= Main =
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=]]</div>
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |
[[Image:zap128x128.png|right]]
{{ReviewProject|projectname=zaproxy|language=en}}
<div style="font-size:120%;border:none;margin: 0;color:#000">
The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers[[#Justification|*]]. It can help you automatically find security vulnerabilities in your web applications while you are developing and testing your applications. Its also a great tool for experienced pentesters to use for manual security testing.

[[Image:ZAP-Download.png | link=https://github.com/zaproxy/zaproxy/wiki/Downloads]]

====ZAP in Ten - Video series====
An ongoing series of up to 10 minute videos about ZAP, starting with the basics.

The first episode and the full series are available via:

[[Image:01-ZAP-in-Ten-small.png | link=http://play.sonatype.com/watch/RyTy22GZV6UccW41UCghC8?]]
[[Image:02-ZAP-in-Ten-small.png | link=https://www.alldaydevops.com/zap-in-ten]]

====Please help us to make ZAP even better for you by answering the [https://docs.google.com/forms/d/1-k-vcj_sSxlil6XLxCFade-m-IQVeE2h9gduA-2ZPPA/viewform ZAP User Questionnaire]!====

Interested in a ZAP talk or training event? See the [https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project#tab=Talks talks] tab. Not one near you? Contact a [https://github.com/zaproxy/zaproxy/wiki/ZapEvangelists Zap Evangelist] to arrange one!

For general information about ZAP:
* [https://twitter.com/zaproxy Twitter] - official ZAP announcements (low volume)
* [https://zaproxy.blogspot.co.uk/ Blog] - official ZAP blog

For help using ZAP:
* [https://github.com/zaproxy/zaproxy/releases/download/v2.8.0/ZAPGettingStartedGuide-2.8.pdf Getting Started Guide (pdf)] - an introductory guide you can print
* [https://www.youtube.com/playlist?list=PLEBitBW-Hlsv8cEIUntAO8st2UGhmrjUB Tutorial Videos]
* [https://github.com/zaproxy/zap-core-help/wiki User Guide] - online version of the User Guide included with ZAP
* [https://groups.google.com/group/zaproxy-users User Group] - ask questions about using ZAP
* [https://github.com/zaproxy/zap-extensions/wiki Add-ons] - help for the optional add-ons you can install
* [https://stackoverflow.com/questions/tagged/zap StackOverflow] - because some people use this for all everything ;)

To learn more about ZAP development:
* [https://github.com/zaproxy Source Code] - for all of the ZAP related projects
* [https://github.com/zaproxy/zaproxy/wiki/Introduction Wiki] - lots of detailed info
* [https://groups.google.com/group/zaproxy-develop Developer Group] - ask questions about the ZAP internals
* [https://crowdin.com/project/owasp-zap Crowdin (GUI)] - help translate the ZAP GUI
* [https://crowdin.com/project/owasp-zap-help Crowdin (User Guide)] - help translate the ZAP User Guide
* [https://www.openhub.net/p/zaproxy OpenHub] - FOSS analytics
* [https://www.bountysource.com/teams/zap/issues BountySource] - Vote on ZAP issues (you can also donate money here, but 10% taken out)

===Justification===
Justification for the statements made in the tagline at the top;)

Popularity:
* ToolsWatch Annual Best Free/Open Source Security Tool Survey:
** 2016 [http://www.toolswatch.org/2017/02/2016-top-security-tools-as-voted-by-toolswatch-org-readers/ 2nd]
** 2015 [http://www.toolswatch.org/2016/02/2015-top-security-tools-as-voted-by-toolswatch-org-readers/ 1st]
** 2014 [http://www.toolswatch.org/2015/01/2014-top-security-tools-as-voted-by-toolswatch-org-readers/ 2nd]
** 2013 [http://www.toolswatch.org/2013/12/2013-top-security-tools-as-voted-by-toolswatch-org-readers/ 1st]

Contributors:
* [https://www.openhub.net/p/zaproxy Code Contributors]
* [https://crowdin.com/project/owasp-zap ZAP core i18n Contributors]
* [https://crowdin.com/project/owasp-zap-help ZAP help i18n Contributors]

{{Social Media Links}}

| style="padding-left:25px;width:200px;" valign="top" |

== Quick Download ==

[https://github.com/zaproxy/zaproxy/wiki/Downloads Download OWASP ZAP!]

== Donate to ZAP ==

<div class="center" style="width: auto; margin-left: auto; margin-right: auto;">{{#widget:PayPal Donation
|target=_blank
|budget=Zed Attack Proxy }}
</div>

== News and Events ==
Please see the [https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project#News News] and [https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project#Talks Talks] tabs

== Change Log ==
* [https://github.com/zaproxy/zaproxy/commits/develop zaproxy]
* [https://github.com/zaproxy/zap-extensions/commits/master zap-extensions]

== Code Repo ==
* [https://github.com/zaproxy/zaproxy/ zaproxy]
* [https://github.com/zaproxy/zap-extensions/ zap-extensions]

== Email List ==

Questions? Please ask on the [http://groups.google.com/group/zaproxy-users ZAP User Group]

== Project Leader ==

Project Leader<br />[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @]

Co-Project Leaders<br />[https://www.owasp.org/index.php/User:Ricardo.Pereira Ricardo Pereira] [mailto:ricardo.pereira@owasp.org @]

[https://www.owasp.org/index.php/User:Rick.mitchell Rick Mitchell] [mailto:rick.mitchell+wiki@owasp.org @]

== Related Projects ==

* [https://www.owasp.org/index.php/OWASP_Web_Testing_Environment_Project OWASP WTE]
* [https://www.owasp.org/index.php/OWASP_OWTF OWASP OWTF]

== Open Hub Stats ==

*https://www.openhub.net/p/zaproxy

==Classifications==

{| cellpadding="2" width="200"
|-
| rowspan="2" align="center" width="50%" valign="top" | [[File:Mature projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]
| align="center" width="50%" valign="center" | [[File:Owasp-builders-small.png|link=]]
|
|-
| align="center" width="50%" valign="center" | [[File:Owasp-breakers-small.png|link=]]
|-
| colspan="2" align="center" | [http://www.apache.org/licenses/LICENSE-2.0 Apache 2 License]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=]]
|}

|}

= Screenshots =
[[Image:zap128x128.png|right]]
{|
|-
|
[[Image:ZAP-ScreenShotAddAlert.png|||400px|ZAP Add Alert Screen Shot]]
|
[[Image:ZAP-ScreenShotHelp.png||400px|left|ZAP Help Screen Shot]]
|-
|
[[Image:ZAP-ScreenShotHistoryFilter.png|thumb|400px|left|ZAP History Filter Screen Shot]]
|
[[Image:ZAP-ScreenShotSearchTab.png|thumb|400px|left|ZAP Search Tab Screen Shot]]
|}

= Talks =
[[Image:zap128x128.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
{{:Projects/OWASP Zed Attack Proxy Project/Pages/Talks | Talks}}

</div>
= News =
[[Image:zap128x128.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
{{:Projects/OWASP Zed Attack Proxy Project/Pages/News | News}}

</div>
= ZAP Gear =
[[Image:zap128x128.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

Yes, you can now buy ZAP related gear!

All of the artwork for ZAP swag is released under the Creative Common License and can be downloaded from the [https://github.com/zaproxy/zap-swag zap-swag] repo.

You can of course use the artwork from this repo with any other online store that you like.

A range of products can be purchased from [http://www.redbubble.com/people/zaproxy Redbubble]

T-shirts can be purchased from [http://www.cafepress.com/zaproxy Cafepress]

[[Image:zap-tshirt-cp.PNG | link=http://www.cafepress.com/zaproxy]]

</div>

= Supporters =
[[Image:zap128x128.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

ZAP is developed by a worldwide [https://github.com/zaproxy/zap-core-help/wiki/HelpCredits team] of volunteers.

But we have also been helped by many organizations, either financially or by encouraging their employees to work on ZAP:

* [http://www.mozilla.org Mozilla]
* [http://www.linuxfoundation.org/ The Linux Foundation]
* [https://segment.com/ Segment]
* [http://www.owasp.org OWASP]
* [http://www.sage.co.uk Sage]
* [http://www.google.com Google]
* [http://www.microsoft.com Microsoft]
* [http://www.hacktics.com/ Hacktics, Ernst & Young]
* [http://www.dinosec.com/ DinoSec]
* [http://www.denimgroup.com Denim Group]
* [http://www.aspectsecurity.com/ Aspect Security]
* [http://secureideas.net SecureIdeas]
* [http://utilisec.com UtiliSec]
* [http://www.encription.co.uk/ encription]
* [https://www.accenture.com/us-en/digital-index.aspx Accenture Digital]
</div>

= Functionality =
[[Image:zap128x128.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
'''Some of ZAP's functionality:'''

* [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsIntercept Man-in-the-middle Proxy]
* [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsSpider Traditional] and AJAX spiders
* [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsAscan Automated scanner]
* [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsPscan Passive scanner]
* [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsBruteforce Forced browsing]
* [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsFuzz Fuzzer]
* [https://github.com/zaproxy/zap-core-help/wiki/HelpUiDialogsOptionsDynsslcert Dynamic SSL certificates]
* [https://github.com/zaproxy/zap-core-help/wiki/SmartCards Smartcard and Client Digital Certificates support]
* [https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsWebsocketIntroduction Web sockets] support
* [https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsScriptsScripts Support for a wide range of scripting languages]
* [https://github.com/zaproxy/zap-core-help/wiki//HelpAddonsPlugnhackPlugnhack Plug-n-Hack support]
* Authentication and session support
* [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsApi Powerful REST based API]
* Automatic updating option
* [https://github.com/zaproxy/zap-extensions/wiki Integrated and growing marketplace of add-ons]

</div>
= Features =
[[Image:zap128x128.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
'''Some of ZAP's features:'''

* [http://www.apache.org/licenses/LICENSE-2.0 Open source]
* Cross platform (it even runs on a [https://github.com/zaproxy/zaproxy/wiki/zappi Raspberry Pi!])
* Easy to install (using a [https://www.ej-technologies.com/products/install4j/overview.html multi-platform installer builder])
* Completely free (no paid for 'Pro' version)
* Ease of use a priority
* [https://github.com/zaproxy/zap-core-help/wiki/HelpIntro Comprehensive help pages]
* Fully internationalized
* Translated into over 20 languages
* Community based, with involvement actively encouraged
* Under active development by an international team of volunteers

ZAP is a fork of the well regarded [http://www.parosproxy.org/ Paros Proxy].

</div>

= Languages =
[[Image:zap128x128.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

'''ZAP supports the following languages:'''

* English
* Arabic
* Bosnian
* Brazilian Portuguese
* Chinese
* Danish
* Filipino
* French
* German
* Greek
* Hungarian
* Indonesian
* Italian
* Japanese
* Korean
* Persian
* Polish
* Russian
* Sinhala
* Spanish
* Urdu

You can use [http://crowdin.net/project/owasp-zap Crowdin] to help improve these translations or add new ones right now!

</div>

= Roadmap =
[[Image:zap128x128.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

==Release 2.6.0==
ZAP 2.6.0 has been released, this is a bug fix and enhancement release

For more details see https://github.com/zaproxy/zap-core-help/wiki/HelpReleases2_6_0

==Release 2.7.0==
ZAP 2.7.0 has been released (Nov 2017), this is a bug fix and enhancement release

For more details see https://github.com/zaproxy/zap-core-help/wiki/HelpReleases2_7_0

It requires Java 8 (minimum) and supports Selenium 3.

==Release 2.8.0==
ZAP 2.8.0 has been released (June 2019), this is a bug fix and enhancement release

For more details see https://github.com/zaproxy/zap-core-help/wiki/HelpReleases2_8_0

</div>

= Get Involved =
[[Image:zap128x128.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

Involvement in the development of ZAP is actively encouraged!

You do not have to be a security expert in order to contribute.

Some of the ways you can help:

==Feature Requests==

Please raise new feature requests as enhancement requests here: https://github.com/zaproxy/zaproxy/issues

If there are existing requests you are also interested in then please 'star' them - that way we can see which features people are most interested in and can prioritize them accordingly.

