As part of my ongoing collection of reviews and thoughts on today’s Security Testing Tools, I’m taking a look at the Zed Attack Proxy (ZAP) by OWASP.  While my last review, of WebSecurify, looked at a very simplistic tool for Web Application Security Testing, this review brings us a slightly more complex tool.


So where do we start?

ZAP is an easy-to-use integrated penetration testing tool for finding vulnerabilities in your web applications.  It’s designed for developers, testers and security experts alike, so it suits people with a wide range of security expertise.  As OWASP freely admits, though, the tool is ideally suited to developers and testers who are new to penetration testing.  ZAP is available for Linux, Windows and Mac, so don’t let the platform get in the way of trying it out.

For a free tool, ZAP provides a lot of features, including:

  • Intercepting Proxy
  • Automated Scanner
  • Passive Scanner
  • Brute Force Scanner
  • Fuzzer
  • Port Scanner
  • Spider
  • and more…
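
The two scanners on that list work in very different ways, which matters when you point ZAP at something: the Passive Scanner only reads requests and responses that already went through the proxy, while the Automated (active) Scanner sends its own attack payloads, so the latter belongs only on applications you are authorized to test.  To show what passive checks look like, here is an added example of my own; it is not ZAP’s code and does not use ZAP’s API.  It runs a few header and cookie checks of the kind a passive scanner performs over two constructed HTTP responses (one weak, one hardened) and rolls the findings up by risk level:

```python
"""Passive-scan checks of the kind ZAP's Passive Scanner performs.

Added example, not ZAP's own code: it inspects an already-captured HTTP
response and never sends traffic, which is what separates passive
scanning from the active/automated scanner.
"""

# Constructed sample responses (not captured from any real site).
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.3\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: JSESSIONID=abc123; Path=/\r\n"
    "Set-Cookie: theme=dark; Path=/; HttpOnly\r\n"
    "\r\n"
    "<html><body>Hello</body></html>"
)

HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "Set-Cookie: JSESSIONID=abc123; Path=/; Secure; HttpOnly\r\n"
    "\r\n"
    "<html><body>Hello</body></html>"
)

# Headers a passive scanner expects on an HTML response, with the alert text.
EXPECTED_HTML_HEADERS = {
    "x-frame-options": "Missing anti-clickjacking header (X-Frame-Options)",
    "x-content-type-options": "Missing X-Content-Type-Options: nosniff",
    "content-security-policy": "Missing Content-Security-Policy header",
}


def parse_response(raw):
    """Split a raw HTTP response into (status line, [(name, value)], body).

    Headers are kept as an ordered list so repeated ones such as
    Set-Cookie are not collapsed into one value.
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def header_values(headers, name):
    """All values of a (case-insensitive) header name."""
    return [v for n, v in headers if n == name.lower()]


def passive_scan(raw):
    """Return a list of {'risk', 'alert'} findings for one captured response."""
    findings = []
    _, headers, _ = parse_response(raw)

    # Defensive headers only make sense on HTML, so gate on Content-Type.
    content_type = (header_values(headers, "content-type") or [""])[0]
    if content_type.lower().startswith("text/html"):
        for name, alert in EXPECTED_HTML_HEADERS.items():
            if not header_values(headers, name):
                findings.append({"risk": "Low", "alert": alert})

    # Each Set-Cookie is checked on its own; attribute matching is case-insensitive.
    for cookie in header_values(headers, "set-cookie"):
        parts = [p.strip() for p in cookie.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        attrs = {p.lower() for p in parts[1:]}
        if "httponly" not in attrs:
            findings.append({"risk": "Low", "alert": f"Cookie {cookie_name} set without HttpOnly"})
        if "secure" not in attrs:
            findings.append({"risk": "Low", "alert": f"Cookie {cookie_name} set without Secure"})

    # A version string in Server helps an attacker pick exploits; report as info.
    for server in header_values(headers, "server"):
        if any(ch.isdigit() for ch in server):
            findings.append({"risk": "Informational", "alert": f"Server header leaks version: {server}"})

    return findings


def summarize(findings):
    """Count findings per risk level, the way a report rolls them up."""
    counts = {}
    for f in findings:
        counts[f["risk"]] = counts.get(f["risk"], 0) + 1
    return counts


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        results = passive_scan(raw)
        print(f"{label}: {summarize(results)}")
        for f in results:
            print(f"  [{f['risk']}] {f['alert']}")
```

The weak response yields six Low findings (three missing headers, two cookies missing Secure, one missing HttpOnly) plus one Informational for the Server version, while the hardened response yields none.  Real passive rules, ZAP’s included, are broader and are applied to every response the proxy sees, but the shape is the same: read, match, report, never probe.
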
While it’s not a one-button click-and-run, it’s definitely not too challenging to get going.  Using ZAP reminded me a lot of Netsparker Pro, down to how it’s organized and laid out.  The tool runs relatively quickly, is lightweight and has a clean interface, which helps when analyzing large amounts of data.  The coverage and detail are really good, and the comprehensive help pages would be very useful for a security novice.  On top of everything else, the results of the scans were fairly similar to those from the other scanners I ran.  While I can’t certify there are no gaps in its security analysis, from my quick look the coverage seemed pretty strong.
Surprisingly, it has some decent report-generation features as well.


So what’s the catch?  There’s always a catch…

Well, the reporting tool may not be the best in the world, but it definitely beats paying an arm and a leg for a product that gives you the same scan results.  The product is also maintained by the OWASP community, so you’re at the mercy of the community for any updates and the priority those updates are assigned in the queue.   But let’s be real: can you beat free?

Try it out today, let me know your thoughts in the comments.

