Open source web app scanner for finding security vulnerabilities during development and testing
Apache-2.0
- Java
- HTML
- Python

About OWASP ZAP
OWASP ZAP, the Zed Attack Proxy, is a web application security scanner that finds vulnerabilities in your web apps while you develop and test them. It sits between your browser and the target as an intercepting proxy, inspecting and modifying traffic along the way.
It automatically scans web applications for security issues and is also a capable tool for experienced pentesters running manual security tests. As a dynamic application security testing (DAST) tool, it probes running applications rather than reading their source code.
ZAP runs as a cross-platform Java desktop application and can be driven through automation for CI/CD pipelines. It is the world's most widely used web app scanner and is freely available to download and run on your own machine.
Key features
- Automatic scanning of web apps for security vulnerabilities
- Intercepting proxy for inspecting and modifying traffic
- Manual security testing tools for pentesters
- Dynamic application security testing (DAST)
- Automation support for CI/CD pipelines
Details
- First released: 2015
- Platforms: Linux · macOS · Windows
- Deployment: offline-first
- Scan mode: DAST web app scanner
- License: Apache-2.0
- Language: Java
