-
Notifications
You must be signed in to change notification settings - Fork 2
RelatedTools
The following tools (in alphabetic order) and known to work well with (or even include explicit support for) ZAP:
BDD-Security is framework for security testing web applications through Behaviour Driven Development techniques
BDD-Security is a framework written in Java and based on JBehave and Selenium 2 (WebDriver
) that uses predefined security tests and an integrated security scanner to perform automated security assessments of web applications.
BDD-Security makes use of ZAP to perform the automated scanning in addition to the non-functional tests. Everything is driven from the JBehave stories, so it can all be executed from familiar build tools and integrated in continuous integration environments.
bWAPP, or a buggy web application, is a free and open source deliberately insecure web application. It helps security enthusiasts, developers and students to discover and to prevent web vulnerabilities. bWAPP prepares one to conduct successful penetration testing and ethical hacking projects. It has over 100 web vulnerabilities! It covers all major known web bugs, including all risks from the OWASP Top 10 project.
bWAPP includes ZAP as one of its tools of choice.
Dradis is an open source framework to enable effective information sharing, specially during security assessments.
The ZAP Proxy upload plugin parses OWASP Zed Attack Proxy XML reports.
Faraday introduces a new concept (IPE) Integrated Penetration-Test Environment a multiuser Penetration test IDE. Designed for distribution, indexation and analysis of the generated data during the process of a security audit.
The main purpose of Faraday is to re-use the available tools in the community to take advantages of them in a multiuser way.
The SpiderLabs
Research Team has added an example script to the OWASP ModSecurity
Core Rule Set (CRS) Project archive that will help users to quickly implement virtual patches for vulnerabilities identified by ZAP.
Minion is a security testing framework built by Mozilla to bridge the gap between developers and security testers. To do so, it enables developers to scan their projects using a friendly interface.
It includes explicit support for ZAP and essentially allows you to run ZAP 'in the cloud'.
The OWASP AJAX Crawling Tool is tool which automates the crawling of AJAX applications. It can be daisy-chained with ZAP to find aspects of a web app that are missed by the spider.
A demo of the tool working with ZAP is here: http://vimeo.com/31059474
OWASP EnDE is a collection of tools for data encoding/decoding and conversion.
Achim (the project lead) has detailed how you can load EnDe
into the ZAP Script Console here: https://groups.google.com/d/topic/zaproxy-develop/IBWucSMKnZ8/discussion
The O2 platform represents a new paradigm for how to perform, document and distribute Web Application security reviews.
Dinis has written a blog post on controlling ZAP via O2: http://blog.diniscruz.com/2012/11/using-jni4net-part-2-controling-owasp.html
OWASP Security Shepherd is a computer based training application for web application security vulnerabilities. This project strives to hurde the lost sheep of the technological world back to the safe and sound ways of secure practices. Security Shepherd can be deployed as a CTF (Capture the Flag) game or as an open floor educational server.
ZAP is included in Security Shepherd as the security tool to use when solving its challenges.
Seccubus automates vulnerability scanning with: Nessus, OpenVAS, NMap, SSLyze, Burp, Medusa, SkipFish and SSLlabs.
ZAP support was added in v2.13.
ThreadFix is a software vulnerability aggregation and management system that helps organizations aggregate vulnerability data, generate virtual patches, and interact with software defect tracking systems.
ZAP is one of the dynamic scanners it explicitly supports:
https://github.com/denimgroup/threadfix/wiki/Dynamic-Scanners#owasp-zed-attack-proxy