The OWASP Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications.
It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing as well as being a useful addition to an experienced pen testers toolbox.
Some of ZAP's functionality:
- Intercepting Proxy
- Traditional and AJAX spiders
- Automated scanner
- Passive scanner
- Forced browsing
- Fuzzer
- Dynamic SSL certificates
- Smartcard and Client Digital Certificates support
- Web sockets support
- Authentication and session support
- Powerful REST based API
- Support for a wide range of scripting languages
- Automatic updating option
- Integrated and growing marketplace of add-ons
Some of ZAP's features:
- Open source
- Cross platform
- Easy to install (just requires java 1.7)
- Completely free (no paid for 'Pro' version)
- Ease of use a priority
- Comprehensive help pages
- Fully internationalized
- Translated into a dozen languages
- Community based, with involvement actively encouraged
- Under active development by an international team of volunteers
It supports the following languages:
- English
- Arabic
- Albanian
- Brazilian Portuguese
- Chinese
- Danish
- Filipino
- French
- German
- Greek
- Indonesian
- Italian
- Japanese
- Korean
- Persian
- Polish
- Russian
- Spanish