The Zed Attack Proxy (ZAP) is a web app scanner.
It can help you automatically find security vulnerabilities in your web applications while you are developing and testing your applications. It’s also a tool for experienced pentesters to use for manual security testing.
At its core, ZAP is what is known as a “manipulator-in-the-middle proxy.” It stands between the tester’s browser and the web application so that it can intercept and inspect messages sent between browser and web application, modify the contents if needed, and then forward those packets on to the destination. It can be used as a stand-alone application, and as a daemon process.
ZAP provides functionality for a range of skill levels – from developers, to testers new to security testing, to security testing specialists. ZAP has versions for each major OS and Docker, so you are not tied to a single OS. Additional functionality is freely available from a variety of add-ons in the ZAP Marketplace, accessible from within the ZAP client.
This is free and open source software.
Website: github.com/zaproxy/zaproxy
Support:
Developer: Checkmarx
License: Apache License 2.0
ZAP is written in Java. Learn Java with our recommended free books and free tutorials.
Related Software
| Vulnerability Detection Tools | |
|---|---|
| Metasploit | Penetration testing framework |
| Nuclei | Fast and customisable vulnerability scanner |
| OpenVAS | Full-featured vulnerability scanner |
| Nikto | Web server scanner |
| Lynis | Auditing, system hardening, compliance testing |
| grype | Vulnerability scanner for container images and filesystems |
| OSSEC | Centralized architecture for monitoring and managing multiple systems |
| OpenSCAP | NIST Certified SCAP 1.2 toolkit |
| octoscan | Static vulnerability scanner for GitHub action workflows |
| Greenbone | Central management service between security scanners and the user clients. |
| Terrapin | Terrapin Vulnerability Scanner for the Terrapin attack |
| Tiger | Security audit and intrusion detection too |
| PRS | Web security scanner |
| Trivy | Terrapin Vulnerability Scanner for the Terrapin attack |
Read our verdict in the software roundup.
| Security Testing | |
|---|---|
| ZAP | Web app scanner |
| mitmproxy | Interactive HTTPS proxy |
| Wfuzz | Web application fuzzer and Python library for security assessments |
| sqlmap | Penetration testing tool |
| InterceptSuite | Network traffic interception tool |
| Dalfox | Identify cross-site scripting vulnerabilities in web applications |
| Commix | Python-based penetration testing tool |
| BURP | Accelerate application security testing |
Read our verdict in the software roundup.
Explore our comprehensive directory of recommended free and open source software. Our carefully curated collection spans every major software category.This directory is part of our ongoing series of informative articles for Linux enthusiasts. It features hundreds of detailed reviews, along with open source alternatives to proprietary solutions from major corporations such as Google, Microsoft, Apple, Adobe, IBM, Cisco, Oracle, and Autodesk. You’ll also find interesting projects to try, hardware coverage, free programming books and tutorials, and much more. Discovered a useful open source Linux program that we haven’t covered yet? Let us know by completing this form. |

