OWASP ZAP (Zed Attack Proxy) is a powerful tool meant to help web developers and IT security professionals find security vulnerabilities in web applications, either automatically trough a series of scanners or manually through classic penetration testing methods.
As you've probably already figured out, OWASP ZAP is not a tool for any casual users. It's meant to be used by functional testers, web developers, and other people with enough experience in penetration testing or at least in general IT security. Anyway, its interface is intuitive and self-explanatory, and that's quite surprising when taking into consideration the fact that OWASP ZAP is also a comprehensive and feature-rich tool. For example, it can be used as an accurate intercepting proxy that lets you view the requests made to a web app and their responses, including AJAX calls. By setting breaking points one can even control these requests and responses live as they happen. Another cool feature of this powerful tool is the fact that it provides multiple “spiders” (tools to discover new resources (URLs) on a specific website), including one that supports AJAX. There are also both passive and active scanners that look to detect potential vulnerabilities by using known attacks against the selected target, as well as a “fuzzer” that lets you submit a large amount of invalid or unexpected data to a target to test its reaction. These are just a few of the many features, functions and built-in tools that OWASP ZAP provides. And the best thing about it is that it's an open source tool that can be used and modified freely by anyone.
It's also easy to install, as it only requires Java, and impressively effective, as it's a community-based utility that resulted from the collaboration of brilliant minds.
- Comprehensive help files.
- Open source.
- Powerful and feature-rich.
- Requires Java.