAscan Automated scanner]
* [http://code.google.com/p/zaproxy/wiki/HelpStartConceptsPscan Passive scanner]
* [http://code.google.com/p/zaproxy/wiki/HelpStartConceptsBruteforce Brute Force scanner]
* [http://code.google.com/p/zaproxy/wiki/HelpStartConceptsSpider Spider]
* [http://code.google.com/p/zaproxy/wiki/HelpStartConceptsFuzz Fuzzer]
* [http://code.google.com/p/zaproxy/wiki/HelpStartConceptsPortscan Port scanner]
* [http://code.google.com/p/zaproxy/wiki/HelpUiDialogsOptionsDynsslcert Dynamic SSL certificates]
* [http://code.google.com/p/zaproxy/wiki/HelpStartConceptsApi API]
* [http://code.google.com/p/zaproxy/wiki/HelpUiDialogsBeanshell Beanshell integration]

'''Some of ZAP's characteristics:'''

* Easy to install (just requires java 1.6)
* Ease of use a priority
* [http://code.google.com/p/zaproxy/wiki/HelpIntro Comprehensive help pages]
* Fully internationalized
* Under active development
* [http://www.apache.org/licenses/LICENSE-2.0 Open source]
* Free (no paid for 'Pro' version)
* Cross platform
* Involvement actively encouraged

'''It supports the following languages:'''

* English
* Brazilian Portuguese
* Chinese
* French
* Danish
* German
* Greek
* Indonesian
* Japanese
* Polish
* Spanish

ZAP is a fork of the well regarded [http://www.parosproxy.org/ Paros Proxy].

==== Roadmap ====

Details of previous releases can be found [http://code.google.com/p/zaproxy/wiki/HelpReleasesReleases here]

==Release 1.3.1==
Version [http://code.google.com/p/zaproxy/wiki/HelpReleases1_3_1 1.3.1] has just been released, which is a bugfix release.
Compared to previous releases, the 1.3.x branch adds the following main features:
* Fuzzing (using components from [http://www.owasp.org/index.php/Category:OWASP_JBroFuzz JBroFuzz])
* Dynamic SSL Certificates
* Daemon mode and API to allow other tools to interact with ZAP
* [http://www.beanshell.org/home.html BeanShell] integration
* Full internationalization
* Out of the box support for 10 languages

==Future Releases==

Future releases are likely to include:
* Further improvements to the passive and active automated scanners
* Further improvements the Spider
* Fuzzing analysis
* API extensions

====Get Involved====

Involvement in the development of ZAP is actively encouraged!

You do not have to be a security expert in order to contribute.

Some of the ways you can help:

==Feature Requests==

Please raise new feature requests as enhancement requests here: http://code.google.com/p/zaproxy/issues/list

If there are existing requests you are also interested in then please 'star' them - that way we can see which features people are most interested in and can prioritize them accordingly.

==Feedback==

Please use the [http://groups.google.com/group/zaproxy-develop zaproxy-develop Google Group] for feadback:
* What do like?
* What dont you like?
* What features could be made easier to use?
* How could the help pages be improved?

==Log issues==

Have you had a problem using ZAP?

If so and its not already been logged then please [http://code.google.com/p/zaproxy/issues/list report it]

==Localization==

Are you fluent in another language? Can you help translate ZAP into that language?

If so then please get in touch.

==Development==

If you fancy having a go at adding functionality to ZAP then please get in touch via the [http://groups.google.com/group/zaproxy-develop zaproxy-develop Google Group].

Again, you do not have to be a security expect to contribute code - working on ZAP could be great way to learn more about web application security!

If you actively contribute to ZAP then you will be invited to join the project.



==== Project About ====
{{:Projects/OWASP Zed Attack Proxy Project | Project About}}

__NOTOC__ <headertabs />

[[Category:OWASP_Project|Zed Attack Proxy Project]] [[Category:OWASP_Tool]] [[Category:OWASP_Alpha_Quality_Tool|OWASP Alpha Quality Tool]] [[Category:OWASP_Download]]

Breakers

2011-06-23T14:23:45Z

Axel Neumann:

==== OWASP Breakers ====

{| width="100%"
|- valign="top"
|
'''Breakers Community'''

A community of security professionals and stakeholders with the common goal of advancing the state of security in the area of security testing.

 '''Examples'''

TBA

 '''Target Audience'''

Application Security Professionals, Infrastructure Security Teams, Pentesters

 '''What Are OWASP Communities?'''