==Feedback==

Please use the [http://groups.google.com/group/zaproxy-users zaproxy-users Google Group] for feedback:
* What do like?
* What don't you like?
* What features could be made easier to use?
* How could the help pages be improved?

==Log issues==

Have you had a problem using ZAP?

If so and its not already been logged then please [https://github.com/zaproxy/zaproxy/issues report it]

==Localization==

Are you fluent in another language? Can you help translate ZAP into that language?

You can use [http://crowdin.net/project/owasp-zap Crowdin] to do that!

==Development==

If you fancy having a go at adding functionality to ZAP then please get in touch via the [http://groups.google.com/group/zaproxy-develop zaproxy-develop Google Group].

Again, you do not have to be a security expert to contribute code - working on ZAP could be great way to learn more about web application security!

If you actively contribute to ZAP then you will be invited to join the project.

</div>

__NOTOC__ <headertabs></headertabs>

[[Category:OWASP Project|Zed Attack Proxy Project]]
[[Category:OWASP_Tool]]
[[Category:OWASP Release Quality Tool|OWASP Release Quality Tool]]
[[Category:OWASP_Download]]
[[Category:Popular]]
[[Category:SAMM-ST-2]]
[[Category:Flagship Projects|Zap]]
[[Category:OWASP Zed Attack Proxy|Zap]]

File:02-ZAP-in-Ten-small.png

2019-11-26T16:13:17Z

Psiinon:

2019-02-04T14:07:24Z

Psiinon:

GSoC2019 Ideas

2019-02-04T14:06:28Z

Psiinon: Added ZAP projects

OWASP Zed Attack Proxy Project

2018-06-14T08:06:37Z

Psiinon: Added Segment to list of supporters

= Main =
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=]]</div>
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |
[[Image:zap128x128.png|right]]
{{ReviewProject|projectname=zaproxy|language=en}}
<div style="font-size:120%;border:none;margin: 0;color:#000">
The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers[[#Justification|*]]. It can help you automatically find security vulnerabilities in your web applications while you are developing and testing your applications. Its also a great tool for experienced pentesters to use for manual security testing.

====ZAP 2.7.0 is now available!====

[[Image:ZAP-Download.png | link=https://github.com/zaproxy/zaproxy/wiki/Downloads]]

====Please help us to make ZAP even better for you by answering the [https://docs.google.com/forms/d/1-k-vcj_sSxlil6XLxCFade-m-IQVeE2h9gduA-2ZPPA/viewform ZAP User Questionnaire]!====

For a quick overview of ZAP and an introduction to the [https://wiki.jenkins-ci.org/display/JENKINS/zap+plugin official ZAP Jenkins plugin] see these tutorial videos on YouTube:

{|
|-
{{#ev:youtube|eH0RBI0nmww}} 
{{#ev:youtube|mmHZLSffCUg}}
|}

For more videos see the links on the [https://github.com/zaproxy/zaproxy/wiki/Videos wiki videos page].

Interested in a ZAP talk or training event? See the [https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project#tab=Talks talks] tab. Not one near you? Contact a [https://github.com/zaproxy/zaproxy/wiki/ZapEvangelists Zap Evangelist] to arrange one!

{{#widget:PayPal Donation
|target=_blank
|budget=Zed Attack Proxy
}}

For general information about ZAP:
* [https://twitter.com/zaproxy Twitter] - official ZAP announcements (low volume)
* [https://zaproxy.blogspot.co.uk/ Blog] - official ZAP blog

For help using ZAP:
* [https://github.com/zaproxy/zaproxy/releases/download/2.6.0/ZAPGettingStartedGuide-2.6.pdf Getting Started Guide (pdf)] - an introductory guide you can print
* [https://www.youtube.com/playlist?list=PLEBitBW-Hlsv8cEIUntAO8st2UGhmrjUB Tutorial Videos]
* [https://github.com/zaproxy/zap-core-help/wiki User Guide] - online version of the User Guide included with ZAP
* [https://groups.google.com/group/zaproxy-users User Group] - ask questions about using ZAP
* [https://github.com/zaproxy/zap-extensions/wiki Add-ons] - help for the optional add-ons you can install
* [https://stackoverflow.com/questions/tagged/zap StackOverflow] - because some people use this for all everything ;)

To learn more about ZAP development:
* [https://github.com/zaproxy Source Code] - for all of the ZAP related projects
* [https://github.com/zaproxy/zaproxy/wiki/Introduction Wiki] - lots of detailed info
* [https://groups.google.com/group/zaproxy-develop Developer Group] - ask questions about the ZAP internals
* [https://crowdin.com/project/owasp-zap Crowdin (GUI)] - help translate the ZAP GUI
* [https://crowdin.com/project/owasp-zap-help Crowdin (User Guide)] - help translate the ZAP User Guide
* [https://www.openhub.net/p/zaproxy OpenHub] - FOSS analytics
* [https://www.bountysource.com/teams/zap/issues BountySource] - Vote on ZAP issues (you can also donate money here, but 10% taken out)

===Justification===
Justification for the statements made in the tagline at the top;)

Popularity:
* ToolsWatch Annual Best Free/Open Source Security Tool Survey:
** 2016 [http://www.toolswatch.org/2017/02/2016-top-security-tools-as-voted-by-toolswatch-org-readers/ 2nd]
** 2015 [http://www.toolswatch.org/2016/02/2015-top-security-tools-as-voted-by-toolswatch-org-readers/ 1st]
** 2014 [http://www.toolswatch.org/2015/01/2014-top-security-tools-as-voted-by-toolswatch-org-readers/ 2nd]
** 2013 [http://www.toolswatch.org/2013/12/2013-top-security-tools-as-voted-by-toolswatch-org-readers/ 1st]

Contributors:
* [https://www.openhub.net/p/zaproxy Code Contributors]
* [https://crowdin.com/project/owasp-zap ZAP core i18n Contributors]
* [https://crowdin.com/project/owasp-zap-help ZAP help i18n Contributors]

{{Social Media Links}}

| style="padding-left:25px;width:200px;" valign="top" |

== Quick Download ==

[https://github.com/zaproxy/zaproxy/wiki/Downloads Download OWASP ZAP!]

== Donate to OWASP ==
<div class="center" style="width: auto; margin-left: auto; margin-right: auto;">{{#widget:PayPal Donation
|target=_blank
|budget=Other (Website Donation) }}</div>

== News and Events ==
Please see the [https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project#News News] and [https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project#Talks Talks] tabs

== Change Log ==
* [https://github.com/zaproxy/zaproxy/commits/develop zaproxy]
* [https://github.com/zaproxy/zap-extensions/commits/master zap-extensions]

== Code Repo ==
* [https://github.com/zaproxy/zaproxy/ zaproxy]
* [https://github.com/zaproxy/zap-extensions/ zap-extensions]

== Email List ==

Questions? Please ask on the [http://groups.google.com/group/zaproxy-users ZAP User Group]

== Project Leader ==

Project Leader<br />[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @]

Co-Project Leaders<br />[https://www.owasp.org/index.php/User:Ricardo.Pereira Ricardo Pereira] [mailto:ricardo.pereira@owasp.org @]

[https://www.owasp.org/index.php/User:Rick.mitchell Rick Mitchell] [mailto:rick.mitchell+wiki@owasp.org @]

== Related Projects ==

* [https://www.owasp.org/index.php/OWASP_Web_Testing_Environment_Project OWASP WTE]
* [https://www.owasp.org/index.php/OWASP_OWTF OWASP OWTF]

== Ohloh ==

*https://www.openhub.net/p/zaproxy

==Classifications==

{| cellpadding="2" width="200"
|-
| rowspan="2" align="center" width="50%" valign="top" | [[File:Mature projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]
| align="center" width="50%" valign="center" | [[File:Owasp-builders-small.png|link=]]
|
|-
| align="center" width="50%" valign="center" | [[File:Owasp-breakers-small.png|link=]]
|-
| colspan="2" align="center" | [http://www.apache.org/licenses/LICENSE-2.0 Apache 2 License]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=]]
|}

|}

= Screenshots =
[[Image:zap128x128.png|right]]
{|
|-
|
[[Image:ZAP-ScreenShotAddAlert.png|||400px|ZAP Add Alert Screen Shot]]
|
[[Image:ZAP-ScreenShotHelp.png||400px|left|ZAP Help Screen Shot]]
|-
|
[[Image:ZAP-ScreenShotHistoryFilter.png|thumb|400px|left|ZAP History Filter Screen Shot]]
|
[[Image:ZAP-ScreenShotSearchTab.png|thumb|400px|left|ZAP Search Tab Screen Shot]]
|}

= Talks =
[[Image:zap128x128.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
{{:Projects/OWASP Zed Attack Proxy Project/Pages/Talks | Talks}}

</div>
= News =
[[Image:zap128x128.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
{{:Projects/OWASP Zed Attack Proxy Project/Pages/News | News}}

</div>
= ZAP Gear =
[[Image:zap128x128.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

Yes, you can now buy ZAP related gear!

All of the artwork for ZAP swag is released under the Creative Common License and can be downloaded from the [https://github.com/zaproxy/zap-swag zap-swag] repo.

You can of course use the artwork from this repo with any other online store that you like.

A range of products can be purchased from [http://www.redbubble.com/people/zaproxy Redbubble]

Stickers can be purchased from [https://www.stickermule.com/uk/user/1070684077/stickers Stickermule]

T-shirts can be purchased from [http://www.cafepress.com/zaproxy Cafepress]

[[Image:zap-tshirt-cp.PNG | link=http://www.cafepress.com/zaproxy]]

</div>

= Supporters =
[[Image:zap128x128.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

ZAP is developed by a worldwide [https://github.com/zaproxy/zap-core-help/wiki/HelpCredits team] of volunteers.

But we have also been helped by many organizations, either financially or by encouraging their employees to work on ZAP:

* [http://www.mozilla.org Mozilla]
* [http://www.linuxfoundation.org/ The Linux Foundation]
* [https://segment.com/ Segment]
* [http://www.owasp.org OWASP]
* [http://www.sage.co.uk Sage]
* [http://www.google.com Google]
* [http://www.microsoft.com Microsoft]
* [http://www.hacktics.com/ Hacktics, Ernst & Young]
* [http://www.dinosec.com/ DinoSec]
* [http://www.denimgroup.com Denim Group]
* [http://www.aspectsecurity.com/ Aspect Security]
* [http://secureideas.net SecureIdeas]
* [http://utilisec.com UtiliSec]
* [http://www.encription.co.uk/ encription]
* [https://www.accenture.com/us-en/digital-index.aspx Accenture Digital]
</div>

= Functionality =
[[Image:zap128x128.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
'''Some of ZAP's functionality:'''

* [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsIntercept Man-in-the-middle Proxy]
* [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsSpider Traditional] and AJAX spiders
* [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsAscan Automated scanner]
* [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsPscan Passive scanner]
* [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsBruteforce Forced browsing]
* [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsFuzz Fuzzer]
* [https://github.com/zaproxy/zap-core-help/wiki/HelpUiDialogsOptionsDynsslcert Dynamic SSL certificates]
* [https://github.com/zaproxy/zap-core-help/wiki/SmartCards Smartcard and Client Digital Certificates support]
* [https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsWebsocketIntroduction Web sockets] support
* [https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsScriptsScripts Support for a wide range of scripting languages]
* [https://github.com/zaproxy/zap-core-help/wiki//HelpAddonsPlugnhackPlugnhack Plug-n-Hack support]
* Authentication and session support
* [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsApi Powerful REST based API]
* Automatic updating option
* [https://github.com/zaproxy/zap-extensions/wiki Integrated and growing marketplace of add-ons]

</div>
= Features =
[[Image:zap128x128.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
'''Some of ZAP's features:'''

* [http://www.apache.org/licenses/LICENSE-2.0 Open source]
* Cross platform (it even runs on a [https://github.com/zaproxy/zaproxy/wiki/zappi Raspberry Pi!])
* Easy to install (using a [https://www.ej-technologies.com/products/install4j/overview.html multi-platform installer builder])
* Completely free (no paid for 'Pro' version)
* Ease of use a priority
* [https://github.com/zaproxy/zap-core-help/wiki/HelpIntro Comprehensive help pages]
* Fully internationalized
* Translated into over 20 languages
* Community based, with involvement actively encouraged
* Under active development by an international team of volunteers

ZAP is a fork of the well regarded [http://www.parosproxy.org/ Paros Proxy].

