OWASP ZAP (Zed Attack Proxy) logo

OWASP ZAP (Zed Attack Proxy)

by OWASP · Since 2001
No reviews yet
ActiveFree tier
Quick facts
VendorOWASP
Year launched2001
StatusActive
LocationWilmington, DE, USA
Countries servedN/A
Languages16
IntegrationsN/A
Free tierYES
Free trialNO
Contact salesNO

About OWASP ZAP (Zed Attack Proxy)

OWASP ZAP (Zed Attack Proxy) is a free, open-source web application security scanner. It acts as a manipulator-in-the-middle proxy to intercept, inspect, and modify traffic between a browser and a web application to find security vulnerabilities.

OWASP ZAP (Zed Attack Proxy) is a widely used, free, and open-source tool for web application security testing. Maintained by a global community under the OWASP Foundation, it helps developers and security professionals find and fix vulnerabilities. ZAP functions as a 'manipulator-in-the-middle proxy,' intercepting traffic between a browser and a web app for inspection and modification. It supports automated scanning, active attacks, and passive analysis. Key features include a spider for discovering content, a fuzzer for testing inputs, and robust API for CI/CD integration. ZAP is highly extensible via a marketplace of add-ons. It is a free tool with no paid tiers, supported by a large community. It is available for Windows, Linux, macOS, and as Docker images, making it a versatile choice for security testing.

Pros & Cons

Pros
  • Completely free and open-source, maintained by a large community.
  • Highly extensible through a marketplace of community-contributed add-ons.
  • Supports a wide range of security testing features, including automated, active, and passive scanning.
  • Provides a powerful API for integration into automated CI/CD pipelines.
  • Available on multiple platforms including Windows, macOS, Linux, and Docker.
Cons
  • The user interface can have a steep learning curve for beginners.
  • As an open-source tool, it lacks dedicated enterprise-level customer support.
  • Some advanced features may require scripting knowledge to fully utilize.

Features

Key features

Automated Scanning

Provides a range of options for security automation to find vulnerabilities.

Active and Passive Scanning

Scans applications for vulnerabilities both actively (by attacking) and passively (by observing traffic).

Fuzzer

Includes an advanced fuzzer for manual testing by sending unexpected or malformed data to an application.

API Support

Offers a REST API for integration into CI/CD pipelines and other automated workflows.

Extensible with Add-ons

A marketplace provides numerous add-ons to extend ZAP's functionality, contributed by the community.

Multi-platform Support

Available for Windows, Linux, and macOS, and as Docker images.

Additional features

Spidering

Automatically discovers new resources (URLs) on a web application.

WebSocket Support

Enables testing of applications that use WebSockets for communication.

Authentication Support

Provides mechanisms to handle various authentication schemes during scans.

Scripting

Supports scripting in multiple languages to customize ZAP's behavior.

Site Tree

Displays a hierarchical view of the sites and resources explored.

Proxy Functionality

Intercepts and inspects all HTTP/S traffic between the browser and the web application.

Alerts

Generates detailed alerts for identified vulnerabilities with risk levels and remediation advice.

Reporting

Can generate reports in various formats like HTML, XML, and JSON.

Pricing

Free trial
Free version
Request a quote
Promo Offer

Countries & Languages

Countries served
16
Interface languages
Billing currencies

Interface languages

EnglishArabicBosnianChineseFrenchGermanIndonesianItalianJapaneseKoreanPersianPolishPortugueseRussianSpanishTurkish

No reviews yet

Be the first to drop a review

Alternatives to OWASP ZAP (Zed Attack Proxy)

Enzoic logo

Enzoic

Enzoic, headquartered in Boulder, Colorado, is a cybersecurity company specializing in compromised credential detection and…

Appknox logo

Appknox

Appknox is a security software platform from Appknox that focuses on mobile and web application…

VerifyWP logo

VerifyWP

VerifyWP is a highly efficient, laser-focused tool in the WordPress Security and Code Integrity landscape.…

NowSecure Platform logo

NowSecure Platform

NowSecure Platform is a mobile application security testing (AST) solution. It provides continuous, automated testing…

Veracode for PCI Compliance logo

Veracode for PCI Compliance

Veracode is an Application Risk Management Platform that provides unified visibility and tools to detect,…

BugProve logo

BugProve

BugProve is an IoT security testing platform focused on firmware analysis. It examines firmware binaries…

Spot something wrong or outdated?

Suggest a correction — a reviewer verifies every change.

Often compared with OWASP ZAP (Zed Attack Proxy)

Compare any two tools →
Enzoic logo
Enzoic
Identity Management
0.0
Appknox logo
Appknox
Vulnerability Scanner
0.0
VerifyWP logo
VerifyWP
Vulnerability Scanner
0.0
NowSecure Platform logo
NowSecure Platform
Mobile Application Security Software
0.0