[http://www.owasp.org/index.php/Builders Builders], Breakers and [http://www.owasp.org/index.php/Defenders Defenders]; the idea of OWASP Communities is to bring together experts in the area that they are best at with the common goal of advancing the state of application security. This approach allows similar groups of professionals and experts to tackle security problems with the involvement of the most relevant stakeholders. The intent is to drive high quality output that is immediately usable by the target audience. More information about this vision can be found [http://michael-coates.blogspot.com/2011/02/vision-for-owasp.html here]

|
[[Image:OWASP-vision.jpg]]

|}

==== The Community ====
      

{| cellspacing="1" cellpadding="1" style="width: 404px; height: 413px;"
|-
|   
| '''Erwin Geirnaert''' ''ZION SECURITY'' ''erwin.geirnaert@zionsecurity.com'' ''http://www.zionsecurity.com/'' ''@ZIONSECURITY''
|
|
|-
| [[Image:SimonBennetts-OWASP.jpg]] 
| '''Simon Bennetts''' [[:OWASP Zed Attack Proxy Project|OWASP Zed Attack Proxy Project]] Lead psiinon@owasp.org http://pentest4devs.blogspot.com/ @psiinon
|
|
|-
|   
| '''Axel Neumann''' [[:OWASP Zed Attack Proxy Project|OWASP Zed Attack Proxy Project]] @x3l_ch
|
|
|-
| Your pic; 
| '''Your name''' ''Your company/project'' ''Your email'' ''Your website'' ''Your twitter''
|
|
|-
| Your pic; 
| '''Your name''' ''Your company/project'' ''Your email'' ''Your website'' ''Your twitter''
|
|}

Want to contribute to the OWASP Breakers Community? Add your info here!
 

==== Roadmap ====
To be determined

==== Official Breaker Projects ====

To be determined

==== All Breaker Related Projects ====
All projects that are related to the OWASP Breakers community can be found at the following link: [[:Category:OWASP_Breakers]]

__NOTOC__ <headertabs />

Projects/OWASP Zed Attack Proxy Project/GPC/Assessment/ZAP 1.3.0

2011-06-15T15:56:28Z

Axel Neumann:

{{Template:<includeonly>{{{1}}}</includeonly><noinclude>Release Rating</noinclude>
| rating = -1
| criteria_version= 2
| project_name= OWASP Zed Attack Proxy Project
| release_name= ZAP 1.3.0
}}
<noinclude>[[Category: Release Assessment]]</noinclude>

Projects/OWASP Zed Attack Proxy Project/Releases/Current

2011-06-15T15:52:20Z

Axel Neumann: Redirected page to Projects/OWASP Zed Attack Proxy Project/Releases/ZAP 1.3.0

#REDIRECT [[Projects/OWASP Zed Attack Proxy Project/Releases/ZAP 1.3.0]]

Projects/OWASP Zed Attack Proxy Project

2011-06-15T15:48:24Z

Axel Neumann:

{{Template:<includeonly>{{{1}}}</includeonly><noinclude>Project About</noinclude>

| project_name = OWASP Zed Attack Proxy Project

| project_home_page = OWASP_Zed_Attack_Proxy_Project

| project_description =
This project, OWASP Zed Attack Proxy Project (ZAP), provides an easy to use integrated penetration testing tool for testing web applications.

It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who a new to penetration testing.

ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.

| project_license = [http://www.apache.org/licenses/LICENSE-2.0 Apache License 2.0]

| leader_name1 = Psiinon
| leader_email1 = psiinon@gmail.com
| leader_username1 = Psiinon

| leader_name2 = Axel Neumann
| leader_email2 =
| leader_username2 = Axel_Neumann

| contributor_name[1-10] =
| contributor_email[1-10] =
| contributor_username[1-10] =

| pamphlet_link = http://www.owasp.org/images/e/e3/OWASP_ZAP_Flyer.pdf

| presentation_link = http://www.owasp.org/images/c/c8/Conference_Style_slides_for_ZAP.ppt

| mailing_list_name = https://lists.owasp.org/mailman/listinfo/owasp-zed-attack-proxy

| project_road_map = http://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project/Roadmap

| links_url1 = http://code.google.com/p/zaproxy/
| links_name1 = ZAP's Google Code page

| links_url2 = http://code.google.com/p/zaproxy/downloads/list
| links_name2 = Downloads

| links_url3 = http://code.google.com/p/zaproxy/issues/list
| links_name3 = Issues

| links_url4 = http://code.google.com/p/zaproxy/wiki/HelpIntro
| links_name4 = User Guide

| links_url5 = http://freshmeat.net/projects/zed-attack-proxy-zap
| links_name5 = Freshmeat page