</div>

= Languages =
[[Image:zap128x128.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

'''ZAP supports the following languages:'''

* English
* Arabic
* Bosnian
* Brazilian Portuguese
* Chinese
* Danish
* Filipino
* French
* German
* Greek
* Hungarian
* Indonesian
* Italian
* Japanese
* Korean
* Persian
* Polish
* Russian
* Sinhala
* Spanish
* Urdu

You can use [http://crowdin.net/project/owasp-zap Crowdin] to help improve these translations or add new ones right now!

</div>

= Roadmap =
[[Image:zap128x128.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

==Release 2.6.0==
ZAP 2.6.0 has been released, this is a bug fix and enhancement release

For more details see https://github.com/zaproxy/zap-core-help/wiki/HelpReleases2_6_0

==Release 2.7.0==
ZAP 2.7.0 has been released (Nov 2017), this is a bug fix and enhancement release

For more details see https://github.com/zaproxy/zap-core-help/wiki/HelpReleases2_7_0

It requires Java 8 (minimum) and supports Selenium 3.

==Release 2.8.0==
ZAP 2.8.0 does not yet have a planned release date, but is likely to be around the beginning of 2018 or (more likely) the middle of 2018.
</div>

= Get Involved =
[[Image:zap128x128.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

Involvement in the development of ZAP is actively encouraged!

You do not have to be a security expert in order to contribute.

Some of the ways you can help:

==Feature Requests==

Please raise new feature requests as enhancement requests here: https://github.com/zaproxy/zaproxy/issues

If there are existing requests you are also interested in then please 'star' them - that way we can see which features people are most interested in and can prioritize them accordingly.

==Feedback==

Please use the [http://groups.google.com/group/zaproxy-users zaproxy-users Google Group] for feedback:
* What do like?
* What don't you like?
* What features could be made easier to use?
* How could the help pages be improved?

==Log issues==

Have you had a problem using ZAP?

If so and its not already been logged then please [https://github.com/zaproxy/zaproxy/issues report it]

==Localization==

Are you fluent in another language? Can you help translate ZAP into that language?

You can use [http://crowdin.net/project/owasp-zap Crowdin] to do that!

==Development==

If you fancy having a go at adding functionality to ZAP then please get in touch via the [http://groups.google.com/group/zaproxy-develop zaproxy-develop Google Group].

Again, you do not have to be a security expert to contribute code - working on ZAP could be great way to learn more about web application security!

If you actively contribute to ZAP then you will be invited to join the project.

</div>

__NOTOC__ <headertabs></headertabs>

[[Category:OWASP Project|Zed Attack Proxy Project]]
[[Category:OWASP_Tool]]
[[Category:OWASP Release Quality Tool|OWASP Release Quality Tool]]
[[Category:OWASP_Download]]
[[Category:Popular]]
[[Category:SAMM-ST-2]]
[[Category:Flagship Projects|Zap]]
[[Category:OWASP Zed Attack Proxy|Zap]]

OWASP Vulnerable Web Applications Directory Project

2018-04-23T14:05:56Z

Psiinon: Corrected broken interview link

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |

==OWASP Vulnerable Web Applications Directory Project==

The OWASP Vulnerable Web Applications Directory Project (VWAD) is a comprehensive and well maintained registry of all known vulnerable web applications currently available for legal security and vulnerability testing of various kinds.

==Introduction==

Select from the above tabs to view all of the:
* On-Line applications
* Off-Line applications
* Virtual Machines and ISO images

==Description==

The OWASP Vulnerable Web Applications Directory (VWAD) Project is a comprehensive and well maintained registry of all known vulnerable web applications currently available. These vulnerable web applications can be used by web developers, security auditors and penetration testers to put in practice their knowledge and skills during training sessions (and especially afterwards), as well as to test at any time the multiple hacking tools and offensive techniques available, in preparation for their next real-world engagement.

The main goal of VWAD is to provide a list of vulnerable web applications available to security professionals for hacking and offensive activities, so that they can attack realistic web environments... without going to jail :)

The vulnerable web applications have been classified in three categories: On-Line, Off-Line, and VMs/ISOs. Each list has been ordered alphabetically.

An initial list that inspired this project was maintained till October 2013 at: http://blog.taddong.com/2011/10/hacking-vulnerable-web-applications.html.

A brief description of the OWASP VWAD project is available at: http://blog.dinosec.com/2013/11/owasp-vulnerable-web-applications.html.

The associated GitHub repository is available at: https://github.com/OWASP/OWASP-VWAD.

==Licensing==
OWASP Vulnerable Web Applications Directory Projects is free to use. It is licensed under the Apache 2.0 License, so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially.

| style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |

== What is VWAD? ==

OWASP VWAD provides:

* A list of all known vulnerable web applications.

== Presentation ==

Interview with [https://soundcloud.com/trustedsoftwarealliance/simon-bennetts-web Simon Bennetts – The OWASP Web Applications Vulnerability Project] .

== Project Leaders ==

*[mailto:raul@raulsiles.com Raul Siles]
*[[User:Simon Bennetts|Simon Bennetts]]

== Related Projects ==

* N/A

== Open Hub ==

*https://www.openhub.net/p/OWASP-VWAD

| style="padding-left:25px;width:200px;" valign="top" |

== Quick Download ==

* N/A - The project is self contained on the wiki.
* GitHub repository - https://github.com/OWASP/OWASP-VWAD

== News and Events ==
* [16 Oct 2013] Project created.

== In Print ==
N/A

==Classifications==

{| width="200" cellpadding="2"
|-
| rowspan="2" width="50%" valign="top" align="center" | [[File:Owasp-incubator-trans-85.png|link=:Category:OWASP_Project#tab=Terminology]]
| width="50%" valign="top" align="center" | [[File:Owasp-builders-small.png|link=Builders]]
|-
| width="50%" valign="top" align="center" | [[File:Owasp-breakers-small.png|link=Breakers]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

=On-Line apps=

{{:OWASP_Vulnerable_Web_Applications_Directory_Project/Pages/Online | Online}}

Please note that the [https://www.owasp.org/index.php/OWASP_Vulnerable_Web_Applications_Directory_Project/Pages/Online source page] for this tab is automatically generated via the [https://github.com/OWASP/OWASP-VWAD VWAD github project].

You can either edit that page directly or submit a pull request.

= Off-Line apps =

Vulnerable applications that have to be downloaded and used locally:

{{:OWASP_Vulnerable_Web_Applications_Directory_Project/Pages/Offline | Offline}}

Please note that the [https://www.owasp.org/index.php/OWASP_Vulnerable_Web_Applications_Directory_Project/Pages/Offline source page] for this tab is automatically generated via the [https://github.com/OWASP/OWASP-VWAD VWAD github project].

You can either edit that page directly or submit a pull request.

The following apps are quite old and appear not to be maintained - as such they are probably less useful.

{{:OWASP_Vulnerable_Web_Applications_Directory_Project/Pages/OfflineOld | OfflineOld}}

Please note that the [https://www.owasp.org/index.php/OWASP_Vulnerable_Web_Applications_Directory_Project/Pages/OfflineOld source page] for this tab is automatically generated via the [https://github.com/OWASP/OWASP-VWAD VWAD github project].

You can either edit that page directly or submit a pull request.

= Virtual Machines or ISOs =

VMs which contain multiple vulnerable applications:

{{:OWASP_Vulnerable_Web_Applications_Directory_Project/Pages/VMs | VMs}}

Please note that the [https://www.owasp.org/index.php/OWASP_Vulnerable_Web_Applications_Directory_Project/Pages/VMs source page] for this tab is automatically generated via the [https://github.com/OWASP/OWASP-VWAD VWAD github project].

You can either edit that page directly or submit a pull request.

Please add any new apps in alphabetic order, correct mistakes or just comment on this page if you dont have write access to this wiki.

The following apps are quite old and appear not to be maintained - as such they are probably less useful.

{{:OWASP_Vulnerable_Web_Applications_Directory_Project/Pages/VMsOld | VMsOld}}

Please note that the [https://www.owasp.org/index.php/OWASP_Vulnerable_Web_Applications_Directory_Project/Pages/VMsOld source page] for this tab is automatically generated via the [https://github.com/OWASP/OWASP-VWAD VWAD github project].

You can either edit that page directly or submit a pull request.

= Acknowledgements =
==Volunteers==
VWAD is developed by a worldwide team of volunteers. The primary contributors to date have been:

*[mailto:raul@raulsiles.com Raul Siles]
*[[User:Simon Bennetts|Simon Bennetts]]

==Others==
* [mailto:achim@owasp.org Achim Hoffmann]
* [[User:Zakiakhmad|Zaki Akhmad]]

==On-line resources used==
* [http://blog.taddong.com/2011/10/hacking-vulnerable-web-applications.html Hacking Vulnerable Web Applications Without Going To Jail]
* [http://securitythoughts.wordpress.com/2010/03/22/vulnerable-web-applications-for-learning/ Vulnerable Web Applications for learning]
* [http://code.google.com/p/owaspbwa/wiki/UserGuide OWASP BWA User Guide]

==Other vulnerable web-app compilations==
* [http://www.amanhardikar.com/mindmaps/Practice.html Penetration Testing Practice Labs - Vulnerable Apps/Systems]

= Road Map and Getting Involved =
As of March 5, 2014, all known Vulnerable Web Applications have been included.

Going forward the plan is to:
* Keep publicising
* Keep up to date with any new apps released or updated
* Review every 6 months to see if it could be improved in any way

Involvement in the development and promotion of the OWASP Vulnerable Web Applications Directory Project is actively encouraged!

You do not have to be a security expert in order to contribute.

Some of the ways you can help:
* Update the wiki with any missing apps
* Send pull requests to https://github.com/OWASP/OWASP-VWAD

=Project About=
{{:Projects/OWASP_Vulnerable_Web_Applications_Directory_Project}}

__NOTOC__ <headertabs />

[[Category:OWASP Project]]
[[Category:OWASP_Builders]]
[[Category:OWASP_Breakers]]
[[Category:OWASP_Document]]

Reverse Tabnapping

2018-02-20T12:19:25Z

Psiinon: Blanked the page

Reverse Tabnabbing

2018-02-20T12:18:37Z

Psiinon: First version

{{Template:Attack}}

Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''

==Description==

Reverse tabnabbing is an attack where a page linked from the target page is able to rewrite that page, for example to replace it with a phishing site. As the user was originally on the correct page they are less likely to notice that it has been changed to a phishing site, especially it the site looks the same as the target. If the user authenticates to this new page then their credentials (or other sensitive data) are sent to the phishing site rather than the legitimate one.

As well as the target site being able to overwrite the target page, any http link can be spoofed to overwrite the target page if the user is on an unsecured network, for example a public wifi hotspot. The attack is possible even if the target site is only available via https as the attacker only needs to spoof the http site that is being linked to.

The attack is typically only possible when the target site uses a "_blank" target attribute in the link and does not include any of the preventative measures detailed below.

==Examples==

Vulnerable page:

<pre>
<html><body>
<li><a href = "bad.example.com" target="_blank">vulnerable target</a>
</body></html>
</pre>

Malicious site that is linked to:

<pre>
<html><body>
<script>
if (window.opener) {
window.opener.location = "https://phish.example.com";
}
</script>
</body>
</pre>
When a user clicks on the ‘vulnerable target’ then the 'malicious' site is opened in a new tab (as expected) but the target site in the original tab is replaced by the phishing site.

==Prevention==

Any of the following options will prevent reverse tabnabbing:
* Do not use target="_blank" in a link
* Add the link attribute rel="noopener", rel="noreferrer" or rel="noopener noreferrer"

==References==

* https://dev.to/ben/the-targetblank-vulnerability-by-example - The target="_blank" vulnerability by example
* https://mathiasbynens.github.io/rel-noopener/ - About rel=noopener
* https://medium.com/@jitbit/target-blank-the-most-underestimated-vulnerability-ever-96e328301f4c - Target="_blank" — the most underestimated vulnerability ever

__NOTOC__

[[Category:Attack]]

Reverse Tabnapping

2018-02-20T12:09:49Z

Psiinon: first version of this page

{{Template:Attack}}

Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''

==Description==

Reverse tabnapping is an attack where a page linked from the target page is able to rewrite that page, for example to replace it with a phishing site. As the user was originally on the correct page they are less likely to notice that it has been changed to a phishing site, especially it the site looks the same as the target. If the user authenticates to this new page then their credentials (or other sensitive data) are sent to the phishing site rather than the legitimate one.

