OWASP ZAP

Open-source web application security scanner — find vulnerabilities in your web apps.

Category: securityFirst released: 2010Created by: OWASP FoundationLicense: Apache-2.0Platforms: macOS, Linux, Windows

OWASP Zed Attack Proxy (ZAP) is the world's most popular free web application security scanner, maintained by the Open Web Application Security Project (OWASP). It functions as a man-in-the-middle proxy between the tester's browser and the web application, intercepting and inspecting messages for vulnerabilities. ZAP provides automated scanning, a powerful REST API for CI/CD integration, and both traditional spidering and AJAX spidering for discovering application content. The marketplace of community add-ons extends functionality with additional scanners, reports, and integrations. Suitable for both manual penetration testing by security professionals and automated security scanning in development pipelines, ZAP bridges the gap between developers and security teams by making web application security testing accessible and automatable.

Links

Official Website Documentation GitHub

Key Features

Intercepting proxyAutomated vulnerability scanningREST API for CI/CDAJAX spideringTraditional spiderMarketplace of add-onsScriptable via Zest, Python, JavaScript