| links_url6 = http://groups.google.com/group/zaproxy-develop
| links_name6 = Developer Group

| links_url7 = http://pentest4devs.blogspot.com/
| links_name7 = Penetration Testing for Developers Blog

| links_url8 = http://www.owasp.org/index.php/GPC_Project_Assessment/OWASP_Zed_Attack_Proxy_Project/ZAP_1.1.0
| links_name8 = GPC Project Assessment/OWASP Zed Attack Proxy Project/ZAP 1.1.0

| release_1 = ZAP 1.0.0

| release_2 = ZAP 1.1.0

| release_3 = ZAP 1.2.0

| release_4 = ZAP 1.3.0

| release_5 =

| project_about_page = Projects/OWASP_Zed_Attack_Proxy_Project
}}

Projects/OWASP Zed Attack Proxy Project/GPC/Assessment/ZAP 1.3.0

2011-06-15T15:44:52Z

Axel Neumann: Created page with "TBA"

TBA

Projects/OWASP Zed Attack Proxy Project/Releases/ZAP 1.3.0/Notes

2011-06-15T15:42:19Z

Axel Neumann: Created page with "The following changes were made in this release: == Significant changes: == '''Fuzzing''' Strings in a response can now be fuzzed to try to find vulnerabilities. Anti CRSF to..."

The following changes were made in this release:

== Significant changes: ==

'''Fuzzing'''

Strings in a response can now be fuzzed to try to find vulnerabilities.
Anti CRSF tokens can be detected and automatically regenerated when fuzzing.
This functionality is based on code from the OWASP JBroFuzz project.

'''Dynamic SSL certificates'''

The support for SSL connections was improved and simplified.
User's can now create their own root certificate and distribute this into their HTTP clients.

'''Daemon mode and API'''

Starting ZAP with the "-daemon" command line option will cause it to run in the background in 'headless' mode,
meaning that no UI is displayed.

An initial API has been implemented in XML, JSON and HTML.

If ZAP is running as a daemon then the API is automatically enabled, otherwise the API must be enabled via the Options API screen. 
The API can be navigated by opening http://zap/ in your browser when proxying via ZAP.

'''Beanshell integration'''

The BeanShell is an interactive Java shell that can be used to execute BeanShell scripts. These scripts are a simplified form of Java that use many elements from Java syntax, but in a simpler scripting format. All Java code is also valid BeanShell code. BeanShell integration in OWASP ZAP enables you to write scripts using the ZAP functions and data set. This can be a very powerful feature for analyzing web applications.

'''Full internationalisation'''

All display string are now fully internationalised.

'''Localisation'''

Out of the box support for the following languages:
* English
* Brazilian Portuguese
* Chinese
* French
* German
* Greek
* Indonesian
* Japanese
* Polish
* Spanish

== Minor changes: ==

'''Hex view'''

The Request and Response tabs now provide a 'Hex View' option which will display the request and response bodies in hex format.

'''Search results'''

The Search tab now displays all instances of a string found rather than just the first instance in each request or response.

'''Exclude URLs'''

URLs can be explicitly excluded from the active scanner, spider and from the proxy.

'''Copy support'''

Most of the panels now provide a 'right click' 'Copy' menu option, including the Port Scan and Brute Force panels.

'''Undo/Redo support'''

All of the input fields now support Undo/Redo actions using the operating systems default Undo/Redo accelerators:
* Windows/Linux: Ctrl+Z / Ctrl+Y
* Mac OS X: Cmd+Z / Cmd+Shift+Z

'''Port scanner proxy support and timeout option'''

The Port Scanner can now use the outgoing proxy (if configured) and the timeout in milliseconds can also now be set.

'''Request and response break buttons'''

There are now 2 'Set Break' buttons to allow breaks to be set on all requests and all responses independently.

'''Expand Sites and Information tab buttons'''

There are now 2 buttons which allow you to switch between having the Sites and Information tabs expanded.

'''Break tab icon changes colour when break point hit'''

While the Break tab is not in use its icon is a grey cross.
When a break point is hit the tab icon is changed to a red cross.

'''Adjustable timeout'''

The Option: Connection screen allows you to set the timeout in seconds
to make it easier to test slow applications.

'''Library updates'''

Most of the libraries used by ZAP have been updated to the latest versions.

'''A new icon :)'''

Thanks to Simon Egli and all others for submitting cool icon suggestions.

== Known Issues: ==

'''Mac OS X: Dynamic SSL and Google Chrome'''

Currently Dynamic SSL is not working when using Google Chrome. This is because of an unresolved known issue with Google Chrome and Mac OS X Keychain. When importing OWASP ZAP's Root CA into the keychain and requesting a SSL website, an "Invalid certificate" error message is shown.