As well as the target site being able to overwrite the target page, any http link can be spoofed to overwrite the target page if the user is on an unsecured network, for example a public wifi hotspot. The attack is possible even if the target site is only available via https as the attacker only needs to spoof the http site that is being linked to.

The attack is typically only possible when the target site uses a "_blank" target attribute in the link and does not include any of the preventative measures detailed below.

==Examples==

Vulnerable page:

<pre>
<html><body>
<li><a href = "bad.example.com" target="_blank">vulnerable target</a>
</body></html>
</pre>

Malicious site that is linked to:

<pre>
<html><body>
<script>
if (window.opener) {
window.opener.location = "https://phish.example.com";
}
</script>
</body>
</pre>
When a user clicks on the ‘vulnerable target’ then the 'malicious' site is opened in a new tab (as expected) but the target site in the original tab is replaced by the phishing site.

==Prevention==

Any of the following options will prevent reverse tabnabbing:
* Do not use target="_blank" in a link
* Add the link attribute rel="noopener", rel="noreferrer" or rel="noopener noreferrer"

==References==

* https://dev.to/ben/the-targetblank-vulnerability-by-example - The target="_blank" vulnerability by example
* https://mathiasbynens.github.io/rel-noopener/ - About rel=noopener
* https://medium.com/@jitbit/target-blank-the-most-underestimated-vulnerability-ever-96e328301f4c - Target="_blank" — the most underestimated vulnerability ever

__NOTOC__

[[Category:Attack]]

GSOC2018 Ideas

2018-01-17T14:42:47Z

Psiinon: Added Active Scanning Websockets

=OWASP Project Requests=

'''Tips to get you started in no particular order:'''
'''* Read [https://developers.google.com/open-source/gsoc/ Google Summer of Code Program(GSOC)]'''
'''* Read the [[GSoC SAT]] '''
* Read the [https://www.owasp.org/index.php/GSoC GSOC Student Guidelines]
* Contact us through the mailing list or irc channel.
* Check our [https://github.com/OWASP github organization]
==OWASP ZAP==
[[OWASP Zed Attack Proxy Project]] (ZAP) The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers. Previous GSoC students have implemented key parts of the ZAP core functionality and have been offered (and accepted) jobs based on their work on ZAP.

We have just included a few of the ideas we have here, for a more complete list see the issues on the ZAP bug tracker with the [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3Aproject project] label.
===Active Scanning WebSockets===
'''Brief Explanation:'''

ZAP has good support for websockets, and allows them to be intercepted, changed and fuzzed. Unfortunately it doesnt current support active scanning (automated attacking) of websockets.

We would like to add active scanning support to websockets, ideally in a generic way which would allow us to reuse as many of our existing rules as are relevant. Adding additional websocket specific attacks would also be very useful.

'''Expected Results:'''
* An plugable infrastructure that allows us to active scan websockets
* Converting the relevant existing scan rules to work with websockets
* Implementing new websocket specific scan rules

''' Getting started: '''

* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].

'''Knowledge Prerequisites:'''
* ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team

=== React Handling ===
'''Brief Explanation:'''

ZAP doesnt understand React applications as well as it should be able to.

It would be great if ZAP had a much better understanding of such applications, including how to explore and attack them more effectively.

'''Expected Results:'''
* ZAP able to explore React applications more effectively
* ZAP able to attack React applications more effectively

''' Getting started: '''

* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].

'''Knowledge Prerequisites:'''
* As React is written in JavaScript, good knowledge of this language is recommended. ZAP is written in Java, so some knowledge of this language would be useful. Some knowledge of application security would be useful, but not essential.
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team

=== Automated authentication detection and configuration ===
'''Brief Explanation:'''

Currently a user must manually configure ZAP to handle authentication, eg as per <nowiki>https://github.com/zaproxy/zaproxy/wiki/FAQformauth</nowiki>

This is time consuming and error prone.

Ideally ZAP would help detect login and registration pages and provide more assistance when configuring authentication, ideally being able to completely automate the task for as many sort of webapps as possible.

'''Expected Results:'''
* Detect login and registration pages
* Provide a wizard to walk users through the process of setting up authentication, with as much assistance as possible
* An option to completely automate the authentication process, for as many authentication mechanisms as possible

''' Getting started: '''

* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].

'''Knowledge Prerequisites:'''
* ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team

=== Zest Text Representation and Parser ===
'''Brief Explanation:'''

Zest is a graphical scripting language from the Mozilla Security team, and is used as the ZAP macro language.

A standardized text representation and parser would be very useful and help its adoption.

'''Expected Results:'''
* A documented definition of a text representation for Zest
* A parser that converts the text representation into a working Zest script
* An option in the Zest java implementation to output Zest scripts text format

''' Getting started: '''

* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].

'''Knowledge Prerequisites:'''
* The Zest reference implementation is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team

=== Develop Bamboo Addon ===
'''Brief Explanation:'''

It would be great to have an official ZAP add-on for [https://www.atlassian.com/software/bamboo Bamboo], equivalent to the one we now have for [https://wiki.jenkins.io/display/JENKINS/zap+plugin Jenkins]

For more information about Bamboo plugins see the [https://developer.atlassian.com/server/bamboo/bamboo-plugin-guide/ Bamboo plugin guide].

'''Expected Results:'''

A Bamboo addon that supports:
* Spidering (using the traditional and Ajax spiders)
* Active Scanning
* Authentication

''' Getting started: '''

* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].

'''Knowledge Prerequisites:'''
* ZAP and Bamboo are written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team

=== Your Idea ===
'''Brief Explanation:'''

ZAP is a great framework for building new and innovative security testing solutions. If you have an idea that is not on this list then don't worry, you can still submit it, we have accepted original projects in previous years and have even paid a student to work on their idea when we did not get enough GSoC slots to accept all of the projects we wanted.

'''Expected Results:'''
* A new feature that makes ZAP even better
* Code that conforms to our Development Rules and Guidelines

''' Getting started: '''

* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].

'''Knowledge Prerequisites:'''
* ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team

== OWASP Juice Shop ==

[[OWASP Juice Shop Project]] is an intentionally insecure webapp for security trainings written entirely in Javascript which encompasses the entire OWASP Top Ten and other severe security flaws. Juice Shop is written in Node.js, Express and AngularJS. The application contains more than 30 challenges of varying difficulty where the user is supposed to exploit the underlying vulnerabilities. Apart from the hacker and awareness training use case, pentesting proxies or security scanners can use Juice Shop as a "guinea pig"-application to check how well their tools cope with Javascript-heavy application frontends and REST APIs.

=== Challenge Pack 2018 ===

'''Brief Explanation:'''

Ideas for potential new hacking challenges are collected in [https://github.com/bkimminich/juice-shop/issues?q=is%3Aissue+is%3Aopen+label%3Achallenge GitHub issues labeled "challenge"]. This project could implement a whole bunch of challenges one by one and release them over the course of several small releases. This would allow the student to work in a professional Continuous Delivery kind of way while bringing benefit to the Juice Shop over the duration of the project.

Coming up with additional ideas for challenges would be part of the project scope, as the list of pre-existing ideas might not be sufficient for a GSoC project.

'''Expected Results:'''
* 10 or more new challenges for OWASP Juice Shop (including required functional enhancements to place the challenges in, e.g. the [https://github.com/bkimminich/juice-shop/issues/244 Order Dashboard] user story])
* Each challenge comes with full functional unit and integration tests
* Each challenge is verified to be exploitable by corresponding end-to-end tests
* Hint and solution sections for each new challenge are added to the "Pwning OWASP Juice Shop" ebook
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.

''' Getting started: '''
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services

'''Knowledge Prerequisites:'''
* Javascript, Unit/Integration testing, experience with (or willingness to learn) AngularJS (1.x) and NodeJS/Express, some security knowledge would be preferable.

'''Mentors:'''
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader
* [[User:Timo Pagel|Timo Pagel]] - OWASP Juice Shop Project Collaborator
* Jannik Hollenbach - OWASP Juice Shop Project Collaborator

=== Frontend Technology Update ===

'''Brief Explanation:'''

Development of OWASP Juice Shop started in 2014 and was based on - back then - quite recent Javascript frontend framework AngularJS 1.x along with Bootstrap 3. Several major releases later, there now are [https://github.com/bkimminich/juice-shop/issues/165 Angular 5] and [https://github.com/bkimminich/juice-shop/issues/400 Bootstrap 4] available as well as other mature web frontend frameworks. Migrating the OWASP Juice Shop to the latest version of Angular and Bootstrap is an important step to keep the application relevant as ''the most modern'' intentionally broken web application. Moving to entirely different frameworks might be taken into considerationas well.

'''Expected Results:'''
* High-level target client-architecture overview including a migration plan with intermediary milestones
* Execution of migration without breaking functionality or losing tests along the way
* Code follows existing (or new) styleguides and passes all existing (or new) quality gates regarding code smells, test coverage etc.

''' Getting started: '''
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services

'''Knowledge Prerequisites:'''
* Javascript, experience with latest Javascript frameworks for frontend, testing and building

'''Mentors:'''
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader
* Jannik Hollenbach - OWASP Juice Shop Project Collaborator

=== UI/Graphics Design Update ===

'''Brief Explanation:'''

The UI of OWASP Juice Shop was written following recommendations from Twitter Bootstrap to be responsive, but it never had an actual designer or graphics artist take a look or add some insight. Currently the look & feel comes "out of the box" from a [https://bootswatch.com Bootswatch] theme and [https://fontawesome.com Font Awesome 5] icons. This gives it a quite modern look, but also leaves it very generic. The project could greatly benefit from involvement of someone with actual UI/UX Design expertise. Having a matching theme for [https://ctfd.io CTFd] would be another big achievement for the Juice Shop.

'''Expected Results:'''
* Design concepts to pick or have the user community vote on (including color schemes, sample screens, icons etc.)
* Overhauling the overall UI look & feel, e.g. by making an individual Bootswatch theme or designing some individual icons
* Getting rid of the stock images by providing individually designed product images for the standard inventory of the shop
* Add more flexibility and options to the existing theming/customization of the UI (see [https://github.com/bkimminich/juice-shop/issues/379 #379])
* Design a [https://github.com/bkimminich/juice-shop-ctf/issues/9 "Juice Shop" CTFd-theme] playing well with the look & feel of the application
* Execution of migration without breaking functionality or client-side unit and end-to-end tests along the way

''' Getting started: '''
* Get familiar with the existing HTML views and CSS of the frontend
* Get a feeling for the high quality bar by inspecting the existing client-side unit and e2e test suites

'''Knowledge Prerequisites:'''
* Strong web and graphic design experience
* Sophisticated HTML and CSS experience

'''Mentors:'''
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader
* [[User:Timo Pagel|Timo Pagel]] - OWASP Juice Shop Project Collaborator
* Jannik Hollenbach - OWASP Juice Shop Project Collaborator

=== Your idea ===

'''Brief Explanation:'''

You have an awesome idea to improve OWASP Juice Shop that is not on this list? Great, please submit it!

''' Getting started '''
* Get in touch with [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich]

'''Expected Results:'''
* A new feature that makes OWASP Juice Shop even better
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.

'''Knowledge Prerequisites:'''
* Javascript, Unit/Integration testing, experience with (or willingness to learn) AngularJS and NodeJS/Express, some security knowledge would be preferable.

'''Mentors:'''
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader

==OWASP Security Knowledge Framework==
===Brief Explanation===
The OWASP Security Knowledge Framework is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. Education is the first step in the Secure Software Development Lifecycle. This software can be run on Windows/Linux/OSX using python-flask.

'''In a nutshell'''

- Training developers in writing secure code

- Security support pre-development ( Security by design, early feedback of possible security issues )

- Security support post-development ( Double check your code by means of the OWASP ASVS checklists )

- Code examples for secure coding
===Your idea / Getting started===
*Please send an email to riccardo.ten.cate@owasp.org [riccardo.ten.cate@owasp.org] or glenn.ten.cate@owasp.org [glenn.ten.cate@owasp.org] and we would love to tell you all about it! :-)
===Expected Results===
*Adding features to SKF project
**https://github.com/blabla1337/skf-flask/issues/369
**https://github.com/blabla1337/skf-flask/issues/367
**https://github.com/blabla1337/skf-flask/issues/68
**https://github.com/blabla1337/skf-flask/issues/95
*Adding/updating code examples ( PHP, Java, .NET, Go, Python, NodeJS and more )
*Adding/updating knowledge base items
*Adding CWE references to knowledgebase items
**https://github.com/blabla1337/skf-flask/issues/35
*Improve unit testing of the Angular quality, currently only 68% of the front-end is unit tested automated
**https://github.com/blabla1337/skf-flask/issues/352
===Knowledge Prerequisites===
*For helping in the development of new features and functions you need Python flask and for the frond-end we use Angular 4.0
*For writing knowledgebase items only technical knowledge of application security is required
*For writing / updating code examples you need to know a programming language along with secure development.
*For writing the verification guide you need some penetration testing experience.
'''Mentors:'''

Riccardo ten Cate [mailto:riccardo.ten.cate@owasp.org] Glenn ten Cate [mailto:glenn.ten.cate@owasp.org]

==OWASP Nettacker==
===Brief Explanation===
OWASP Nettacker project is created to automate information gathering, vulnerability scanning and eventually generating a report for networks, including services, bugs, vulnerabilities, misconfigurations, and other information. This software will utilize TCP SYN, ACK, ICMP and many other protocols in order to detect and bypass Firewall/IDS/IPS devices. By leveraging a unique method in OWASP Nettacker for discovering protected services and devices such as SCADA. It would make a competitive edge compared to other scanner making it one of the bests.

if you need more details please visit the [https://github.com/viraintel/OWASP-Nettacker GitHub page] or contact a leader([mailto:ali.razmjoo@owasp.org Ali Razmjoo Qalaei], [mailto:reza.espargham@owasp.org Reza Espargham]).

===Getting started===

* You may read the available documents in the [https://github.com/viraintel/OWASP-Nettacker/wiki wiki page]. Developers and users documents are separated.

'''A Better Penetration Testing Automated Framework'''

===Expected Results===
The expected results are to contribute the OWASP Nettacker framework [https://github.com/viraintel/OWASP-Nettacker/issues issues] (mostly help wanted or enhancement). Please check the GitHub repo to learn more.

===Knowledge Prerequisites===

* The whole framework was written in Python language. You must be familiar with Python 2.x, 3.x.
* Good knowledge of computer security (and penetration testing)
* Knowledge of OS (Linux, Windows, Mac...) and Services
* Familiar with IDS/IPS/Firewalls and ...
* To develop the API you should be familiar with HTTP, Database...

===Mentors===
Mentors are: [mailto:ali.razmjoo@owasp.org Ali Razmjoo Qalaei], [mailto:abiusx@owasp.org Abbas Naderi Afooshteh]

==OWASP OWTF==
'''[https://github.com/owtf/owtf Offensive Web Testing Framework (OWTF)]''' is a project focused on penetration testing efficiency and alignment of security tests to security standards like the OWASP Testing Guide (v3 and v4), the OWASP Top 10, PTES and NIST. Most of the ideas below focus on rewrite of some major components of OWTF to make it more modular. OWTF is moving to a fresh codebase with a fully Docker testing and deployment environment. If you want to get a jumpstart, check out https://github.com/owtf/owtf/tree/new-arch.
===OWASP OWTF - MiTM proxy interception and replay capabilities===
'''Brief Explanation:'''

The OWTF man-in-the-middle proxy is written completely in Python (based on the excellent Tornado framework) and was benchmarked to be the fastest MiTM python proxy. However it lacks the useful and much need interception and replay capabilities of mitmproxy (https://github.com/mitmproxy/mitmproxy).

The current implementation of the MiTM proxy serves its purpose very well. Its fast but its not extensible. There are a number of good use cases for being extensible
*ability to intercept the transactions
*modify or replay transaction on the fly
*add additional capabilities to the proxy (such as session marking/changing) without polluting the main proxy code
Bonus:
*Design and implement a proxy plugin (middleware) architecture so that the plugins can be defined separately and the user can choose what plugins to include dynamically (from the web interface).
*Replace the current Requester (based on urllib, urllib2) with a more robust Requester based on the new urllib3 with support for a real headless browser factory. The typical flow when requested for an authenticated browser instance (using PhantomJS)

*The "Requester" module checks if there is any login parameters provided (i.e form-based or script - look at https://github.com/owtf/login-sessions-plugin)
*Create a browser instance and do the necessary login procedure
*Handle the browser for the URI
*When called to close the browser, do a clean logout and kill the browser instance.
'''Expected results:'''
*'''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''
*'''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''
*'''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''
*CRITICAL: Excellent reliability
*Good performance
*Unit tests / Functional tests
*Good documentation
'''Knowledge Prerequisite:''' Python proficiency, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn.

'''OWASP OWTF Mentors:''' Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia][mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] OWASP OWTF Project Leaders
===OWASP OWTF - Web interface enhancements===
'''Brief explanation:'''

The current web interface is a mixture of Tornado Jinja templates and ReactJS. A complete UI change to a stable ReactJS-based interface should be the deliverable for this project. Most of the hard part for the change has already been done and added in a separate branch at https://github.com/owtf/owtf/tree/ui-break.

For background on OWASP OWTF please see: https://www.owasp.org/index.php/OWASP_OWTF

'''Expected results:'''
*'''IMPORTANT:Clean, maintainable (ES6 compatible and using recommended design patterns) React (JavaScript) code. ([https://github.com/getsentry/zeus/tree/master/webapp This] is a good example!)'''
*'''IMPORTANT: Thoroughly documented code along with API examples and example future components.'''
*'''CRITICAL''': Excellent reliability and performance.
*Unit tests / Functional tests and easy to setup testing environment (preferably automated).
'''Knowledge Prerequisite:''' Python (reading API source code and endpoints), React.JS (high proficiency) and general JavaScript proficiency.

'''OWASP OWTF Mentors:''' Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia][mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] OWASP OWTF Project Leaders
===OWASP OWTF - New plugin architecture===
'''Brief explanation:'''

The current plugin system is not very useful and it is painful to browse many plugins. Most of the plugins do have much code and most of is repeated - much refactoring needed there.

This issue is documented in detail at https://github.com/owtf/owtf/issues/905.

For background on OWASP OWTF please see: https://www.owasp.org/index.php/OWASP_OWTF

'''Expected results:'''
*'''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''
*'''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''
*'''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''
*CRITICAL: Excellent reliability
*Good performance
*Unit tests / Functional tests
*Good documentation

== OWASP CSRF Protector ==
[[CSRFProtector Project|OWASP CSRF Protector Project]] is a project started with the goal to help developer to mitigate CSRF in web applications with ease. It's based on [[Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet|Synchronizer Token Pattern]] and leverages an injected java-script code to provide CSRF mitigation without much developer intervention. So far it has been implemented as a [https://github.com/mebjas/CSRF-Protector-PHP PHP Library] and an [[CSRFProtector Project|Apache 2.2.x module]]. Although different libraries and frameworks provide CSRF mitigation these days - all of them require developer to explicitly inject tokens with every form.
===OWASP CSRF Protector - Extending the design as a python package to work with Flask and an Express JS (Node.JS) middleware===
'''Brief explanation:'''

The design of CSRF Protector involves a server side middle-ware that intercepts every incoming request and validates them for CSRF attacks. If the validation is successful the flow of control goes to business logic and the tokens are refreshed. In case of failed validation configured actions are taken. Post that, another middle ware takes care of injecting a JavaScript code (refer [https://github.com/mebjas/CSRF-Protector-PHP/blob/master/js/csrfprotector.js CSRF Protector PHP JS Code]) to HTML output. On the client side this code ensures that, for every request that require validation - the correct token is sent along with the request.

Check [https://github.com/mebjas/CSRF-Protector-PHP/wiki GitHub Wiki] for some reference;

The goal of this project would be to:
# Port this design to a python module that can be used easily with Flask - [https://github.com/mebjas/CSRF-Protector-py/projects/1?add_cards_query=is%3Aopen Kanban Board]
# Port this design to a node js module that can work well with express js (a popular Node.JS based framework). - [https://github.com/mebjas/CSRF-Protector-JS Initial Repo Link]
# Fix some outstanding issues with java-script code used in library: [https://github.com/mebjas/CSRF-Protector-PHP/issues?q=is%3Aopen+is%3Aissue+label%3AJS Issues]
'''Expected results:'''
*'''IMPORTANT: Clean, maintainable (ES6 compatible and using recommended design patterns) in case of Node.JS'''
*'''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''
*'''IMPORTANT: Thoroughly documented code along with API examples and example future components.'''
*'''CRITICAL''': Excellent reliability and performance.
*Unit tests / Functional tests and easy to setup testing environment (preferably automated).
'''Knowledge Prerequisite:''' Javascript (Client Side), Python (having worked with flask preferable), Node.JS (having worked with node.js and middle wares preferable)

'''Mentors:''' Contact: [mailto:minhaz@owasp.org;minhazv@microsoft.com Minhaz A V]

GSOC2018 Ideas

2018-01-12T10:56:20Z

2017-01-20T09:26:27Z

Psiinon:

=OWASP Project Requests=

'''Tips to get you started in no particular order:'''
* Read the [[GSoC SAT]]
* Check the Hackademic wiki page linked above
* Contact us through the mailing list or irc channel.
* Check our [https://github.com/Hackademic/hackademic github repository] and especially the [https://github.com/Hackademic/hackademic/issues open tickets]

== OWASP Juice Shop ==

[[OWASP Juice Shop Project]] is an intentionally insecure webapp for security trainings written entirely in Javascript which encompasses the entire OWASP Top Ten and other severe security flaws. Juice Shop is written in Node.js, Express and AngularJS. The application contains more than 30 challenges of varying difficulty where the user is supposed to exploit the underlying vulnerabilities. Apart from the hacker and awareness training use case, pentesting proxies or security scanners can use Juice Shop as a "guinea pig"-application to check how well their tools cope with Javascript-heavy application frontends and REST APIs.

=== Challenge Pack 2017 ===

'''Brief Explanation:'''

Ideas for potential new hacking challenges are collected in [https://github.com/bkimminich/juice-shop/issues?q=is%3Aissue+is%3Aopen+label%3Achallenge GitHub issues labeled "challenge"]. This project could implement a whole bunch of challenges one by one and release them over the course of several small releases. This would allow the student to work in a professional Continuous Delivery kind of way while bringing benefit to the Juice Shop over the duration of the project.

Coming up with additional ideas for challenges would be part of the project scope, as the list of pre-existing ideas might not be sufficient for a GSoC project.

'''Expected Results:'''
* 10 or more new challenges for OWASP Juice Shop (including required functional enhancements to place the challenges in, e.g. the [https://github.com/bkimminich/juice-shop/issues/244 Order Dashboard] and [https://github.com/bkimminich/juice-shop/issues/243 Pomace Recycling user stories])
* Each challenge comes with full functional unit and integration tests
* Each challenge is verified to be exploitable by corresponding end-to-end tests
* Hint and solution sections for each new challenge are added to the "Pwning OWASP Juice Shop" ebook

''' Getting started: '''
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services

'''Knowledge Prerequisites:'''
Javascript, Test Driven Development, experience with (or willingness to learn) AngularJS (1.x) and NodeJS/Express, some security knowledge would be preferable.

'''Mentors:'''
* [mailto:bjoern.kimminich@owasp.org Bjoern Kimminich] - OWASP Juice Shop Project Leader

=== Tech Stack Update ===

'''Brief Explanation:'''
t.b.d.

'''Expected Results:'''
t.b.d.

''' Getting started: '''
t.b.d.

'''Knowledge Prerequisites:'''
t.b.d.

'''Mentors:'''
t.b.d.