Projects/OWASP Zed Attack Proxy Project/Releases/ZAP 1.3.0

2011-06-15T15:30:22Z

{{Template: <includeonly>{{{1}}}</includeonly><noinclude>Release About</noinclude>
| project_name = OWASP Zed Attack Proxy Project
| project_home_page = OWASP Zed Attack Proxy Project
| release_name = ZAP 1.3.0
| release_date = 06/06/2011

| release_description =

'''This release includes the following significant changes:'''

* Fuzzing: Strings in a response can now be fuzzed to try to find vulnerabilities. Anti CRSF tokens can be detected and automatically regenerated when fuzzing. This functionality is based on code from the OWASP JBroFuzz project.
* Dynamic SSL certificates: The support for SSL connections was improved and simplified. User's can now create their own root certificate and distribute this into their HTTP clients.
* Daemon mode: Starting ZAP with the "-daemon" command line option will cause it to run in the background in 'headless' mode, meaning that no UI is displayed.
* API: An initial API has been implemented in XML, JSON and HTML.
* Beanshell integration: The BeanShell is an interactive Java shell that can be used to execute BeanShell scripts. BeanShell integration in OWASP ZAP enables you to write scripts using the ZAP functions and data set.
* Full internationalisation: All displayed strings are now fully internationalised.
* Localisation: Out of the box support for the following languages: English, Brazilian Portuguese, Chinese, French, German, Greek, Indonesian, Japanese, Polish, Spanish

| release_license = [http://www.apache.org/licenses/LICENSE-2.0 Apache License 2.0]
| release_download_link = http://code.google.com/p/zaproxy/downloads/list

| leader_name1 = Psiinon
| leader_email1 = psiinon@gmail.com
| leader_username1 = Psiinon

| release_notes = http://www.owasp.org/index.php/Projects/OWASP_Zed_Attack_Proxy_Project/Releases/ZAP_1.3.0/Notes
}}

Projects/OWASP Zed Attack Proxy Project

2011-06-15T15:19:01Z

Axel Neumann:

{{Template:<includeonly>{{{1}}}</includeonly><noinclude>Project About</noinclude>

| project_name = OWASP Zed Attack Proxy Project

| project_home_page = OWASP_Zed_Attack_Proxy_Project

| project_description =
This project, OWASP Zed Attack Proxy Project (ZAP), provides an easy to use integrated penetration testing tool for testing web applications.

It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who a new to penetration testing.

ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.

| project_license = [http://www.apache.org/licenses/LICENSE-2.0 Apache License 2.0]

| leader_name1 = Psiinon
| leader_email1 = psiinon@gmail.com
| leader_username1 = Psiinon

| leader_name2 = Axel Neumann
| leader_email2 =
| leader_username2 = Axel_Neumann

| contributor_name[1-10] =
| contributor_email[1-10] =
| contributor_username[1-10] =

| pamphlet_link = http://www.owasp.org/images/e/e3/OWASP_ZAP_Flyer.pdf

| presentation_link = http://www.owasp.org/images/c/c8/Conference_Style_slides_for_ZAP.ppt

| mailing_list_name = https://lists.owasp.org/mailman/listinfo/owasp-zed-attack-proxy

| project_road_map = http://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project/Roadmap

| links_url1 = http://code.google.com/p/zaproxy/
| links_name1 = ZAP's Google Code page

| links_url2 = http://code.google.com/p/zaproxy/downloads/list
| links_name2 = Downloads

| links_url3 = http://code.google.com/p/zaproxy/issues/list
| links_name3 = Issues

| links_url4 = http://code.google.com/p/zaproxy/wiki/HelpIntro
| links_name4 = User Guide

| links_url5 = http://freshmeat.net/projects/zed-attack-proxy-zap
| links_name5 = Freshmeat page

| links_url6 = http://groups.google.com/group/zaproxy-develop
| links_name6 = Developer Group

| links_url7 = http://pentest4devs.blogspot.com/
| links_name7 = Penetration Testing for Developers Blog

| links_url8 = http://www.owasp.org/index.php/GPC_Project_Assessment/OWASP_Zed_Attack_Proxy_Project/ZAP_1.1.0
| links_name8 = GPC Project Assessment/OWASP Zed Attack Proxy Project/ZAP 1.1.0

| release_1 = ZAP 1.0.0

| release_2 = ZAP 1.1.0

| release_3 = ZAP 1.2.0

| release_4 =

| project_about_page = Projects/OWASP_Zed_Attack_Proxy_Project
}}

OWASP Zed Attack Proxy Project

2011-03-08T14:43:06Z

Axel Neumann:

==== Main ====
[[Image:ZAP-ScreenShotAddAlert.png|thumb|300px|right|ZAP Add Alert Screen Shot]]
[[Image:ZAP-ScreenShotHelp.png|thumb|300px|right|ZAP Help Screen Shot]]
[[Image:ZAP-ScreenShotHistoryFilter.png|thumb|300px|right|ZAP History Filter Screen Shot]]
[[Image:ZAP-ScreenShotSearchTab.png|thumb|300px|right|ZAP Search Tab Screen Shot]]

The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications.

It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing.

ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.

'''Please take our [http://www.kwiksurveys.com/online-survey.php?surveyID=IIEOLN_d6d2ce53 Online Survey] to let us know what you would like the developers to focus on.'''

[[Image:ZAP-Download.png |
link=http://code.google.com/p/zaproxy/downloads/list]]

'''The current version of ZAP is [http://code.google.com/p/zaproxy/wiki/HelpReleases1_2_0 1.2.0].'''

'''Some of ZAP's features:'''

* [http://code.google.com/p/zaproxy/wiki/HelpStartConceptsIntercept Intercepting Proxy]
* [http://code.google.com/p/zaproxy/wiki/HelpStartConceptsAscan Automated scanner]
* [http://code.google.com/p/zaproxy/wiki/HelpStartConceptsPscan Passive scanner]
* [http://code.google.com/p/zaproxy/wiki/HelpStartConceptsBruteforce Brute Force scanner]
* [http://code.google.com/p/zaproxy/wiki/HelpStartConceptsPortscan Port scanner]
* [http://code.google.com/p/zaproxy/wiki/HelpStartConceptsSpider Spider]

'''Some of ZAP's characteristics:'''

* Easy to install (just requires java 1.6)
* Ease of use a priority
* [http://code.google.com/p/zaproxy/wiki/HelpIntro Comprehensive help pages]
* Under active development
* [http://www.apache.org/licenses/LICENSE-2.0 Open source]
* Free (no paid for 'Pro' version)
* Cross platform
* Involvement actively encouraged

'''It supports the following languages:'''

* English
* Brazilian Portuguese
* Chinese
* French
* German
* Greek
* Japanese
* Polish
* Spanish

ZAP is a fork of the well regarded [http://www.parosproxy.org/ Paros Proxy].

==== Roadmap ====

Details of previous releases can be found [http://code.google.com/p/zaproxy/wiki/HelpReleasesReleases here]

==Release 1.3.0==

The developments planned for this release include:
* [http://www.beanshell.org/home.html BeanShell] integration
* Fuzzing (using components from [http://www.owasp.org/index.php/Category:OWASP_JBroFuzz JBroFuzz])
* APIs to allow other tools to interact with ZAP
* Full internationalization

==Future Releases==

Future releases are likely to include:
* Further improvements to the passive and active automated scanners
* Further improvements the Spider

====Get Involved====

Involvement in the development of ZAP is actively encouraged!

You do not have to be a security expert in order to contribute.

Some of the ways you can help:

==Feature Requests==

Please raise new feature requests as enhancement requests here: http://code.google.com/p/zaproxy/issues/list

If there are existing requests you are also interested in then please 'star' them - that way we can see which features people are most interested in and can prioritize them accordingly.

==Feedback==

Please use the [http://groups.google.com/group/zaproxy-develop zaproxy-develop Google Group] for feadback:
* What do like?
* What dont you like?
* What features could be made easier to use?
* How could the help pages be improved?

==Log issues==

Have you had a problem using ZAP?

If so and its not already been logged then please [http://code.google.com/p/zaproxy/issues/list report it]

==Localization==

Are you fluent in another language? Can you help translate ZAP into that language?

If so then please get in touch.

==Development==

If you fancy having a go at adding functionality to ZAP then please get in touch via the [http://groups.google.com/group/zaproxy-develop zaproxy-develop Google Group].

Again, you do not have to be a security expect to contribute code - working on ZAP could be great way to learn more about web application security!

If you actively contribute to ZAP then you will be invited to join the project.



==== Project About ====
{{:Projects/OWASP Zed Attack Proxy Project}}

__NOTOC__ <headertabs />

[[Category:OWASP_Project|Zed Attack Proxy Project]] [[Category:OWASP_Tool]] [[Category:OWASP_Alpha_Quality_Tool|OWASP Alpha Quality Tool]] [[Category:OWASP_Download]]