== OWASP Mobile Hacking Playground ==

The OWASP Mobile Hacking Playground (https://github.com/OWASP/OMTG-Hacking-Playground) is part of the OWASP Mobile universe, which consists at the moment of the following projects:

* Mobile Application Security Verification (MASVS). The MASVS is a list of security requirements for mobile applications that can be used by architects, developers, testers, security professionals, and consumers to define what a secure mobile application is. (https://github.com/OWASP/owasp-masvs)
* Mobile Security Testing Guide (MSTG). The OWASP MSTG is a comprehensive manual for testing the security of mobile apps. It describes technical processes for verifying the controls listed in the OWASP Mobile Application Verification Standard (MASVS). The MSTG is meant to provide a baseline set of test cases for dynamic and static security tests, and to help ensure completeness and consistency of the tests. (https://github.com/OWASP/owasp-mstg)

In order to give also practical guidance to developers, security researches and penetration testers of mobile Apps, a hacking playground was created with the goal to create different mobile App’s that contain different vulnerabilities that map to the MSTG test cases. Every test case described in the MSTG will therefore be implemented in an Android and iOS App. This has two advantages:

* A developer can identify vulnerable code in the provided App’s and can see the implications and risks if such patterns are used and can look for the best practices in the MSTG to mitigate the vulnerabilities.
* Penetration testers / security researchers can identify bad practices, dangerous methods and classes they should look for when assessing a Mobile App and can gain more knowledge through the information provided in the OMTG.

It is also encouraged to use the App(s) for education purpose during trainings and workshops.

=== Creation of Android Code Samples ===

'''Brief Explanation:'''

An Android App that maps to the MSTG test cases is already created. This App contains mostly test cases that are related to data storage on an Android device. In order to close the gap to the MSTG more test cases need to be added that show "bad practices" that lead to vulnerabilites, but also the latest security best practices to demonstrate how vulnerabilites can be mitigated.

For examples of implemented test cases, see the Wiki of the Mobile Hacking Playground: https://github.com/OWASP/OMTG-Hacking-Playground/wiki/Android-App

'''Expected Results:'''

The following categories and their test cases are not fully added to the Android App:

* Cryptography (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x08-V3-Cryptography_Verification_Requirements.md)
* Authentication and Session Management (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x09-V4-Authentication_and_Session_Management%20Requirements.md)
* Network Communication (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x10-V5-Network_communication_requirements.md)
* Environmental Interaction (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x11-V6-Interaction_with_the_environment.md)
* Code Quality (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x12-V7-Code_quality_and_build_setting_requirements.md)

For some of the testcases this also includes creating an endpoint on server side in order to fully understand the test case and possible security concerns.

As not all missing test cases can be implemented during the GSOC a subset of them will be defined with the student together.

''' Getting started: '''
Here are a few suggestion on how to get started.
* Check the Mobile Hacking Playground Android App, browse through the code and Wiki to get an understanding of what a test case look likes.
* Browse through the MASVS and check the different areas and their defined requirements.
* Read about Security vulnerabilites and best practices for Android in areas you are interested in (e.g. Cryptography).

'''Knowledge Prerequisites:'''
General interest in Mobile and Security. Basic knowledge of Android and Java.

'''Mentors:''' [mailto:sven.schleier@owasp.org Sven Schleier] - OWASP Mobile Security Testing Guide and Mobile Hacking Playground Project Leader

== OWASP Hackademic Challenges SAMPLE ENTRY==

[[OWASP Hackademic Challenges Project]] helps you test your knowledge on web application security. You can use it to actually attack web applications in a realistic but also controllable and safe environment. After a wonderfull 2014 GSoC with 100 new challenges and a couple of new plugins we're mainly looking to get new features in and maybe a couple of challenges. Bellow is a list of proposed features.

=== REST API for the sandbox ===

'''Brief Explanation:'''

During the last summer code sprint Hackademic got challenge sandboxing in the form of vagrant and docker wrappers as well as an engine to start and stop the container or vm instances.
What is needed now is a rest api which supports endpoint authentication and authorization which enables the sandbox engine to be completely independed from the rest of the project.

Ideas on the project:
Since the sandbox is written in python, you will be using Django to implement the api.
The endpoint authorization can be done via certificates or plain signature or username/password type authentication. We would like to see what's your idea on the matter.
However the communication between the two has to be over a secure channel.

'''Expected Results:'''
* A REST style api which allows an authenticated remote entity control the parts of the sandbox engine it has access to.
* PEP8 compliant code
* Acceptable unit test coverage

''' Getting started: '''
Since this has been a popular project here's a suggestion on how to get started.
* Check the excellent work done by mebjas and a0xnirudh in their respective brances in the project's repository
* Take a brief look at the code and try to get a feeling of the functionality included. (Essentially it's CRUD operations on vms or containers)
* Read on what Docker and Vagrant are and take a look at their respective py-libraries
* If you think that contributing helps perhaps it would be a good idea to start with lettuce tests on the current CRUD operations of the existing functionality(which won't change and can eventually be ported to the final project)

'''Knowledge Prerequisites:'''
Python, test driven development, some idea what REST is, some security knowledge would be preferable.

'''Mentors:''' [mailto:konstantinos.papapanaqiotou@owasp.org Konstantinos Papapanagiotou][mailto:spyros.gasteratos@owasp.org Spyros Gasteratos] - Hackademic Challenges Project Leaders

=== New CMS ===

'''Brief Explanation:'''

The CMS part of the project is really old and has accumulated a significant amount of technical debt.
In addition many design decisions are either outdated or could be improved.
Therefore it may be a good idea to leverage the power of modern web frameworks to create a new CMS.
The new cms can be written in python using Django.

'''Expected Results:'''
* New cms with same functionality as the old one (3 types of users -- student, teacher, admin--, 3 types of resources -- article challenge, class--, ACL type permissions, CRUD operations on every resource/user, all functionality can be extended by Plugins.
* REST endpoints in addition to classic ones
* tests covering all routes implemented, also complete ACL unit tests, it would be embarassing if a cms by OWASP has rights vulnerabilities.
* PEP 8 code

''' Note: '''
This is a huge project, it is ok if the student implements a part of it. However whatever implemented must be up to spec.
If you decide to take on this project contact us and we can agree on a list of routes.
If you don't decide to take on this project contact us.
Generally contact us, we like it when students have insightful questions and the community is active

''' Getting Started: '''
* Install and take a brief look around the old cms so you have an idea of the functionality needed
* It's ok to scream in frustration
* If you want to contribute to get a feeling of the platform a good idea would be lettuce tests for the current functionality (which won't change and you can port in the new cms eventually)

'''Knowledge Prerequisites:'''
Python, Django, what REST is, the technologies used, some security knowledge would be nice.

'''Mentors:''' [mailto:konstantinos.papapanaqiotou@owasp.org Konstantinos Papapanagiotou][mailto:spyros.gasteratos@owasp.org Spyros Gasteratos] - Hackademic Challenges Project Leaders

=== First Course Type Challenge ===

'''Brief Explanation:'''
We have a wonderful sandbox engine which allows for complex guided challenges to be implemented.
We'd like to build a challenge that guides the user through a series of steps to an end goal and teaches more information on the subject matter on the way.
This is a very open-ended project on purpose to allow creative student to come up with nice ideas.
Bellow you will find some examples that we thought might be interesting.

Ideas on the project:
* Purposefully vulnerable web page that guides the user via javascript tooltips and hints to exploiting it using ZAP. ( Bonus: using ZAP via the ZAP api). The challenge is solved when the the student submits the contents of a text file located on the disk (obtained by exploited an RCE)

* Reversing a provided binary to extract information by providing step by step instructions to reversing using any popular reversing tool (well, you can't use IDA so gdb should have to do). Challenge is solved when the keys are extracted from the binary and submitted. Bonus points if each binary donwloaded has different keys.

* Guide to exploiting the TOP10. (Using ZAP?)

* Defensive Type challenges -- Here's how to create a patch for this kind of vulnerability -- Challenge is solved when the unit tests are run and the vulnerability isn't there.

''' Getting started '''
* Check popular javascript guide tools such as: (http://introjs.com/ and http://github.hubspot.com/shepherd/docs/welcome/ )
* If you're more interested in system or non-web challenges check serverspec and definitely check quest (https://github.com/puppetlabs/quest)
* If you think contributing is a good idea to make yourself familiar with the project you can either port one of the existing simpler 1-page challenges to a docker container and submit a pull request or write a guide on how to create such a challenge

'''Expected Results:'''

* One or more Course - style challenges provided either as a docker container or as a vagrant box.
* Concrete documentation on how to build a challenge like this.

'''Knowledge Prerequisites:'''
The technologies used.

'''Mentors:''' [mailto:konstantinos.papapanaqiotou@owasp.org Konstantinos Papapanagiotou][mailto:spyros.gasteratos@owasp.org Spyros Gasteratos] - Hackademic Challenges Project Leaders

=== Advanced Sandboxed Challenges ===

'''Brief Explanation:'''

In the spirit of the challenges above, we're looking for true ctf type challenges.
This is an open ended task. We're expecting awesome fresh ideas.

Ideas on the project:
* An application vulnerable to one or more TOP 10 elements.
* A logic flaws based ctf
* Your idea here

''' Getting started: '''
* Check what Vagrant/Docker is
* Port one simple 1-page challenge (you can use one we already have ) to docker or vagrant

'''Expected Results:'''
Docker containers or Vagrant boxes that contain complete new challenges.

'''Knowledge Prerequisites:'''
Knowledge of the technologies used

'''Mentors:''' [mailto:konstantinos.papapanaqiotou@owasp.org Konstantinos Papapanagiotou][mailto:spyros.gasteratos@owasp.org Spyros Gasteratos] - Hackademic Challenges Project Leaders

=== Your idea ===

'''Brief Explanation:'''

Amazing students, in our experience, the best, most creative and unique ideas show up when we let students suggest their own feature in relation to the project.
The above should give you a general idea where we're going but don't let them constrain you.
Do you wanna do something that would fit into Hackademic? Send us an email!

Ideas on the project:
No idea, that's your turn to shine!

''' Getting started '''
* Be awesome
* Have an idea
* Be a student
* Explain definite proof of the p vs np solution(jk, an algorithm that breaks RSA in polynomial time would be totally acceptable)

'''Expected Results:'''
If it's code, code according to our coding standards.
If it's challenges, something new and interesting.
If it's something else, then written like the person who's going to maintain your code is a raging psychopath with an axe who knows where you live.

In short we'd like some quality. ;-)

'''Knowledge Prerequisites:'''

'''Mentors:''' [mailto:konstantinos.papapanaqiotou@owasp.org Konstantinos Papapanagiotou][mailto:spyros.gasteratos@owasp.org Spyros Gasteratos] - Hackademic Challenges Project Leaders

== OWASP ZAP ==

[[OWASP Zed Attack Proxy Project]] (ZAP) The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers. Previous GSoC students have implemented key parts of the ZAP core functionality and have been offered (and accepted) jobs based on their work on ZAP.

We have just included a few of the ideas we have here, for a more complete list see the issues on the ZAP bug tracker with the [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3Aproject project] label.

=== Field enumeration ===

This would allow a user to iterate though a set of (user defined) characters in order to identify the ones that are filtered out and/or escaped.

The user should be able to define the character sets to test and will probably need to configure the success and failure conditions, as well as valid values for other fields in the form.

''' Expected Results '''

* User able to specify a specific field to enumerate via the ZAP UI
* A list of all valid characters to be returned from the sets of characters the user specifies
* Ability to configure a wide range of success and failure conditions to cope with as many possible situations as possible

''' Knowledge Prerequisite: '''
ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.

''' Mentors '''
[mailto:psiinon@gmail.com Simon Bennetts] and other members of the ZAP core team

=== Your idea ===

'''Brief Explanation:'''

ZAP is a great framework for building new and innovative security testing solutions. If you have an idea that is not on this list then don't worry, you can still submit it, we have accepted original projects in previous years and have even paid a student to work on their idea when we did not get enough GSoC slots to accept all of the projects we wanted.

''' Getting started '''
* Get in touch with us :)

'''Expected Results:'''
* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]
* A new feature that makes ZAP even better

'''Knowledge Prerequisites:'''
* Experience with Java will definitely help

'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP core team

OWASP Zed Attack Proxy Project

2016-12-20T16:29:39Z

Psiinon: added link to jenkins plugin homepage

= Main =
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=]]</div>
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |
[[Image:zap128x128.png|right]]
{{ReviewProject|projectname=zaproxy|language=en}}
<div style="font-size:120%;border:none;margin: 0;color:#000">
The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers[[#Justification|*]]. It can help you automatically find security vulnerabilities in your web applications while you are developing and testing your applications. Its also a great tool for experienced pentesters to use for manual security testing.

[[Image:ZAP-Download.png | link=https://github.com/zaproxy/zaproxy/wiki/Downloads]]

====Please help us to make ZAP even better for you by answering the [https://docs.google.com/forms/d/1-k-vcj_sSxlil6XLxCFade-m-IQVeE2h9gduA-2ZPPA/viewform ZAP User Questionnaire]!====

For a quick overview of ZAP and an introduction to the [https://wiki.jenkins-ci.org/display/JENKINS/zap+plugin official ZAP Jenkins plugin] see these tutorial videos on YouTube:

{|
|-
{{#ev:youtube|eH0RBI0nmww}} 
{{#ev:youtube|mmHZLSffCUg}}
|}

For more videos see the links on the [https://github.com/zaproxy/zaproxy/wiki/Videos wiki videos page].

Interested in a ZAP talk or training event? See the [https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project#tab=Talks talks] tab. Not one near you? Contact a [https://github.com/zaproxy/zaproxy/wiki/ZapEvangelists Zap Evangelist] to arrange one!

<paypal>Zed Attack Proxy</paypal>

For general information about ZAP:
* [https://twitter.com/zaproxy Twitter] - official ZAP announcements (low volume)
* [https://zaproxy.blogspot.co.uk/ Blog] - official ZAP blog

For help using ZAP:
* [https://github.com/zaproxy/zaproxy/releases/download/2.4.0/ZAPGettingStartedGuide-2.4.pdf Getting Started Guide (pdf)] - an introductory guide you can print
* [https://www.youtube.com/playlist?list=PLEBitBW-Hlsv8cEIUntAO8st2UGhmrjUB Tutorial Videos]
* [https://github.com/zaproxy/zap-core-help/wiki User Guide] - online version of the User Guide included with ZAP
* [https://groups.google.com/group/zaproxy-users User Group] - ask questions about using ZAP
* [https://github.com/zaproxy/zap-extensions/wiki Add-ons] - help for the optional add-ons you can install
* [https://stackoverflow.com/questions/tagged/zap StackOverflow] - because some people use this for all everything ;)

To learn more about ZAP development:
* [https://github.com/zaproxy Source Code] - for all of the ZAP related projects
* [https://github.com/zaproxy/zaproxy/wiki/Introduction Wiki] - lots of detailed info
* [https://groups.google.com/group/zaproxy-develop Developer Group] - ask questions about the ZAP internals
* [https://crowdin.com/project/owasp-zap Crowdin (GUI)] - help translate the ZAP GUI
* [https://crowdin.com/project/owasp-zap-help Crowdin (User Guide)] - help translate the ZAP User Guide
* [https://www.openhub.net/p/zaproxy OpenHub] - FOSS analytics
* [https://www.bountysource.com/teams/zap/issues BountySource] - Vote on ZAP issues (you can also donate money here, but 10% taken out)

===Justification===
Justification for the statements made in the tagline at the top;)

Popularity:
* ToolsWatch Annual Best Free/Open Source Security Tool Survey:
** 2015 [http://www.toolswatch.org/2016/02/2015-top-security-tools-as-voted-by-toolswatch-org-readers/ 1st]
** 2014 [http://www.toolswatch.org/2015/01/2014-top-security-tools-as-voted-by-toolswatch-org-readers/ 2nd]
** 2013 [http://www.toolswatch.org/2013/12/2013-top-security-tools-as-voted-by-toolswatch-org-readers/ 1st]

Contributors:
* [https://www.openhub.net/p/zaproxy Code Contributors]
* [https://crowdin.com/project/owasp-zap ZAP core i18n Contributors]
* [https://crowdin.com/project/owasp-zap-help ZAP help i18n Contributors]

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:200px;" |

== Quick Download ==

[https://github.com/zaproxy/zaproxy/wiki/Downloads Download OWASP ZAP!]

== News and Events ==
Please see the [https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project#News News] and [https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project#Talks Talks] tabs

== Change Log ==
* [https://github.com/zaproxy/zaproxy/commits/develop zaproxy]
* [https://github.com/zaproxy/zap-extensions/commits/master zap-extensions]

== Code Repo ==
* [https://github.com/zaproxy/zaproxy/ zaproxy]
* [https://github.com/zaproxy/zap-extensions/ zap-extensions]

== Email List ==

Questions? Please ask on the [http://groups.google.com/group/zaproxy-users ZAP User Group]

== Project Leader ==

Project Leader<br/>[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @]

== Related Projects ==

* [https://www.owasp.org/index.php/OWASP_Web_Testing_Environment_Project OWASP WTE]
* [https://www.owasp.org/index.php/OWASP_OWTF OWASP OWTF]

== Ohloh ==

*https://www.openhub.net/p/zaproxy

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" rowspan="2" width="50%" | [[File:Mature projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]
| align="center" valign="center" width="50%"| [[File:Owasp-builders-small.png|link=]]
|
|-
| align="center" valign="center" width="50%"| [[File:Owasp-breakers-small.png|link=]]
|-
| colspan="2" align="center" | [http://www.apache.org/licenses/LICENSE-2.0 Apache 2 License]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=]]
|}

|}

= Screenshots =
[[Image:zap128x128.png|right]]
{|
|-
|
[[Image:ZAP-ScreenShotAddAlert.png||400px||ZAP Add Alert Screen Shot]]
|
[[Image:ZAP-ScreenShotHelp.png||400px|left|ZAP Help Screen Shot]]
|-
|
[[Image:ZAP-ScreenShotHistoryFilter.png|thumb|400px|left|ZAP History Filter Screen Shot]]
|
[[Image:ZAP-ScreenShotSearchTab.png|thumb|400px|left|ZAP Search Tab Screen Shot]]
|}

= Talks =
[[Image:zap128x128.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
{{:Projects/OWASP Zed Attack Proxy Project/Pages/Talks | Talks}}

</div>
= News =
[[Image:zap128x128.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
{{:Projects/OWASP Zed Attack Proxy Project/Pages/News | News}}

</div>
= ZAP Gear =
[[Image:zap128x128.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

Yes, you can now buy ZAP related gear!

All of the artwork for ZAP swag is released under the Creative Common License and can be downloaded from the [https://github.com/zaproxy/zap-swag zap-swag] repo.

You can of course use the artwork from this repo with any other online store that you like.

A range of products can be purchased from [http://www.redbubble.com/people/zaproxy Redbubble]

Stickers can be purchased from [https://www.stickermule.com/uk/user/1070684077/stickers Stickermule]

T-shirts can be purchased from [http://www.cafepress.com/zaproxy Cafepress]

[[Image:zap-tshirt-cp.PNG | link=http://www.cafepress.com/zaproxy]]

</div>

= Supporters =
[[Image:zap128x128.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

ZAP is developed by a worldwide [https://github.com/zaproxy/zap-core-help/wiki/HelpCredits team] of volunteers.

But we have also been helped by many organizations, either financially or by encouraging their employees to work on ZAP:

* [http://www.mozilla.org Mozilla]
* [http://www.linuxfoundation.org/ The Linux Foundation]
* [http://www.owasp.org OWASP]
* [http://www.sage.co.uk Sage]
* [http://www.google.com Google]
* [http://www.microsoft.com Microsoft]
* [http://www.hacktics.com/ Hacktics, Ernst & Young]
* [http://www.dinosec.com/ DinoSec]
* [http://www.denimgroup.com Denim Group]
* [http://www.aspectsecurity.com/ Aspect Security]
* [http://secureideas.net SecureIdeas]
* [http://utilisec.com UtiliSec]
* [http://www.encription.co.uk/ encription]
* [https://www.accenture.com/us-en/digital-index.aspx Accenture Digital]
</div>

= Functionality =
[[Image:zap128x128.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
'''Some of ZAP's functionality:'''

* [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsIntercept Intercepting Proxy]
* [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsSpider Traditional] and AJAX spiders
* [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsAscan Automated scanner]
* [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsPscan Passive scanner]
* [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsBruteforce Forced browsing]
* [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsFuzz Fuzzer]
* [https://github.com/zaproxy/zap-core-help/wiki/HelpUiDialogsOptionsDynsslcert Dynamic SSL certificates]
* [https://github.com/zaproxy/zap-core-help/wiki/SmartCards Smartcard and Client Digital Certificates support]
* [https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsWebsocketIntroduction Web sockets] support
* [https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsScriptsScripts Support for a wide range of scripting languages]
* [https://github.com/zaproxy/zap-core-help/wiki//HelpAddonsPlugnhackPlugnhack Plug-n-Hack support]
* Authentication and session support
* [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsApi Powerful REST based API]
* Automatic updating option
* [https://github.com/zaproxy/zap-extensions/wiki Integrated and growing marketplace of add-ons]

</div>
= Features =
[[Image:zap128x128.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
'''Some of ZAP's features:'''

* [http://www.apache.org/licenses/LICENSE-2.0 Open source]
* Cross platform (it even runs on a [https://github.com/zaproxy/zaproxy/wiki/zappi Raspberry Pi!])
* Easy to install (just requires java 1.7)
* Completely free (no paid for 'Pro' version)
* Ease of use a priority
* [https://github.com/zaproxy/zap-core-help/wiki/HelpIntro Comprehensive help pages]
* Fully internationalized
* Translated into over 20 languages
* Community based, with involvement actively encouraged
* Under active development by an international team of volunteers

ZAP is a fork of the well regarded [http://www.parosproxy.org/ Paros Proxy].

</div>

= Languages =
[[Image:zap128x128.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

'''ZAP supports the following languages:'''

* English
* Arabic
* Bosnian
* Brazilian Portuguese
* Chinese
* Danish
* Filipino
* French
* German
* Greek
* Hungarian
* Indonesian
* Italian
* Japanese
* Korean
* Persian
* Polish
* Russian
* Sinhala
* Spanish
* Urdu

You can use [http://crowdin.net/project/owasp-zap Crowdin] to help improve these translations or add new ones right now!

</div>

= Roadmap =
[[Image:zap128x128.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

==Release 2.4.3==
ZAP 2.4.3 has been released, this is a bug fix and enhancement release

For more details see https://github.com/zaproxy/zap-core-help/wiki/HelpReleases2_4_3

</div>

= Get Involved =
[[Image:zap128x128.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

Involvement in the development of ZAP is actively encouraged!

You do not have to be a security expert in order to contribute.

Some of the ways you can help:

==Feature Requests==

Please raise new feature requests as enhancement requests here: https://github.com/zaproxy/zaproxy/issues

If there are existing requests you are also interested in then please 'star' them - that way we can see which features people are most interested in and can prioritize them accordingly.

==Feedback==

Please use the [http://groups.google.com/group/zaproxy-users zaproxy-users Google Group] for feedback:
* What do like?
* What don't you like?
* What features could be made easier to use?
* How could the help pages be improved?

==Log issues==

Have you had a problem using ZAP?

If so and its not already been logged then please [https://github.com/zaproxy/zaproxy/issues report it]

==Localization==

Are you fluent in another language? Can you help translate ZAP into that language?

You can use [http://crowdin.net/project/owasp-zap Crowdin] to do that!

==Development==

If you fancy having a go at adding functionality to ZAP then please get in touch via the [http://groups.google.com/group/zaproxy-develop zaproxy-develop Google Group].

Again, you do not have to be a security expert to contribute code - working on ZAP could be great way to learn more about web application security!

If you actively contribute to ZAP then you will be invited to join the project.

</div>

__NOTOC__ <headertabs />

[[Category:OWASP_Project|Zed Attack Proxy Project]]
[[Category:OWASP_Tool]]
[[Category:OWASP_Release_Quality_Tool|OWASP Release Quality Tool]]
[[Category:OWASP_Download]]
[[Category:Popular]]
[[Category:SAMM-ST-2]]

OWASP Zed Attack Proxy Project

2016-12-16T11:58:16Z

Psiinon: Replaced 2.4.0 vid with Jenkins one

= Main =
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=]]</div>
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |
[[Image:zap128x128.png|right]]
{{ReviewProject|projectname=zaproxy|language=en}}
<div style="font-size:120%;border:none;margin: 0;color:#000">
The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers[[#Justification|*]]. It can help you automatically find security vulnerabilities in your web applications while you are developing and testing your applications. Its also a great tool for experienced pentesters to use for manual security testing.

[[Image:ZAP-Download.png | link=https://github.com/zaproxy/zaproxy/wiki/Downloads]]

====Please help us to make ZAP even better for you by answering the [https://docs.google.com/forms/d/1-k-vcj_sSxlil6XLxCFade-m-IQVeE2h9gduA-2ZPPA/viewform ZAP User Questionnaire]!====

For a quick overview of ZAP and an introduction to the official ZAP Jenkins plugin see these tutorial videos on YouTube:

{|
|-
{{#ev:youtube|eH0RBI0nmww}} 
{{#ev:youtube|mmHZLSffCUg}}
|}

For more videos see the links on the [https://github.com/zaproxy/zaproxy/wiki/Videos wiki videos page].

Interested in a ZAP talk or training event? See the [https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project#tab=Talks talks] tab. Not one near you? Contact a [https://github.com/zaproxy/zaproxy/wiki/ZapEvangelists Zap Evangelist] to arrange one!

<paypal>Zed Attack Proxy</paypal>

For general information about ZAP:
* [https://twitter.com/zaproxy Twitter] - official ZAP announcements (low volume)
* [https://zaproxy.blogspot.co.uk/ Blog] - official ZAP blog

For help using ZAP:
* [https://github.com/zaproxy/zaproxy/releases/download/2.4.0/ZAPGettingStartedGuide-2.4.pdf Getting Started Guide (pdf)] - an introductory guide you can print
* [https://www.youtube.com/playlist?list=PLEBitBW-Hlsv8cEIUntAO8st2UGhmrjUB Tutorial Videos]
* [https://github.com/zaproxy/zap-core-help/wiki User Guide] - online version of the User Guide included with ZAP
* [https://groups.google.com/group/zaproxy-users User Group] - ask questions about using ZAP
* [https://github.com/zaproxy/zap-extensions/wiki Add-ons] - help for the optional add-ons you can install
* [https://stackoverflow.com/questions/tagged/zap StackOverflow] - because some people use this for all everything ;)

To learn more about ZAP development:
* [https://github.com/zaproxy Source Code] - for all of the ZAP related projects
* [https://github.com/zaproxy/zaproxy/wiki/Introduction Wiki] - lots of detailed info
* [https://groups.google.com/group/zaproxy-develop Developer Group] - ask questions about the ZAP internals
* [https://crowdin.com/project/owasp-zap Crowdin (GUI)] - help translate the ZAP GUI
* [https://crowdin.com/project/owasp-zap-help Crowdin (User Guide)] - help translate the ZAP User Guide
* [https://www.openhub.net/p/zaproxy OpenHub] - FOSS analytics
* [https://www.bountysource.com/teams/zap/issues BountySource] - Vote on ZAP issues (you can also donate money here, but 10% taken out)

===Justification===
Justification for the statements made in the tagline at the top;)

Popularity:
* ToolsWatch Annual Best Free/Open Source Security Tool Survey:
** 2015 [http://www.toolswatch.org/2016/02/2015-top-security-tools-as-voted-by-toolswatch-org-readers/ 1st]
** 2014 [http://www.toolswatch.org/2015/01/2014-top-security-tools-as-voted-by-toolswatch-org-readers/ 2nd]
** 2013 [http://www.toolswatch.org/2013/12/2013-top-security-tools-as-voted-by-toolswatch-org-readers/ 1st]

Contributors:
* [https://www.openhub.net/p/zaproxy Code Contributors]
* [https://crowdin.com/project/owasp-zap ZAP core i18n Contributors]
* [https://crowdin.com/project/owasp-zap-help ZAP help i18n Contributors]

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:200px;" |

== Quick Download ==

[https://github.com/zaproxy/zaproxy/wiki/Downloads Download OWASP ZAP!]

== News and Events ==
Please see the [https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project#News News] and [https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project#Talks Talks] tabs

== Change Log ==
* [https://github.com/zaproxy/zaproxy/commits/develop zaproxy]
* [https://github.com/zaproxy/zap-extensions/commits/master zap-extensions]

== Code Repo ==
* [https://github.com/zaproxy/zaproxy/ zaproxy]
* [https://github.com/zaproxy/zap-extensions/ zap-extensions]

== Email List ==

Questions? Please ask on the [http://groups.google.com/group/zaproxy-users ZAP User Group]

== Project Leader ==

Project Leader<br/>[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @]

== Related Projects ==

* [https://www.owasp.org/index.php/OWASP_Web_Testing_Environment_Project OWASP WTE]
* [https://www.owasp.org/index.php/OWASP_OWTF OWASP OWTF]

== Ohloh ==

*https://www.openhub.net/p/zaproxy

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" rowspan="2" width="50%" | [[File:Mature projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]
| align="center" valign="center" width="50%"| [[File:Owasp-builders-small.png|link=]]
|
|-
| align="center" valign="center" width="50%"| [[File:Owasp-breakers-small.png|link=]]
|-
| colspan="2" align="center" | [http://www.apache.org/licenses/LICENSE-2.0 Apache 2 License]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=]]
|}

|}

= Screenshots =
[[Image:zap128x128.png|right]]
{|
|-
|
[[Image:ZAP-ScreenShotAddAlert.png||400px||ZAP Add Alert Screen Shot]]
|
[[Image:ZAP-ScreenShotHelp.png||400px|left|ZAP Help Screen Shot]]
|-
|
[[Image:ZAP-ScreenShotHistoryFilter.png|thumb|400px|left|ZAP History Filter Screen Shot]]
|
[[Image:ZAP-ScreenShotSearchTab.png|thumb|400px|left|ZAP Search Tab Screen Shot]]
|}

= Talks =
[[Image:zap128x128.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
{{:Projects/OWASP Zed Attack Proxy Project/Pages/Talks | Talks}}

</div>
= News =
[[Image:zap128x128.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
{{:Projects/OWASP Zed Attack Proxy Project/Pages/News | News}}

</div>
= ZAP Gear =
[[Image:zap128x128.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

Yes, you can now buy ZAP related gear!

All of the artwork for ZAP swag is released under the Creative Common License and can be downloaded from the [https://github.com/zaproxy/zap-swag zap-swag] repo.

You can of course use the artwork from this repo with any other online store that you like.

A range of products can be purchased from [http://www.redbubble.com/people/zaproxy Redbubble]

Stickers can be purchased from [https://www.stickermule.com/uk/user/1070684077/stickers Stickermule]

T-shirts can be purchased from [http://www.cafepress.com/zaproxy Cafepress]

[[Image:zap-tshirt-cp.PNG | link=http://www.cafepress.com/zaproxy]]

</div>

= Supporters =
[[Image:zap128x128.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

ZAP is developed by a worldwide [https://github.com/zaproxy/zap-core-help/wiki/HelpCredits team] of volunteers.

But we have also been helped by many organizations, either financially or by encouraging their employees to work on ZAP:

* [http://www.mozilla.org Mozilla]
* [http://www.linuxfoundation.org/ The Linux Foundation]
* [http://www.owasp.org OWASP]
* [http://www.sage.co.uk Sage]
* [http://www.google.com Google]
* [http://www.microsoft.com Microsoft]
* [http://www.hacktics.com/ Hacktics, Ernst & Young]
* [http://www.dinosec.com/ DinoSec]
* [http://www.denimgroup.com Denim Group]
* [http://www.aspectsecurity.com/ Aspect Security]
* [http://secureideas.net SecureIdeas]
* [http://utilisec.com UtiliSec]
* [http://www.encription.co.uk/ encription]
* [https://www.accenture.com/us-en/digital-index.aspx Accenture Digital]
</div>

= Functionality =
[[Image:zap128x128.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
'''Some of ZAP's functionality:'''

* [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsIntercept Intercepting Proxy]
* [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsSpider Traditional] and AJAX spiders
* [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsAscan Automated scanner]
* [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsPscan Passive scanner]
* [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsBruteforce Forced browsing]
* [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsFuzz Fuzzer]
* [https://github.com/zaproxy/zap-core-help/wiki/HelpUiDialogsOptionsDynsslcert Dynamic SSL certificates]
* [https://github.com/zaproxy/zap-core-help/wiki/SmartCards Smartcard and Client Digital Certificates support]
* [https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsWebsocketIntroduction Web sockets] support
* [https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsScriptsScripts Support for a wide range of scripting languages]
* [https://github.com/zaproxy/zap-core-help/wiki//HelpAddonsPlugnhackPlugnhack Plug-n-Hack support]
* Authentication and session support
* [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsApi Powerful REST based API]
* Automatic updating option
* [https://github.com/zaproxy/zap-extensions/wiki Integrated and growing marketplace of add-ons]

</div>
= Features =
[[Image:zap128x128.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
'''Some of ZAP's features:'''

* [http://www.apache.org/licenses/LICENSE-2.0 Open source]
* Cross platform (it even runs on a [https://github.com/zaproxy/zaproxy/wiki/zappi Raspberry Pi!])
* Easy to install (just requires java 1.7)
* Completely free (no paid for 'Pro' version)
* Ease of use a priority
* [https://github.com/zaproxy/zap-core-help/wiki/HelpIntro Comprehensive help pages]
* Fully internationalized
* Translated into over 20 languages
* Community based, with involvement actively encouraged
* Under active development by an international team of volunteers

ZAP is a fork of the well regarded [http://www.parosproxy.org/ Paros Proxy].

</div>

= Languages =
[[Image:zap128x128.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

'''ZAP supports the following languages:'''

* English
* Arabic
* Bosnian
* Brazilian Portuguese
* Chinese
* Danish
* Filipino
* French
* German
* Greek
* Hungarian
* Indonesian
* Italian
* Japanese
* Korean
* Persian
* Polish
* Russian
* Sinhala
* Spanish
* Urdu

You can use [http://crowdin.net/project/owasp-zap Crowdin] to help improve these translations or add new ones right now!

</div>

= Roadmap =
[[Image:zap128x128.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

==Release 2.4.3==
ZAP 2.4.3 has been released, this is a bug fix and enhancement release

For more details see https://github.com/zaproxy/zap-core-help/wiki/HelpReleases2_4_3

</div>

= Get Involved =
[[Image:zap128x128.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

Involvement in the development of ZAP is actively encouraged!

You do not have to be a security expert in order to contribute.

Some of the ways you can help:

==Feature Requests==

Please raise new feature requests as enhancement requests here: https://github.com/zaproxy/zaproxy/issues

If there are existing requests you are also interested in then please 'star' them - that way we can see which features people are most interested in and can prioritize them accordingly.

==Feedback==

Please use the [http://groups.google.com/group/zaproxy-users zaproxy-users Google Group] for feedback:
* What do like?
* What don't you like?
* What features could be made easier to use?
* How could the help pages be improved?

==Log issues==

Have you had a problem using ZAP?

If so and its not already been logged then please [https://github.com/zaproxy/zaproxy/issues report it]

==Localization==

Are you fluent in another language? Can you help translate ZAP into that language?

You can use [http://crowdin.net/project/owasp-zap Crowdin] to do that!

==Development==

If you fancy having a go at adding functionality to ZAP then please get in touch via the [http://groups.google.com/group/zaproxy-develop zaproxy-develop Google Group].

Again, you do not have to be a security expert to contribute code - working on ZAP could be great way to learn more about web application security!

If you actively contribute to ZAP then you will be invited to join the project.

</div>

__NOTOC__ <headertabs />

[[Category:OWASP_Project|Zed Attack Proxy Project]]
[[Category:OWASP_Tool]]
[[Category:OWASP_Release_Quality_Tool|OWASP Release Quality Tool]]
[[Category:OWASP_Download]]
[[Category:Popular]]
[[Category:SAMM-ST-2]]